From: Tu Nguyen (tunguyen@xxxxxxxxxxx)
Date: Thu Sep 06 2001 - 17:46:25 GMT-3
Try this:
access-list 100 permit tcp any eq 25 host 63.161.251.2
access-list 100 permit tcp any eq 53 host 63.161.251.4
access-list 100 permit tcp any eq 53 host 63.161.251.5
access-list 100 permit udp any eq 53 host 63.161.251.4
-----Original Message-----
From: Davis, David [mailto:DDavis@foxgal.com]
Sent: Thursday, September 06, 2001 12:34 PM
To: ccielab@groupstudy.com
Subject: Internet Firewall Router IOS Config
I have been using all my CCIE-candidate access-list & NAT
troubleshooting skills to figure out the config on our new
firewall/router but with no luck. When this access-list is put in place,
DNS inquiries from the servers that the access-list permits on port 53
(for DNS) stop working.
Is this access-list configured correctly for DNS?
Any help is appreciated!
Thanks,
David
The servers on 63.161.251.4 and .5 are our two DNS servers that do not
function once the access-list is put in place.
!
! Last configuration change at 03:11:43 CST Wed Mar 3 1993 by root
! NVRAM config last updated at 03:23:44 CST Wed Mar 3 1993 by root
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname inetrouter
!
logging buffered 4096 notifications
enable secret 5 $1$xZE9$KX4QfCbWvk.x1zFXLGHHg.
!
username root privilege 15 password 7 05070F1924455A1C09
memory-size iomem 20
clock timezone CST -6
clock summer-time CDT recurring
ip subnet-zero
no ip source-route
ip rcmd rsh-enable
ip rcmd remote-host root 17.0.26.1 root enable
ip rcmd remote-username root
no ip domain-lookup
!
!
!
!
!
!
!
interface Ethernet0/0
ip address 192.168.0.1 255.255.255.252 secondary
ip address 192.168.1.1 255.255.255.252 secondary
ip address 17.0.21.21 255.0.0.0
no ip directed-broadcast
no ip proxy-arp
ip nat inside
no cdp enable
!
interface Serial0/0
description Internet T1
ip address 144.232.221.38 255.255.255.252
ip access-group 100 in
no ip directed-broadcast
no ip proxy-arp
ip nat outside
encapsulation ppp
no cdp enable
!
ip nat inside source static 17.0.27.254 63.161.251.9
ip nat inside source static 17.0.18.254 63.161.251.8
ip nat inside source static 17.0.26.1 63.161.251.6
ip nat inside source static 17.0.17.254 63.161.251.4
ip nat inside source static 17.0.39.254 63.161.251.3
ip nat inside source static 17.0.19.254 63.161.251.5
ip nat inside source static 192.168.0.2 63.161.251.1
ip nat inside source static 192.168.1.2 63.161.251.7
ip nat inside source static 17.0.22.254 63.161.251.2
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0 2
no ip http server
!
logging 17.0.19.254
access-list 100 permit ip any host 63.161.251.7
access-list 100 permit ip any host 63.161.251.1
access-list 100 permit tcp any host 63.161.251.2 eq 443
access-list 100 permit tcp any host 63.161.251.2 eq 80
access-list 100 permit tcp any host 63.161.251.2 eq 25
access-list 100 permit tcp any host 63.161.251.4 eq 53
access-list 100 permit tcp any host 63.161.251.5 eq 53
access-list 100 permit udp any host 63.161.251.4 eq 53
access-list 100 permit udp any host 63.161.251.5 eq 53
access-list 100 permit udp any host 63.161.251.4 eq 123
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any host 63.161.251.2 echo
access-list 100 deny ip any any log
no cdp run
!
line con 0
exec-timeout 0 0
login local
transport input none
line aux 0
password 7 14141B180F0B
line vty 0 4
login local
!
ntp clock-period 17208398
ntp server 17.253.100.1
no scheduler allocate
end
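To show why the posted access-list stops the DNS servers' own lookups while the lines in the reply let them through, here is an added example (not from either message) that evaluates packets against the access-list syntax used above, with first-match semantics and the implicit deny. The outside-host addresses are constructed; the list is applied inbound on the outside interface, which IOS checks before NAT, so it sees the global address 63.161.251.4 rather than 17.0.17.254.

```python
import ipaddress
ORIGINAL_ACL = [  # the entries of the posted access-list 100 that govern DNS
    "access-list 100 permit tcp any host 63.161.251.4 eq 53",
    "access-list 100 permit udp any host 63.161.251.4 eq 53",
    "access-list 100 deny ip any any log",
]
PROPOSED_LINES = [  # the reply's lines: they match on the *source* port instead
    "access-list 100 permit tcp any eq 25 host 63.161.251.2",
    "access-list 100 permit tcp any eq 53 host 63.161.251.4",
    "access-list 100 permit tcp any eq 53 host 63.161.251.5",
    "access-list 100 permit udp any eq 53 host 63.161.251.4",
]

def parse_ace(line):
    """'access-list N permit|deny proto src [eq p] dst [eq p] [log]' -> tuple."""
    tok = line.split()
    rest = tok[4:]
    def addr():  # consume 'any' or 'host A.B.C.D', then an optional 'eq <port>'
        kind = rest.pop(0)
        net = ipaddress.ip_network("0.0.0.0/0" if kind == "any" else rest.pop(0) + "/32")
        port = None
        if rest[:1] == ["eq"]:
            port, rest[:2] = int(rest[1]), []
        return net, port
    src, sport = addr()
    dst, dport = addr()
    return tok[2], tok[3], src, sport, dst, dport

def matches(ace, p):
    _, proto, src, sport, dst, dport = ace
    return (proto in ("ip", p["proto"]) and ipaddress.ip_address(p["src"]) in src
            and ipaddress.ip_address(p["dst"]) in dst
            and sport in (None, p["sport"]) and dport in (None, p["dport"]))

def evaluate(acl, pkt):
    """First match wins; an unmatched packet hits the implicit deny at the end."""
    for ace in map(parse_ace, acl):
        if matches(ace, pkt):
            return ace[0]
    return "deny"

def dns_verdicts():
    """(before, after) verdict for each DNS flow arriving inbound on Serial0/0."""
    query = {"proto": "udp", "src": "203.0.113.10", "sport": 40123,
             "dst": "63.161.251.4", "dport": 53}  # outside client asks our server
    reply = {"proto": "udp", "src": "198.51.100.53", "sport": 53,
             "dst": "63.161.251.4", "dport": 51234}  # answer to a lookup our server sent
    fixed = PROPOSED_LINES + ORIGINAL_ACL
    return {"query": (evaluate(ORIGINAL_ACL, query), evaluate(fixed, query)),
            "reply": (evaluate(ORIGINAL_ACL, reply), evaluate(fixed, reply))}
```

A stateless permit keyed on source port 53 admits any packet that merely claims that source port, so where the IOS image supports it, a reflexive access-list or CBAC (ip inspect) that tracks the servers' outbound lookups is the tighter way to admit the replies.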
**Please read:http://www.groupstudy.com/list/posting.html
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:32:15 GMT-3