https://community.cisco.com/t5/network-security/pix-acl-question-v7-2/m-p/1313331#M858778 <HTML><HEAD></HEAD><BODY><P>Thanks much for the confirmation on my suspicion...think I'll remove and see what happens. Cheers</P></BODY></HTML> Thu, 09 Jul 2009 18:35:00 GMT nagel 2009-07-09T18:35:00Z https://community.cisco.com/t5/network-security/pix-acl-question-v7-2/m-p/1313327#M858765 <P>Can someone explain to me what the difference in the following 2 ACLs are :</P><P></P><P>access-list outside_acl extended permit udp any any eq 4500 </P><P></P><P>access-list outside_acl extended permit udp any eq domain any</P><P></P><P>This is the access-list applied to my outside interface. (in interface outside)</P><P></P><P>The "domain" entry is one that I inherited and is the only one formatted SOURCE PROTOCOL DESTINATION</P><P></P><P>All others are formatted SOURCE DESTINATION PROTOCOL</P><P></P><P>I have googled this till I'm blue in the clicker and I see lots of reference to the exact same entry but no one ever explains exactly "what it does" or why it is "formatted" like that.</P><P></P><P>Thanks in advance for the assistance...</P> Mon, 11 Mar 2019 15:53:08 GMT https://community.cisco.com/t5/network-security/pix-acl-question-v7-2/m-p/1313327#M858765 nagel 2019-03-11T15:53:08Z https://community.cisco.com/t5/network-security/pix-acl-question-v7-2/m-p/1313328#M858769 <HTML><HEAD></HEAD><BODY><P>The difference is:-</P><P></P><P>access-list outside_acl extended permit udp any any eq 4500 - allows any source to any destination, as long as the destination UDP port equals 4500</P><P></P><P>access-list outside_acl extended permit udp any eq domain any - allows any source to any destinaton as long as the source UDP port is 53</P><P></P><P>HTH&gt;</P></BODY></HTML> Thu, 09 Jul 2009 15:10:55 GMT https://community.cisco.com/t5/network-security/pix-acl-question-v7-2/m-p/1313328#M858769 andrew.prince 2009-07-09T15:10:55Z https://community.cisco.com/t5/network-security/pix-acl-question-v7-2/m-p/1313329#M858772 <HTML><HEAD></HEAD><BODY><P>That is exactly what I was looking for. One more question. Still not sure why the DNS entry would be on my outside interface as I can think of no reason why someone coming in from outside would need this access. </P><P></P><P>We do have local DNS on a box inside and and our main DNS is provided by ISP.</P><P></P><P>Any good reason you can think of for having this entry?</P><P></P><P>Thanks again....</P></BODY></HTML> Thu, 09 Jul 2009 16:49:36 GMT https://community.cisco.com/t5/network-security/pix-acl-question-v7-2/m-p/1313329#M858772 nagel 2009-07-09T16:49:36Z https://community.cisco.com/t5/network-security/pix-acl-question-v7-2/m-p/1313330#M858776 <HTML><HEAD></HEAD><BODY><P>Lonnie</P><P></P><P>"Any good reason you can think of for having this entry?"</P><P></P><P>If you are not hosting a DNS server internally that answers requests from the Internet then no i can't see a good reason. Even if you were you would expect the destination to be tied down to at least just your DNS servers.</P><P></P><P>As UDP is pseudo-stateful on the pix, ie a timer is used, then any connections initiated from the inside would not need a line in the outside acl. </P><P></P><P>Perhaps the previous admin was trying to get something working, tried that line and forgot to take it out. Surprising how often that happens <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P></P><P>Jon</P></BODY></HTML> Thu, 09 Jul 2009 17:14:43 GMT https://community.cisco.com/t5/network-security/pix-acl-question-v7-2/m-p/1313330#M858776 Jon Marshall 2009-07-09T17:14:43Z https://community.cisco.com/t5/network-security/pix-acl-question-v7-2/m-p/1313331#M858778 <HTML><HEAD></HEAD><BODY><P>Thanks much for the confirmation on my suspicion...think I'll remove and see what happens. Cheers</P></BODY></HTML> Thu, 09 Jul 2009 18:35:00 GMT https://community.cisco.com/t5/network-security/pix-acl-question-v7-2/m-p/1313331#M858778 nagel 2009-07-09T18:35:00Z