Hi Mike,
You just need to allow DNS replies from A. So the correct ACL should look like:
ip access-list extended ACL-IN
permit tcp any eq www host 10.28.48.1
permit udp host 10.25.7.5 eq domain host 10.28.48.1
and apply it on B (inbound direction).
DNS queries are UDP. TCP is used mainly for DNS servers zone transfers.
Question: why don't you apply an ACL on C (on the interface where the server is located)?
HTH,
--
Piotr Matusiak
CCIE #19860 (R&S, SEC)
Technical Instructor
MicronicsTraining.com
If you can't explain it simply, you don't understand it well enough - Albert Einstein

2009/11/15 mike arnold <haynessmith70_at_gmail.com>

> Garry:
>
> The access-list you defined is as if the source is the server, but in our scenario
> the source can be anything because it is coming from anywhere on the
> internet. Though I applied your access-list, no results.
>
> Ahmed:
>
> Your access-list specifies that different sources will access the HTTP service on
> this server. I am not publishing my server, I want to access the internet from this
> server. I tried this also but no results.
>
> Before posting I tried the following access-list on Dynamips.
>
> 24 permit tcp any eq www host 10.28.48.1
> 25 permit tcp any host 10.28.48.1 eq www
>
> The above access-list works with Dynamips but is not working live. I hope I am
> missing allowing the DNS server IP address because our DNS is on router A.
>
> Is the below access-list correct for DNS??? DNS can work on TCP as well as
> on UDP, I am not sure, pls confirm.
>
> 26 permit tcp host 10.25.7.5 eq domain host 10.28.37.1
> 27 permit tcp host 10.25.7.5 host 10.28.37.1 eq domain
>
> Pls confirm
>
> On Sun, Nov 15, 2009 at 2:43 PM, Ahmed Ejaz <aahmedejaz_at_gmail.com> wrote:
>
>> Hi,
>>
>> permit tcp any host 10.1.1.2 eq www
>> deny ip any any
>>
>> HTH
>>
>> Ahmed
>>
>> On Sun, Nov 15, 2009 at 3:02 PM, mike arnold <haynessmith70_at_gmail.com> wrote:
>>
>>> PIX----------------A-------------B-------------------C---------------Server
>>>
>>> Access-lists are applied on router B in the inbound direction (packets coming
>>> from A). I want to let the server go on the internet for patch upgrades. There is
>>> no such access-list configured for outbound on B (packets coming from C).
>>> Before applying the access-list the server can go on the internet, but after
>>> applying the access-list it can't. The IP address on the server is 10.28.48.1
>>>
>>> Access-list configured is
>>>
>>> Extended IP access list Network
>>>
>>> 24 permit tcp any eq www host 10.28.48.1
>>> 35 deny ip any any (4701 matches)
>>>
>>> int vlan 100
>>> ip access-group Network in (interface facing A)
>>>
>>> Pls tell me what I am missing
>>>
>>> Thanks
>>>
>>>
>>> Blogs and organic groups at http://www.ccie.net
>>>
>>> _______________________________________________________________________
>>> Subscription information may be found at:
>>> http://www.groupstudy.com/list/CCIELab.html

Received on Sun Nov 15 2009 - 12:51:40 ART
This archive was generated by hypermail 2.2.0 : Tue Dec 01 2009 - 06:36:29 ART
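As an added illustration (not part of the thread and not IOS code), here is a small Python model of the first-match logic of the ACL applied inbound on B's interface facing A, run over constructed HTTP and DNS reply packets. It assumes the IOS implicit deny at the end of the list, a documentation-range address for the external web server, and that Mike's TCP-only DNS lines were meant for the server address 10.28.48.1.

```python
from ipaddress import ip_address, ip_network

# Added example, not from the thread: a toy first-match evaluator for the
# extended ACL applied inbound on router B's interface facing A. Addresses and
# entries are taken from the thread; the packets below are constructed.
ANY = ip_network("0.0.0.0/0")
SERVER, DNS_SERVER = "10.28.48.1", "10.25.7.5"

def host(ip):
    return ip_network(f"{ip}/32")

def match(entry, pkt):
    """entry = (action, proto, src_net, src_port, dst_net, dst_port); None means any port."""
    action, proto, src, sport, dst, dport = entry
    return (proto in ("ip", pkt["proto"])
            and ip_address(pkt["src"]) in src and (sport is None or pkt["sport"] == sport)
            and ip_address(pkt["dst"]) in dst and (dport is None or pkt["dport"] == dport))

def evaluate(acl, pkt):
    """IOS semantics: the first matching entry wins; implicit 'deny ip any any' at the end."""
    for entry in acl:
        if match(entry, pkt):
            return entry[0]
    return "deny"

# Mike's ACL "Network": only HTTP replies (source port 80) to the server get in.
ORIGINAL = [("permit", "tcp", ANY, 80, host(SERVER), None)]
# Mike's proposed DNS lines: TCP only (assumed to target the server address).
TCP_DNS_ONLY = ORIGINAL + [("permit", "tcp", host(DNS_SERVER), 53, host(SERVER), None)]
# Piotr's ACL-IN: the DNS reply is UDP from port 53 on the DNS server on router A.
CORRECTED = ORIGINAL + [("permit", "udp", host(DNS_SERVER), 53, host(SERVER), None)]

# Constructed return packets as they arrive on B from A (documentation range for the web server).
HTTP_REPLY = {"proto": "tcp", "src": "198.51.100.10", "sport": 80, "dst": SERVER, "dport": 51514}
DNS_REPLY = {"proto": "udp", "src": DNS_SERVER, "sport": 53, "dst": SERVER, "dport": 40000}

def verdicts(acl):
    """Return the ACL's decision for both return flows the server needs."""
    return {"http_reply": evaluate(acl, HTTP_REPLY), "dns_reply": evaluate(acl, DNS_REPLY)}

if __name__ == "__main__":
    for name, acl in (("ORIGINAL", ORIGINAL), ("TCP_DNS_ONLY", TCP_DNS_ONLY), ("CORRECTED", CORRECTED)):
        print(name, verdicts(acl))
```

Running it shows that both the original list and the TCP-only DNS lines drop the UDP DNS reply, so name resolution fails even though the HTTP reply itself would be permitted.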