You can accomplish this by allowing traffic on ports greater than 1023.  Do
this with the following statement(s).

permit tcp any any gt 1023
permit udp any any gt 1023

Or...
you could use reflexive access-lists.

For reflexive access-lists:
Put the following statement in an outbound access-list and apply it to the
interface.  "my-packets" can be any name you want.

permit ip any any reflect my-packets

Then on your inbound access-list put the following statement as the last
statement in the list.

evaluate my-packets

The reflexive access-list is probably a better solution for this
application.

Best regards,
Brian Morkert
CCNA, MCSE
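To make the difference between the two suggestions concrete, here is an added illustration (not IOS configuration and not code from anyone on the list) that models access-list evaluation for one DNS query and its reply. The addresses and port numbers are constructed sample values, and the `ReflexiveList` class is a simplified stand-in for IOS reflexive entries: it mirrors the 5-tuple of the outbound packet but ignores the idle timeout a real router would apply.

```python
"""Model of Cisco-style access-list evaluation for a DNS query/reply pair.

Shows three inbound lists: one that only permits destination port 53 (drops
the reply), the "permit ... gt 1023" workaround (passes the reply and any other
traffic to a high port), and a reflexive list (passes only the mirrored flow).
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


# Each access-control entry is a predicate over a packet.  A list is evaluated
# top to bottom and ends with the implicit deny, as on IOS.
def permit_dport(proto, port):
    """permit <proto> any any eq <port>"""
    return lambda p: p.proto == proto and p.dport == port


def permit_dport_gt(proto, port):
    """permit <proto> any any gt <port>"""
    return lambda p: p.proto == proto and p.dport > port


def evaluate_acl(acl, packet):
    """True if any entry permits the packet; implicit deny otherwise."""
    return any(entry(packet) for entry in acl)


class ReflexiveList:
    """Simplified reflexive access-list (no idle timeout)."""

    def __init__(self):
        self.entries = set()  # mirrored (proto, src, sport, dst, dport) tuples

    def reflect(self, p):
        """Outbound 'permit ip any any reflect NAME': record the mirrored flow."""
        self.entries.add((p.proto, p.dst, p.dport, p.src, p.sport))

    def evaluate(self, p):
        """Inbound 'evaluate NAME': permit only packets matching a mirrored flow."""
        return (p.proto, p.src, p.sport, p.dst, p.dport) in self.entries


# Constructed sample flow: host 10.0.0.5 queries DNS server 192.0.2.53 from an
# ephemeral source port chosen by its OS; the reply comes back to that port.
QUERY = Packet("udp", "10.0.0.5", 49152, "192.0.2.53", 53)
REPLY = Packet("udp", "192.0.2.53", 53, "10.0.0.5", 49152)
# Constructed unrelated inbound packet to a different high port on the host.
UNRELATED = Packet("udp", "198.51.100.7", 5000, "10.0.0.5", 49999)

STATIC_53 = [permit_dport("udp", 53), permit_dport("tcp", 53)]
GT_1023 = STATIC_53 + [permit_dport_gt("udp", 1023), permit_dport_gt("tcp", 1023)]


def run_scenarios():
    """Return permit/deny outcome for each list and packet of interest."""
    reflexive = ReflexiveList()
    reflexive.reflect(QUERY)  # the outbound query passed the reflect entry
    reflexive_list = STATIC_53 + [reflexive.evaluate]  # evaluate goes last
    return {
        "port53_only_reply": evaluate_acl(STATIC_53, REPLY),
        "gt1023_reply": evaluate_acl(GT_1023, REPLY),
        "gt1023_unrelated": evaluate_acl(GT_1023, UNRELATED),
        "reflexive_reply": evaluate_acl(reflexive_list, REPLY),
        "reflexive_unrelated": evaluate_acl(reflexive_list, UNRELATED),
    }


if __name__ == "__main__":
    for name, allowed in run_scenarios().items():
        print(f"{name:22s} {'permit' if allowed else 'deny'}")
```

The `gt1023_unrelated` result is the reason the reflexive list is preferable: the `gt 1023` entries admit any inbound packet aimed at a high port whether or not a host inside asked for it, while the reflexive entry admits only the reply to a flow the router actually saw leave.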
-----Original Message-----
From: Curtis Call [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, November 01, 2000 9:11 AM
To: [EMAIL PROTECTED]
Subject: Re: DNS and access-list


You mentioned that you have an access-list allowing port 53 for tcp or udp,
but the question is: are you filtering the response that is coming back from
the DNS server?  Do you have access-lists filtering traffic coming from that
direction?  It will be responding to a dynamic port number (its destination
won't be 53, it'll be whatever your computer decides), so I don't know a way
to include that in an access-list unless you can force your computer to
always use a certain port when performing DNS queries (which is something
that I don't know how to set up).

---------- Original Message ----------------------------------
From: "SH Wesson" <[EMAIL PROTECTED]>
Reply-To: "SH Wesson" <[EMAIL PROTECTED]>
Date: Wed, 01 Nov 2000 16:19:31 GMT

>I want to allow a particular server to do DNS queries such that when they
>type www.cisco.com or something like that, it will go to the specified DNS
>server and find the ip address.  I have an access list allowing port 53 for
>tcp and udp and it doesn't work.  Can anyone help?  Thanks.
>_________________________________
>FAQ, list archives, and subscription info:
>http://www.groupstudy.com/list/cisco.html
>Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
>
