RE: Access-list Problem with UDP Port 53

2000-11-29 Thread Timothy Metz
Title: RE: Access-list Problem with UDP Port 53



Correct, when you make a TCP or UDP request on a known port (DNS, 
SMTP, FTP, etc.; check http://www.isi.edu/in-notes/iana/assignments/port-numbers for 
a list), the response from the destination is always (supposed to be always) 
returned on a port greater than 1023. This was the part that confused me: I 
couldn't figure out if you were trying to block your clients' DNS requests or 
block outside sources from making DNS requests to your DNS server. Keep 
tweaking it and if you need any help just ask.

  -----Original Message-----
  From: Richie, Nathan [mailto:[EMAIL PROTECTED]]
  Sent: Wednesday, November 29, 2000 2:59 PM
  To: '[EMAIL PROTECTED]'
  Subject: RE: Access-list Problem with UDP Port 53
  Basically, I am trying to protect the client's network 
  from the Internet. The serial interface is the gateway to their 
  ISP. I fully understand the purpose of access lists, but I am still 
  becoming familiar with the proper configuration for different scenarios to 
  provide the desired results. 
  
  I received an explanation from another gentleman in our study group. He 
  states that when you receive a DNS query reply, it uses a UDP port greater than 
  1023. So in order to get DNS responses, I need to open up UDP port 
  1023. I will do this using the ISP's DNS servers as the source 
  IP. Hope I made sense here.
  
  Thanks for your offer to help.


Access-list Problem with UDP Port 53

2000-11-28 Thread Richie, Nathan
Title: Access-list Problem with UDP Port 53





I am having a problem with an access-list on a 2600 router. It is used for the client's T1 connection. 


The access-list is as follows:


access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 deny ip 172.16.128.0 0.0.15.255 any
access-list 100 deny ip 192.168.0.0 0.0.255.255 any
access-list 100 permit tcp any any established
access-list 100 deny icmp any any timestamp-request
access-list 100 permit icmp any any
access-list 100 permit tcp any any eq www
access-list 100 permit tcp any any eq smtp
access-list 100 permit tcp any any eq pop3
access-list 100 permit udp any any eq domain
access-list 100 deny udp any any log
access-list 100 deny tcp any any log



When this acl is applied inbound on the serial interface, all web browsing stops. Looking at the logs and acl counters, it shows that UDP port 53 is being denied via the access-list 100 deny udp any any log statement.

From my understanding, TCP port 53 is used between DNS servers and UDP port 53 is used for DNS queries between clients and DNS servers. The client is not hosting a DNS server, so they only need DNS queries and replies to pass.

Upon changing access-list 100 deny udp any any log to access-list 100 permit udp any any log, all web browsing is enabled.

Could someone please shed some light on what I am missing here? 


Thanks in advance,


Nathan Richie





Re: Access-list Problem with UDP Port 53

2000-11-28 Thread Timothy Metz

Could you clarify your network
configuration? Is the 2600 at your location and connected to the client via
the T-1 on serX? I just did some similar but even more restrictive ACLs at
my job.

Tim

""Richie, Nathan"" [EMAIL PROTECTED] wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
I am having a problem with an access-list on a 2600 router.  It used for the
clients T1 connection.
the access-list as follows:
access-list 100 deny   ip 10.0.0.0 0.255.255.255 any
access-list 100 deny   ip 172.16.128.0 0.0.15.255 any
access-list 100 deny   ip 192.168.0.0 0.0.255.255 any
access-list 100 permit tcp any any established
access-list 100 deny   icmp any any timestamp-request
access-list 100 permit icmp any any
access-list 100 permit tcp any any eq www
access-list 100 permit tcp any any eq smtp
access-list 100 permit tcp any any eq pop3
access-list 100 permit udp any any eq domain
access-list 100 deny   udp any any log
access-list 100 deny   tcp any any log


When this acl is applied inbound on the serial interface, all web browsing
stops.  Looking at the logs and acl counters, it shows that UDP port 53 is
being denied via the "access-list 100 deny   udp any any log" statement.
From my understanding, TCP port 53 is used between DNS servers and UDP port
53 is used for DNS queries between clients and DNS servers.  The client is
not hosting a DNS server, so they only need DNS queries and replies to pass.
Upon changing "access-list 100 deny   udp any any log" to "access-list 100
permit   udp any any log", all web browsing is enabled.
Could someone please shed some light on what I am missing here?
Thanks in advance,
Nathan Richie


_
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



Re: Access-list Problem with UDP Port 53

2000-11-28 Thread Trentj
Title: Access-list Problem with UDP Port 53




Try the following:
access-list 100 permit udp any eq domain any


DNS queries go out on a dynamic 
UDP source port and the destination UDP port is 53. On the response to the DNS 
query, the UDP datagram is source UDP port 53, and the 
destination port is whatever dynamic UDP port was originally the 
source going out. Your original 
entry would work fine if it was an outbound access-list, but since it is inbound from the ISP, you need to make the 
adjustment.

Hope this helps

  ""Richie, Nathan"" [EMAIL PROTECTED] wrote in 
  message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
  I am having a problem with an access-list on a 2600 
  router. It used for the clients T1 connection. 
  the access-list as follows: 
  access-list 100 deny ip 
  10.0.0.0 0.255.255.255 any access-list 100 deny ip 172.16.128.0 0.0.15.255 any 
  access-list 100 deny ip 
  192.168.0.0 0.0.255.255 any access-list 100 permit tcp any any established access-list 100 deny icmp any any 
  timestamp-request access-list 100 
  permit icmp any any access-list 100 
  permit tcp any any eq www access-list 100 permit tcp any any eq smtp access-list 100 permit tcp any any eq pop3 
  access-list 100 permit udp any any eq 
  domain access-list 100 
  deny udp any any log access-list 100 deny tcp any any log 
  When this acl is applied inbound on the serial 
  interface, all web browsing stops. Looking at the logs and acl counters, 
  it shows that UDP port 53 is being denied via the "access-list 100 deny udp any any 
  log" statement.
  From my understanding, TCP port 53 is used between 
  DNS servers and UDP port 53 is used for DNS queries between clients and DNS 
  servers. The client is not hosting a DNS server, so they only need DNS 
  queries and replies to pass.
  Upon changing "access-list 100 deny udp any any 
  log" to "access-list 100 permit udp any any 
  log", all web browsing is 
  enabled.
  Could someone please shed some light on what I am 
  missing here? 
  Thanks in advance, 
  Nathan Richie
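The query/reply port behaviour Trentj and Tim describe, as an added example that is not part of the thread: a small Python model of first-match ACL evaluation showing why Nathan's inbound "permit udp any any eq domain" drops the resolver's replies while "permit udp any eq domain any" (here also limited to the ISP resolver's address, as Nathan planned) passes them. The addresses and ports are constructed sample values, and IP wildcard masks are not modelled.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Packet:
    proto: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int

@dataclass
class Entry:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches any protocol
    src_ip: Optional[str] = None     # exact host; None means "any"
    src_port: Optional[int] = None   # "eq" on the source port; None means any
    dst_port: Optional[int] = None   # "eq" on the destination port; None means any

def matches(entry: Entry, pkt: Packet) -> bool:
    # Every field that is set on the entry must equal the packet's field.
    if entry.proto != "ip" and entry.proto != pkt.proto:
        return False
    if entry.src_ip is not None and entry.src_ip != pkt.src_ip:
        return False
    if entry.src_port is not None and entry.src_port != pkt.src_port:
        return False
    if entry.dst_port is not None and entry.dst_port != pkt.dst_port:
        return False
    return True

def evaluate(acl: List[Entry], pkt: Packet) -> str:
    """First matching entry wins; an implicit deny follows the last entry."""
    for entry in acl:
        if matches(entry, pkt):
            return entry.action
    return "deny"

DOMAIN = 53
ISP_DNS = "198.51.100.53"   # constructed: the ISP resolver's address
CLIENT = "203.0.113.10"     # constructed: a host behind the 2600

# Nathan's inbound UDP entries: 'eq domain' on the destination only matches queries *to* 53.
ORIGINAL = [Entry("permit", "udp", dst_port=DOMAIN), Entry("deny", "udp")]
# Trentj's 'permit udp any eq domain any', restricted to the ISP resolver as source IP.
FIXED = [Entry("permit", "udp", src_ip=ISP_DNS, src_port=DOMAIN), Entry("deny", "udp")]

# Constructed packets: the resolver's reply to a query that left on ephemeral
# port 34567, and an unsolicited query from some other outside host.
DNS_REPLY = Packet("udp", ISP_DNS, CLIENT, DOMAIN, 34567)
UNSOLICITED_QUERY = Packet("udp", "198.51.100.7", CLIENT, 40000, DOMAIN)
```

Evaluating DNS_REPLY against ORIGINAL returns "deny" (the symptom in the ACL log), against FIXED "permit"; the unsolicited inbound query is permitted by ORIGINAL but denied by FIXED.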