Re: Extended ACLs - DNS Resolution

From: Angela Ledford (aledford@xxxxxxxxxxx)
Date: Thu Mar 23 2000 - 15:58:19 GMT-3


   
The original address scope I used was 208.50.222.30 0.0.0.3, which would have
allowed 208.50.222.30, but that didn't work; then I allowed any any, which is
what is listed below, and that didn't work either. Am I missing something?

--
Angela Ledford CCNP, CVOICE Specialization, CCNA
Network Engineer
Pathfinders Networking Corporation
55 W. 22nd Street, Suite 240
Lombard, IL  60148
630-691-8967 (direct)
630-691-8474 (fax)

aledford@pathnet.com http://www.pathfindersnetworking.com/

> From: "Maljure, Sanjay" <smaljure@cibernetworks.com>
> Date: Thu, 23 Mar 2000 13:39:32 -0500
> To: "'Angela Ledford'" <aledford@pathnet.com>, ccielab@groupstudy.com
> Subject: RE: Extended ACLs - DNS Resolution
>
> Hi Angela,
>
> Your access-list 105 is applied inbound on s0/0. Hence it will affect only
> packets coming into s0/0.
> And ur NAT pool for the inside to outside translation is:
>
> !
> ip nat pool internet 208.50.222.30 208.50.222.30 netmask 255.255.255.252
> !
>
> So a packet sourced from any host on the Ethernet interface (inside) would
> get translated to a source address of 208.50.222.30.
>
> Which means
>
> access-list 105 permit any eq domain host 208.50.222.30
>
> should allow the DNS query replies to come back to the translated address. U
> can change the entries for ICMP, TCP(est), etc. using the 208.50.222.30
> address.
>
> Of course, if u try domain name resolution from the router, then the DNS query
> will be sourced with the IP address of S0/0 (207.50.37.34) and u would need
> to allow inbound UDP access to this address.
>
> hope this is helpful
>
> Sanjay
>
>
> I am having trouble figuring out what I have wrong on this access-list that
> won't allow DNS to resolve names based on the servers I have listed. I can
> ping the servers and without the access-list, I can resolve names but once I
> invoke it, it breaks ... config below:
>
> !
> ip subnet-zero
> ip tcp synwait-time 5
> ip name-server 206.165.5.10
> ip name-server 206.165.50.10
>
> ip audit notify log
> ip audit po max-events 100
> !
> !
> process-max-time 200
> !
> interface Loopback0
>  ip address 208.50.222.29 255.255.255.252
>  no ip directed-broadcast
>  ip nat inside
> !
> interface Ethernet0/0
>  description Local LAN
>  ip address 192.168.2.1 255.255.255.0
>  no ip directed-broadcast
>  ip nat inside
> !
> interface Serial0/0
>  description Serial Internet Link
>  bandwidth 384
>  ip address 208.50.237.34 255.255.255.252
>  ip access-group 105 in
>  no ip directed-broadcast
>  ip nat outside
>  no ip mroute-cache
>  no fair-queue
>  down-when-looped
> !
> ip nat pool internet 208.50.222.30 208.50.222.30 netmask 255.255.255.252
> ip nat inside source list 1 pool internet overload
> ip classless
> ip route 0.0.0.0 0.0.0.0 Serial0/0
> no ip http server
> !
> access-list 1 permit 192.168.2.0 0.0.0.255
> access-list 105 deny ip 208.50.222.28 0.0.0.3 any
> access-list 105 permit tcp any 208.50.222.28 0.0.0.3 established
> access-list 105 permit udp any any eq domain
> access-list 105 permit tcp any 208.50.222.28 0.0.0.3 gt 1023
> access-list 105 permit icmp any 208.50.222.28 0.0.0.3 traceroute
> access-list 105 permit icmp any 208.50.222.28 0.0.0.3 echo
> access-list 105 permit icmp any 208.50.222.28 0.0.0.3 echo-reply
> access-list 105 permit icmp any 208.50.222.28 0.0.0.3 ttl-exceeded
> access-list 105 permit udp any host 208.50.237.34 eq domain
> access-list 105 permit icmp any host 208.50.237.34 echo
> access-list 105 permit icmp any host 208.50.237.34 echo-reply
> access-list 105 permit icmp any host 208.50.237.34 ttl-exceeded
> !
> line con 0
>  password pnc
>  login
>  transport input none
> line aux 0
>  password pnc
>  login
>  modem InOut
>  modem autoconfigure type usr_sportster
>  transport input all
>  speed 115200
>  flowcontrol hardware
> line vty 0 4
>  password pnc
>  login
>
> --
> Angela Ledford CCNP-CVOICE, CCNA
> Network Engineer
> Pathfinders Networking Corporation
>
> aledford@pathnet.com
> http://www.pathfindersnetworking.com/
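Worked example, added here and not part of the thread or of any Cisco software: a small Python model of how IOS walks extended access-list 105, run against a DNS reply arriving inbound on Serial0/0. Two points from Sanjay's reply drive it. First, IOS applies the inbound ACL on the "ip nat outside" interface before the outside-to-inside translation, so the ACL sees the global address 208.50.222.30, not a 192.168.2.x address. Second, "eq domain" written after the destination, as in the posted "permit udp any any eq domain", matches packets sent TO port 53 (queries); a reply from the name server has SOURCE port 53 and a high destination port, so it falls through to the implicit deny whatever the address part says. The same model shows that "208.50.222.30 0.0.0.3" covers 208.50.222.28 through .31, because wildcard bits set to 1 are ignored. The packets are constructed, the helper names are my own, and CORRECTED_ACL is an assumed fix built on Sanjay's suggestion (his line with the required "udp" keyword, the source limited to the two configured name servers, plus a pair for the router's own S0/0 address); it is not a line from the thread.

```python
# Added example (not from the thread or any Cisco tool): a model of how IOS
# evaluates an extended numbered ACL.  Addresses come from the posted config;
# packets are constructed here; CORRECTED_ACL is an assumed fix, not posted.
import ipaddress
from dataclasses import dataclass

PORTS = {"domain": 53}  # port keyword used in the posted ACL

@dataclass
class Packet:
    proto: str                # "udp" or "tcp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack_or_rst: bool = False  # TCP ACK or RST set: what "established" tests

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _take_addr(tok, i):
    """Consume 'any', 'host A' or 'A WILDCARD'; return ((net, wild), next index)."""
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (_ip(tok[i + 1]), 0), i + 2
    return (_ip(tok[i]), _ip(tok[i + 1])), i + 2

def _take_port(tok, i):
    # Optional 'eq|gt|lt PORT'; PORT may be a keyword such as "domain".
    if i < len(tok) and tok[i] in ("eq", "gt", "lt"):
        return (tok[i], int(PORTS.get(tok[i + 1], tok[i + 1]))), i + 2
    return None, i

def parse_ace(line):
    """access-list N ACTION PROTO SRC [op PORT] DST [op PORT] [established]"""
    tok = line.split()
    src, i = _take_addr(tok, 4)
    sport, i = _take_port(tok, i)
    dst, i = _take_addr(tok, i)
    dport, i = _take_port(tok, i)
    return {"action": tok[2], "proto": tok[3], "src": src, "sport": sport,
            "dst": dst, "dport": dport,
            "established": "established" in tok[i:]}

def _addr_ok(addr, spec):
    net, wild = spec  # wildcard bits set to 1 are "don't care"
    return (_ip(addr) | wild) == (net | wild)

def addr_matches(addr, spec_text):
    """Is addr inside an IOS spec such as '208.50.222.30 0.0.0.3' (= .28 to .31)?"""
    return _addr_ok(addr, _take_addr(spec_text.split(), 0)[0])

def _port_ok(port, spec):
    if spec is None:
        return True
    op, val = spec
    return {"eq": port == val, "gt": port > val, "lt": port < val}[op]

def ace_matches(ace, pkt):
    if ace["proto"] not in ("ip", pkt.proto):
        return False
    if not (_addr_ok(pkt.src, ace["src"]) and _addr_ok(pkt.dst, ace["dst"])):
        return False
    if not (_port_ok(pkt.sport, ace["sport"]) and _port_ok(pkt.dport, ace["dport"])):
        return False
    return not ace["established"] or pkt.ack_or_rst

def evaluate(acl, pkt):
    """Top down, first match wins, implicit deny at the end, as IOS does."""
    for line in acl:
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace["action"], line
    return "deny", "implicit deny"

# The posted ACL (ICMP lines trimmed).  "eq domain" after the destination
# matches packets TO port 53, i.e. queries, not replies that come FROM 53.
POSTED_ACL = [
    "access-list 105 deny ip 208.50.222.28 0.0.0.3 any",
    "access-list 105 permit tcp any 208.50.222.28 0.0.0.3 established",
    "access-list 105 permit udp any any eq domain",
    "access-list 105 permit tcp any 208.50.222.28 0.0.0.3 gt 1023",
    "access-list 105 permit udp any host 208.50.237.34 eq domain",
]
# Assumed fix (not posted in the thread): match the name server's SOURCE port
# 53, only from the two configured name servers, to the NAT pool and to S0/0.
CORRECTED_ACL = [
    "access-list 105 deny ip 208.50.222.28 0.0.0.3 any",
    "access-list 105 permit tcp any 208.50.222.28 0.0.0.3 established",
    "access-list 105 permit udp host 206.165.5.10 eq domain 208.50.222.28 0.0.0.3 gt 1023",
    "access-list 105 permit udp host 206.165.50.10 eq domain 208.50.222.28 0.0.0.3 gt 1023",
    "access-list 105 permit udp host 206.165.5.10 eq domain host 208.50.237.34",
    "access-list 105 permit udp host 206.165.50.10 eq domain host 208.50.237.34",
]
# Constructed packets as the inbound ACL sees them: global addresses, since
# the outside-to-inside NAT translation happens after the ACL check.
DNS_REPLY = Packet("udp", "206.165.5.10", "208.50.222.30", sport=53, dport=3921)
ROUTER_DNS_REPLY = Packet("udp", "206.165.5.10", "208.50.237.34", sport=53, dport=3921)
SPOOFED = Packet("tcp", "208.50.222.30", "208.50.222.30", sport=80, dport=2000, ack_or_rst=True)
```

evaluate(POSTED_ACL, DNS_REPLY) returns ('deny', 'implicit deny'), while evaluate(CORRECTED_ACL, DNS_REPLY) returns a permit on the first name-server line; the same pair of results comes back for ROUTER_DNS_REPLY, and both lists drop SPOOFED on the first line. Limiting the source to the name servers matters: a "permit udp any eq domain ..." line admits any host that simply sets its source port to 53. The posted "permit tcp any 208.50.222.28 0.0.0.3 gt 1023" line is worth a second look for the same reason, since it lets new TCP connections to any high port reach the NAT address and so undoes most of what the "established" line above it restricts.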



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 08:23:06 GMT-3