If you want to allow your users to receive traffic from other DNS servers,
don't you need to allow in traffic with port 53 as the source?
Brian
On Wed, 1 Nov 2000, Brian Morkert wrote:
> You can accomplish this by allowing traffic on ports greater than 1023. Do
> this with the following statement(s).
>
> permit tcp any any gt 1023
> permit udp any any gt 1023
>
> Or...
> you could use reflexive access-lists.
>
> For reflexive access-lists:
> Put the following statement in an outbound access-list and apply it to the
> interface. "my-packets" can be any name you want.
>
> permit ip any any reflect my-packets
>
> Then on your inbound access-list put the following statement as the last
> statement in the list.
>
> evaluate my-packets
>
> The reflexive access-list is probably a better solution for this
> application.
>
> Best regards,
> Brian Morkert
> CCNA, MCSE
> -----Original Message-----
> From: Curtis Call [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, November 01, 2000 9:11 AM
> To: [EMAIL PROTECTED]
> Subject: Re: DNS and access-list
>
>
> You mentioned that you have an access-list allowing port 53 for tcp or udp
> but the question is, are you filtering the response that is coming back from
> the DNS server? Do you have access-lists filtering traffic coming from that
> direction? It will be responding to a dynamic port number (its destination
> won't be 53, it'll be whatever your computer decides) so I don't know a way
> to include that into an access-list unless you can force your computer to
> always use a certain port when performing DNS queries (which is something
> that I don't know how to set up).
>
> ---------- Original Message ----------------------------------
> From: "SH Wesson" <[EMAIL PROTECTED]>
> Reply-To: "SH Wesson" <[EMAIL PROTECTED]>
> Date: Wed, 01 Nov 2000 16:19:31 GMT
>
> >I want to allow a particular server to do DNS queries such that when they
> >type www.cisco.com or something like that, it will go to the specified DNS
> >server and find the ip address. I have an access list allowing port 53 for
> >tcp and udp and it doesn't work. Can anyone help? Thanks.
> >_________________________________
> >FAQ, list archives, and subscription info:
> http://www.groupstudy.com/list/cisco.html
> >Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
> >
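The filtering options raised in this thread, modelled in Python as an added example; it is not part of any poster's message and is not Cisco's implementation. Addresses, ports and function names are constructed for illustration, and the timeout that ages out real reflexive entries is ignored.

```python
from collections import namedtuple

Pkt = namedtuple("Pkt", "proto src sport dst dport")

# Constructed sample addresses (documentation ranges) and ports.
HOST, DNS, OTHER = "10.0.0.5", "192.0.2.53", "198.51.100.9"
QUERY = Pkt("udp", HOST, 40000, DNS, 53)          # outbound DNS query
INBOUND = [
    Pkt("udp", DNS, 53, HOST, 40000),             # the real DNS reply
    Pkt("udp", OTHER, 4444, HOST, 2049),          # unsolicited, high dst port
    Pkt("udp", OTHER, 53, HOST, 2049),            # unsolicited, source port 53
]

# Each inbound policy models one ACL line (function names are hypothetical).
def dst_eq_53(p, state):      # permit udp any any eq 53
    return p.dport == 53

def dst_gt_1023(p, state):    # permit udp any any gt 1023
    return p.dport > 1023

def src_eq_53(p, state):      # permit udp any eq 53 any
    return p.sport == 53

def reflexive(p, state):      # evaluate my-packets
    # Permit only the mirror image of a flow recorded on the way out.
    return (p.proto, p.dst, p.dport, p.src, p.sport) in state

def evaluate(policy, outbound=(QUERY,), inbound=INBOUND):
    # Outbound "permit ip any any reflect my-packets": record each flow.
    state = {(p.proto, p.src, p.sport, p.dst, p.dport) for p in outbound}
    return [policy(p, state) for p in inbound]

def compare():
    policies = (dst_eq_53, dst_gt_1023, src_eq_53, reflexive)
    return {f.__name__: evaluate(f) for f in policies}

if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(f"{name:12} reply/unsolicited-high/unsolicited-src53 = {verdicts}")
```

Only the reflexive policy passes the reply while dropping both unsolicited packets; the static port-based rules either drop the reply or admit traffic that no inside host requested.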