From: Jerry Toomey (jetoomey@xxxxxxxxx)
Date: Thu Sep 06 2001 - 17:40:16 GMT-3
David,
Shouldn't your access-list use the Outside Global IP address instead of
the Inside Local IP?
Why don't you add these to your access list (before any deny):
access-list 100 permit tcp any host 17.0.17.254 eq 53
access-list 100 permit tcp any host 17.0.19.254 eq 53
access-list 100 permit udp any host 17.0.17.254 eq 53
access-list 100 permit udp any host 17.0.19.254 eq 53
Then, do a "sho access-list 100" and see where the hits are coming from.
Look for "(xxx matches)".
Jerry
--- "Davis, David" <DDavis@foxgal.com> wrote:
> I have been using all my CCIE-candidate access-list & NAT
> troubleshooting skills to figure out the config on our new
> firewall/router but with no luck. When this access-list is put in place,
> DNS inquiries from the servers that the access-list permits on port 53
> (for DNS) stop working.
>
> Is this access-list configured correctly for DNS?
>
> Any help is appreciated!
>
> Thanks,
> David
>
> The servers on 63.161.251.4 and .5 are our two DNS servers that do not
> function once the access-list is put in place.
>
>
>
> !
> ! Last configuration change at 03:11:43 CST Wed Mar 3 1993 by root
> ! NVRAM config last updated at 03:23:44 CST Wed Mar 3 1993 by root
> !
> version 12.0
> service timestamps debug uptime
> service timestamps log uptime
> service password-encryption
> !
> hostname inetrouter
> !
> logging buffered 4096 notifications
> enable secret 5 $1$xZE9$KX4QfCbWvk.x1zFXLGHHg.
> !
> username root privilege 15 password 7 05070F1924455A1C09
> memory-size iomem 20
> clock timezone CST -6
> clock summer-time CDT recurring
> ip subnet-zero
> no ip source-route
> ip rcmd rsh-enable
> ip rcmd remote-host root 17.0.26.1 root enable
> ip rcmd remote-username root
> no ip domain-lookup
> !
> !
> !
> !
> !
> !
> !
> interface Ethernet0/0
> ip address 192.168.0.1 255.255.255.252 secondary
> ip address 192.168.1.1 255.255.255.252 secondary
> ip address 17.0.21.21 255.0.0.0
> no ip directed-broadcast
> no ip proxy-arp
> ip nat inside
> no cdp enable
> !
> interface Serial0/0
> description Internet T1
> ip address 144.232.221.38 255.255.255.252
> ip access-group 100 in
> no ip directed-broadcast
> no ip proxy-arp
> ip nat outside
> encapsulation ppp
> no cdp enable
> !
> ip nat inside source static 17.0.27.254 63.161.251.9
> ip nat inside source static 17.0.18.254 63.161.251.8
> ip nat inside source static 17.0.26.1 63.161.251.6
> ip nat inside source static 17.0.17.254 63.161.251.4
> ip nat inside source static 17.0.39.254 63.161.251.3
> ip nat inside source static 17.0.19.254 63.161.251.5
> ip nat inside source static 192.168.0.2 63.161.251.1
> ip nat inside source static 192.168.1.2 63.161.251.7
> ip nat inside source static 17.0.22.254 63.161.251.2
> ip classless
> ip route 0.0.0.0 0.0.0.0 Serial0/0 2
> no ip http server
> !
> logging 17.0.19.254
> access-list 100 permit ip any host 63.161.251.7
> access-list 100 permit ip any host 63.161.251.1
> access-list 100 permit tcp any host 63.161.251.2 eq 443
> access-list 100 permit tcp any host 63.161.251.2 eq 80
> access-list 100 permit tcp any host 63.161.251.2 eq 25
> access-list 100 permit tcp any host 63.161.251.4 eq 53
> access-list 100 permit tcp any host 63.161.251.5 eq 53
> access-list 100 permit udp any host 63.161.251.4 eq 53
> access-list 100 permit udp any host 63.161.251.5 eq 53
> access-list 100 permit udp any host 63.161.251.4 eq 123
> access-list 100 permit icmp any any echo-reply
> access-list 100 permit icmp any host 63.161.251.2 echo
> access-list 100 deny ip any any log
> no cdp run
> !
> line con 0
> exec-timeout 0 0
> login local
> transport input none
> line aux 0
> password 7 14141B180F0B
> line vty 0 4
> login local
> !
> ntp clock-period 17208398
> ntp server 17.253.100.1
> no scheduler allocate
> end
> **Please read:http://www.groupstudy.com/list/posting.html
=====
Jerry Toomey of http://www.wansend.com can be reached at 877-690-2578
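As an added illustration, not part of either message in this thread: a small Python model of the DNS-relevant lines of ACL 100 as IOS evaluates it inbound on Serial0/0 (for outside-to-inside traffic the input ACL is checked before NAT, so it matches on the outside global addresses 63.161.251.x). The `Packet`, `evaluate` and `dns_server_outcomes` names, the external addresses 198.51.100.7 and 198.51.100.53 and the ephemeral port 34567 are constructed for the example. It shows that a query sent to the server is permitted, while the answer to a lookup the server itself originated comes back to destination port 34567 and falls through to the final deny.

```python
# Added example (not from the thread): a model of the DNS/NTP lines of ACL 100
# from the quoted config as applied with "ip access-group 100 in" on Serial0/0.
# Outside-to-inside, IOS checks the input ACL before NAT, so the ACL sees the
# outside global addresses (63.161.251.x), not the inside local 17.x addresses.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0      # 0 when not applicable
    dport: int = 0

# (action, proto, src-net, dst-net, dport-or-None); "any" matches everything.
ACL_100 = [
    ("permit", "tcp", "any", "63.161.251.4/32", 53),
    ("permit", "tcp", "any", "63.161.251.5/32", 53),
    ("permit", "udp", "any", "63.161.251.4/32", 53),
    ("permit", "udp", "any", "63.161.251.5/32", 53),
    ("permit", "udp", "any", "63.161.251.4/32", 123),
    ("deny", "ip", "any", "any", None),
]

def _in(addr: str, net: str) -> bool:
    return net == "any" or ip_address(addr) in ip_network(net)

def evaluate(acl, pkt: Packet) -> tuple[str, int]:
    """Return (action, index of matching entry); IOS stops at the first match."""
    for i, (action, proto, src, dst, dport) in enumerate(acl):
        if proto != "ip" and proto != pkt.proto:
            continue
        if not (_in(pkt.src, src) and _in(pkt.dst, dst)):
            continue
        if dport is not None and pkt.dport != dport:  # "eq N" tests the destination port
            continue
        return action, i
    return "deny", -1  # implicit deny at the end of every IOS ACL

# Constructed sample traffic: 198.51.100.7 queries our server; 198.51.100.53
# stands in for an external resolver answering a lookup our server originated
# from ephemeral port 34567 (both addresses and the port are made up).
INBOUND_QUERY = Packet("udp", "198.51.100.7", "63.161.251.4", 40000, 53)
LOOKUP_REPLY = Packet("udp", "198.51.100.53", "63.161.251.4", 53, 34567)

def dns_server_outcomes() -> dict:
    return {"query_to_server": evaluate(ACL_100, INBOUND_QUERY)[0],
            "reply_to_server_lookup": evaluate(ACL_100, LOOKUP_REPLY)[0]}
```

The reply packet lands on `deny ip any any log`, which is where the `(xxx matches)` counter from `sho access-list 100` would accumulate for this traffic.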
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:32:15 GMT-3