Re: Internet Firewall Router IOS Config

From: Jay Hennigan (jay@xxxxxxxx)
Date: Thu Sep 06 2001 - 17:46:00 GMT-3


On Thu, 6 Sep 2001, Davis, David wrote:

> I have been using all my CCIE-candidate access-list & NAT
> troubleshooting skills to figure out the config on our new
> firewall/router but with no luck. When this access-list is put in place,
> DNS inquiries from the servers that the access-list permits on port 53
> (for DNS) stop working.
>
> Is this access-list configured correctly for DNS?

Snippet follows:

access-list 100 permit tcp any host 63.161.251.4 eq 53
access-list 100 permit tcp any host 63.161.251.5 eq 53
access-list 100 permit udp any host 63.161.251.4 eq 53
access-list 100 permit udp any host 63.161.251.5 eq 53

UDP is used for regular DNS queries and TCP for zone transfers. So unless
the machines on 251.4 and 251.5 are authoritative nameservers, you don't
need TCP. From your question, I'm not sure if the machines on 251.4 and
251.5 are themselves nameservers or are querying external nameservers, and
whether the issue is that the outside world can't reach them or that they
can't resolve when pulling from outside nameservers.

I think your problem is that the machines at 251.4 and 251.5 are unable
to receive responses from outside nameservers. This is because your
port specification is backwards for a DNS response. Try the following
instead of (or in addition to) the above four lines:

access-list 100 permit udp any eq 53 host 63.161.251.4 gt 1023
access-list 100 permit udp any eq 53 host 63.161.251.5 gt 1023

The response to a DNS query will have a source port of 53 and the same
random high port as the originating query. Your filter will block all
UDP unless the destination port is 53.

For tighter security, replace the "any" in the above lines with the host
IP(s) of the specific external nameserver(s) your ISP specifies that you
use, unless you need to resolve from anywhere.

By the way, you'll probably have trouble connecting to anything at
apple.com. Is there a reason that you used 17.0.0.0/8 for internal
private addresses?

> Any help is appreciated!

Another trick: put this as the last line:

access-list 100 deny ip any any log-input

This will display on the console, in real time, what the filter is blocking;
very handy for troubleshooting.

> The servers on 63.161.251.4 and .5 are our two DNS servers that do not
> function once the access-list is put in place.
>
>
>
> !
> ! Last configuration change at 03:11:43 CST Wed Mar 3 1993 by root
> ! NVRAM config last updated at 03:23:44 CST Wed Mar 3 1993 by root
> !
> version 12.0
> service timestamps debug uptime
> service timestamps log uptime
> service password-encryption
> !
> hostname inetrouter
> !
> logging buffered 4096 notifications
> enable secret 5 $1$xZE9$KX4QfCbWvk.x1zFXLGHHg.
> !
> username root privilege 15 password 7 05070F1924455A1C09
> memory-size iomem 20
> clock timezone CST -6
> clock summer-time CDT recurring
> ip subnet-zero
> no ip source-route
> ip rcmd rsh-enable
> ip rcmd remote-host root 17.0.26.1 root enable
> ip rcmd remote-username root
> no ip domain-lookup
> !
> !
> !
> !
> !
> !
> !
> interface Ethernet0/0
> ip address 192.168.0.1 255.255.255.252 secondary
> ip address 192.168.1.1 255.255.255.252 secondary
> ip address 17.0.21.21 255.0.0.0
> no ip directed-broadcast
> no ip proxy-arp
> ip nat inside
> no cdp enable
> !
> interface Serial0/0
> description Internet T1
> ip address 144.232.221.38 255.255.255.252
> ip access-group 100 in
> no ip directed-broadcast
> no ip proxy-arp
> ip nat outside
> encapsulation ppp
> no cdp enable
> !
> ip nat inside source static 17.0.27.254 63.161.251.9
> ip nat inside source static 17.0.18.254 63.161.251.8
> ip nat inside source static 17.0.26.1 63.161.251.6
> ip nat inside source static 17.0.17.254 63.161.251.4
> ip nat inside source static 17.0.39.254 63.161.251.3
> ip nat inside source static 17.0.19.254 63.161.251.5
> ip nat inside source static 192.168.0.2 63.161.251.1
> ip nat inside source static 192.168.1.2 63.161.251.7
> ip nat inside source static 17.0.22.254 63.161.251.2
> ip classless
> ip route 0.0.0.0 0.0.0.0 Serial0/0 2
> no ip http server
> !
> logging 17.0.19.254
> access-list 100 permit ip any host 63.161.251.7
> access-list 100 permit ip any host 63.161.251.1
> access-list 100 permit tcp any host 63.161.251.2 eq 443
> access-list 100 permit tcp any host 63.161.251.2 eq 80
> access-list 100 permit tcp any host 63.161.251.2 eq 25
> access-list 100 permit tcp any host 63.161.251.4 eq 53
> access-list 100 permit tcp any host 63.161.251.5 eq 53
> access-list 100 permit udp any host 63.161.251.4 eq 53
> access-list 100 permit udp any host 63.161.251.5 eq 53
> access-list 100 permit udp any host 63.161.251.4 eq 123
> access-list 100 permit icmp any any echo-reply
> access-list 100 permit icmp any host 63.161.251.2 echo
> access-list 100 deny ip any any log
> no cdp run
> !
> line con 0
> exec-timeout 0 0
> login local
> transport input none
> line aux 0
> password 7 14141B180F0B
> line vty 0 4
> login local
> !
> ntp clock-period 17208398
> ntp server 17.253.100.1
> no scheduler allocate
> end
> **Please read:http://www.groupstudy.com/list/posting.html

--
Jay Hennigan - CCIE #7880 - Network Administration - jay@west.net
NetLojix Communications, Inc.  -  http://www.netlojix.com/
WestNet:  Connecting you to the planet.  805 884-6323
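As an added worked example (not code from the original post, from Cisco, or from either poster), here is a small Python model of IOS first-match ACL evaluation run over the posted UDP DNS lines and over the reply's suggested fix in its tightened form. The ISP resolver address 198.51.100.53, the outside hosts in 203.0.113.0/24 and the ephemeral port 34567 are constructed placeholders; the class and function names (Packet, Rule, parse_acl, evaluate, verdicts) are mine. It shows the DNS answer (source port 53, destination an ephemeral port) falling through to the final deny under the original rules, and being permitted only from the ISP's resolver once the reply's two lines are added with "any" replaced by that host.

```python
"""Toy first-match evaluator for Cisco IOS numbered extended ACLs (added example,
not from the original post or Cisco). IPv4, numeric ports, tcp/udp/ip rules only."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple
ANY_PORT: Callable[[int], bool] = lambda p: True

@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int

@dataclass
class Rule:
    action: str
    proto: str   # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    sport: Callable[[int], bool]
    dst: ipaddress.IPv4Network
    dport: Callable[[int], bool]
    text: str

def _parse_addr(tok: List[str]) -> Tuple[ipaddress.IPv4Network, List[str]]:
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD'; return (network, rest)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    # An IOS wildcard is the inverse of a netmask; invert it explicitly, since
    # 0.0.0.0 and 255.255.255.255 are ambiguous if handed to ipaddress directly.
    netmask = ipaddress.ip_address(~int(ipaddress.ip_address(tok[1])) & 0xFFFFFFFF)
    return ipaddress.ip_network((tok[0], str(netmask)), strict=False), tok[2:]

def _parse_port(tok: List[str]) -> Tuple[Callable[[int], bool], List[str]]:
    """Consume an optional 'eq|gt|lt|neq N'; no operator means any port."""
    if tok and tok[0] in ("eq", "gt", "lt", "neq"):
        op, n = tok[0], int(tok[1])
        ops = {"eq": lambda p: p == n, "gt": lambda p: p > n,
               "lt": lambda p: p < n, "neq": lambda p: p != n}
        return ops[op], tok[2:]
    return ANY_PORT, tok

def parse_acl(text: str) -> List[Rule]:
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list":
            continue
        action, proto, rest = tok[2], tok[3], tok[4:]
        ports = proto in ("tcp", "udp")
        src, rest = _parse_addr(rest)
        sport, rest = _parse_port(rest) if ports else (ANY_PORT, rest)
        dst, rest = _parse_addr(rest)
        dport, rest = _parse_port(rest) if ports else (ANY_PORT, rest)
        # anything left over (log, log-input) does not affect matching
        rules.append(Rule(action, proto, src, sport, dst, dport, line.strip()))
    return rules

def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First matching rule wins; unmatched traffic hits IOS's implicit deny."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for r in rules:
        if (r.proto in ("ip", pkt.proto) and src in r.src and dst in r.dst
                and r.sport(pkt.sport) and r.dport(pkt.dport)):
            return r.action, r.text
    return "deny", "implicit deny ip any any"

# The UDP DNS lines of the posted ACL plus its final deny.
ORIGINAL_ACL = """
access-list 100 permit udp any host 63.161.251.4 eq 53
access-list 100 permit udp any host 63.161.251.5 eq 53
access-list 100 deny ip any any log
"""
ISP_RESOLVER = "198.51.100.53"   # constructed placeholder for the ISP's resolver

# The reply's fix in its tightened form: answers (source port 53) from the ISP
# resolver back to the ephemeral port the query left from, then deny with log-input.
FIXED_ACL = ORIGINAL_ACL.replace("access-list 100 deny ip any any log", f"""
access-list 100 permit udp host {ISP_RESOLVER} eq 53 host 63.161.251.4 gt 1023
access-list 100 permit udp host {ISP_RESOLVER} eq 53 host 63.161.251.5 gt 1023
access-list 100 deny ip any any log-input""")

def dns_traffic() -> Dict[str, Packet]:
    """Constructed packets as the inbound ACL on Serial0/0 sees them. IOS applies an
    inbound ACL before outside-to-inside NAT, so it matches the global 63.161.251.x."""
    return {
        # answer to a recursive query our server sent from an ephemeral port
        "answer_from_isp": Packet("udp", ISP_RESOLVER, "63.161.251.4", 53, 34567),
        # same shape, but from a resolver we never asked
        "answer_from_stranger": Packet("udp", "203.0.113.9", "63.161.251.4", 53, 34567),
        # an outside client querying our authoritative server
        "query_from_internet": Packet("udp", "203.0.113.9", "63.161.251.5", 40000, 53),
    }

def verdicts(acl_text: str) -> Dict[str, str]:
    rules = parse_acl(acl_text)
    return {name: evaluate(rules, pkt)[0] for name, pkt in dns_traffic().items()}
```

Calling verdicts(ORIGINAL_ACL) gives deny for both answers and permit for the inbound query; verdicts(FIXED_ACL) permits the answer from the ISP resolver while still denying the one from an unknown source. The parser is deliberately partial: named ports such as domain or www, ICMP types, established and range are not handled. The wildcard conversion is kept explicit so that 17.0.0.0 0.255.255.255 comes out as 17.0.0.0/8 rather than being misread by the ambiguous netmask/hostmask forms ipaddress accepts.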


This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:32:15 GMT-3