ACL problem

From: Geert Nijs (geert.nijs@simac.be)
Date: Wed Jun 23 2004 - 03:16:16 GMT-3


I have a router connected to the internet and it has the following access-list configured in the INCOMING (!)
direction on the Internet interface:

access-list 110 deny ip 0.0.0.0 0.255.255.255 any
access-list 110 deny ip 10.0.0.0 0.255.255.255 any
access-list 110 deny ip 127.0.0.0 0.255.255.255 any
access-list 110 deny ip 172.16.0.0 0.15.255.255 any
access-list 110 deny ip 192.168.0.0 0.0.255.255 any
access-list 110 permit tcp any any established
access-list 110 permit udp host x.x.x.x any eq domain
access-list 110 permit icmp host y.y.y.y any echo-reply
access-list 110 permit icmp host z.z.z.z any echo-reply
access-list 110 deny ip any any log

x.x.x.x is a DNS server on the Internet.

The problem is that DNS is working, and I don't understand how this is possible with the above access-list?

The thing that bothered me was the line:

access-list 110 permit udp host x.x.x.x any eq domain

Shouldn't this be:

access-list 110 permit udp host x.x.x.x eq domain any

And with the above configuration, shouldn't DNS requests/answers be dropped? Or am I overlooking something simple here?

PS. Router runs version 12.2(23)

Regards,
Geert
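An added example, not part of Geert's post: a small evaluator for Cisco extended-ACL semantics (first match wins, wildcard bits set to 1 are ignored, a port qualifier applies to the address immediately before it) used to compare what the posted udp line and the proposed one match. The addresses are constructed stand-ins for x.x.x.x and the router's public side, the tcp established and icmp lines are omitted, and DNS replies are assumed to come from the server's port 53 back to whatever port the query was sent from.

```python
# Added example (not from the original post): evaluate the posted list 110 against
# sample DNS reply packets to show which udp line lets them through.
import ipaddress

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 1 bit means 'do not care about this bit'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)

# ACE tuple: (action, proto, src, src_wc, src_port, dst, dst_wc, dst_port);
# a port of None means any port, proto "ip" matches every protocol.
def ace_matches(ace, pkt) -> bool:
    action, proto, src, src_wc, sport, dst, dst_wc, dport = ace
    if proto != "ip" and proto != pkt["proto"]:
        return False
    if not wildcard_match(pkt["src"], src, src_wc) or not wildcard_match(pkt["dst"], dst, dst_wc):
        return False
    if sport is not None and pkt.get("sport") != sport:
        return False
    return dport is None or pkt.get("dport") == dport

def evaluate(acl, pkt) -> str:
    """First matching entry wins; anything unmatched hits the implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace[0]
    return "deny"

ANY = ("0.0.0.0", "255.255.255.255")
HOST = lambda ip: (ip, "0.0.0.0")
DNS_SERVER = "198.51.100.53"   # constructed; stands in for x.x.x.x
OUR_SIDE = "203.0.113.1"       # constructed; the router's Internet-facing address

# The two udp lines under discussion, as posted and as proposed.
AS_POSTED = ("permit", "udp", *HOST(DNS_SERVER), None, *ANY, 53)    # ... any eq domain
AS_PROPOSED = ("permit", "udp", *HOST(DNS_SERVER), 53, *ANY, None)  # ... eq domain any

def build_acl(dns_line):
    """List 110 with the bogon denies, the caller's udp line, and the final deny."""
    return [("deny", "ip", "10.0.0.0", "0.255.255.255", None, *ANY, None),
            ("deny", "ip", "172.16.0.0", "0.15.255.255", None, *ANY, None),
            ("deny", "ip", "192.168.0.0", "0.0.255.255", None, *ANY, None),
            dns_line,
            ("deny", "ip", *ANY, None, *ANY, None)]   # deny ip any any log

def dns_reply(to_port: int) -> dict:
    """A reply from the server's port 53 to the port our query came from."""
    return {"proto": "udp", "src": DNS_SERVER, "sport": 53, "dst": OUR_SIDE, "dport": to_port}

if __name__ == "__main__":
    for name, line in (("as posted", AS_POSTED), ("as proposed", AS_PROPOSED)):
        acl = build_acl(line)
        print(name, "| reply to ephemeral port:", evaluate(acl, dns_reply(40321)),
              "| reply to port 53:", evaluate(acl, dns_reply(53)))
```

The posted line only admits replies whose destination port is 53, so a reply to an ephemeral query port falls through to the logged deny, while the proposed line admits replies to any port; which case applies in practice depends on what source port the querying host uses.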



This archive was generated by hypermail 2.1.4 : Sat Jul 03 2004 - 19:40:48 GMT-3