Re: Extended ACLs - DNS Resolution

From: David Russell (drussell@xxxxxxxxxxx)
Date: Thu Mar 23 2000 - 15:57:35 GMT-3

Wouldn't the DNS reply be coming back from Domain (port 53) to the random
port assigned by NAT? If so, your UDP filter would not match, since it is
looking for a destination port number of "Domain".

Dave Russell

-----Original Message-----
From: Angela Ledford <aledford@pathnet.com>
To: ccielab@groupstudy.com <ccielab@groupstudy.com>
Date: Thursday, March 23, 2000 12:47 PM
Subject: Extended ACLs - DNS Resolution

>I am having trouble figuring out what I have wrong on this access-list that
>won't allow DNS to resolve names based on the servers I have listed. I can
>ping the servers and without the access-list, I can resolve names, but once I
>invoke it, it breaks ... config below:
>!
>ip subnet-zero
>ip tcp synwait-time 5
>ip name-server 206.165.5.10
>ip name-server 206.165.50.10
>
>ip audit notify log
>ip audit po max-events 100
>!
>!
>process-max-time 200
>!
>interface Loopback0
> ip address 208.50.222.29 255.255.255.252
> no ip directed-broadcast
> ip nat inside
>!
>interface Ethernet0/0
> description Local LAN
> ip address 192.168.2.1 255.255.255.0
> no ip directed-broadcast
> ip nat inside
>!
>interface Serial0/0
> description Serial Internet Link
> bandwidth 384
> ip address 208.50.237.34 255.255.255.252
> ip access-group 105 in
> no ip directed-broadcast
> ip nat outside
> ip access-group 105 in
> no ip mroute-cache
> no fair-queue
> down-when-looped
>!
>ip nat pool internet 208.50.222.30 208.50.222.30 netmask 255.255.255.252
>ip nat inside source list 1 pool internet overload
>ip classless
>ip route 0.0.0.0 0.0.0.0 Serial0/0
>no ip http server
>!
>access-list 1 permit 192.168.2.0 0.0.0.255
>access-list 105 deny ip 208.50.222.28 0.0.0.3 any
>access-list 105 permit tcp any 208.50.222.28 0.0.0.3 established
>access-list 105 permit udp any any eq domain
>access-list 105 permit tcp any 208.50.222.28 0.0.0.3 gt 1023
>access-list 105 permit icmp any 208.50.222.28 0.0.0.3 traceroute
>access-list 105 permit icmp any 208.50.222.28 0.0.0.3 echo
>access-list 105 permit icmp any 208.50.222.28 0.0.0.3 echo-reply
>access-list 105 permit icmp any 208.50.222.28 0.0.0.3 ttl-exceeded
>access-list 105 permit udp any host 208.50.237.34 eq domain
>access-list 105 permit icmp any host 208.50.237.34 echo
>access-list 105 permit icmp any host 208.50.237.34 echo-reply
>access-list 105 permit icmp any host 208.50.237.34 ttl-exceeded
>!
>line con 0
> password pnc
> login
> transport input none
>line aux 0
> password pnc
> login
> modem InOut
> modem autoconfigure type usr_sportster
> transport input all
> speed 115200
> flowcontrol hardware
>line vty 0 4
> password pnc
> login
>
>--
>Angela Ledford CCNP-CVOICE, CCNA
>Network Engineer
>Pathfinders Networking Corporation
>
>aledford@pathnet.com
>http://www.pathfindersnetworking.com/
>
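
Dave's point, worked through as an added example that is not from the thread: a small Python evaluator for the subset of Cisco extended-ACL syntax used in access-list 105, run against a constructed DNS reply coming back through NAT. The ephemeral port 50000 and the final `FIX` entry are my assumptions, not something either poster wrote.

```python
import ipaddress
PORT_NAMES, OPS = {"domain": 53}, {"eq": lambda p, v: p == v, "gt": lambda p, v: p > v}

def _addr(t, i):
    # 'any' | 'host A' | 'A WILDCARD' at t[i]; a wildcard's 1-bits are "don't care"
    if t[i] == "any":
        return (lambda ip: True), i + 1
    a, w = (t[i + 1], "0.0.0.0") if t[i] == "host" else (t[i], t[i + 1])
    net, wild = int(ipaddress.ip_address(a)), int(ipaddress.ip_address(w))
    return (lambda ip: int(ipaddress.ip_address(ip)) & ~wild == net & ~wild), i + 2

def _port(t, i):
    # optional 'eq|gt PORT' at t[i]; PORT may be a name such as 'domain'
    if i < len(t) and t[i] in OPS:
        op, v = OPS[t[i]], PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        return (lambda p: op(p, v)), i + 2
    return (lambda p: True), i

def parse_ace(line):
    # 'access-list N permit|deny PROTO SRC [op PORT] DST [op PORT] [established]'
    t = line.split()
    src, i = _addr(t, 4)
    sport, i = _port(t, i)
    dst, i = _addr(t, i)
    dport, i = _port(t, i)
    return t[2], t[3], src, sport, dst, dport, "established" in t[i:]

def evaluate(acl, pkt):
    # first matching entry wins; anything unmatched hits the implicit deny
    for line in acl:
        action, proto, src, sport, dst, dport, est = parse_ace(line)
        if proto not in ("ip", pkt["proto"]) or (est and not pkt.get("ack")):
            continue
        if src(pkt["src"]) and sport(pkt["sport"]) and dst(pkt["dst"]) and dport(pkt["dport"]):
            return action, line
    return "deny", "implicit deny"

# Non-ICMP entries of the posted access-list 105 (ICMP entries can never match UDP).
ACL_105 = [
    "access-list 105 deny ip 208.50.222.28 0.0.0.3 any",
    "access-list 105 permit tcp any 208.50.222.28 0.0.0.3 established",
    "access-list 105 permit udp any any eq domain",
    "access-list 105 permit tcp any 208.50.222.28 0.0.0.3 gt 1023",
    "access-list 105 permit udp any host 208.50.237.34 eq domain",
]
# Constructed DNS reply: server 206.165.5.10 answers from port 53 to the NAT pool
# address 208.50.222.30 on the ephemeral port NAT chose (50000 is assumed).
DNS_REPLY = dict(proto="udp", src="206.165.5.10", sport=53, dst="208.50.222.30", dport=50000)
# Assumed remedy (not from the thread): match replies on the *source* port instead.
FIX = "access-list 105 permit udp any eq domain 208.50.222.28 0.0.0.3 gt 1023"
```

`evaluate(ACL_105, DNS_REPLY)` falls through to the implicit deny because only entry 3 is UDP-and-any, and it demands destination port 53; the same happens for a reply to the router's own address 208.50.237.34, since that entry repeats the mistake.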



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 08:23:06 GMT-3