https://community.cisco.com/t5/network-security/return-traffic-acl-issues/m-p/817108#M985554 <HTML><HEAD></HEAD><BODY><P>Yes, palomoj has this right. The return traffic would have a source port of 53 and a destination port of any.</P></BODY></HTML> Mon, 02 Jul 2007 12:26:36 GMT acomiskey 2007-07-02T12:26:36Z https://community.cisco.com/t5/network-security/return-traffic-acl-issues/m-p/817103#M985549 <P>I have a 1721 router at home as my gateway to the internet and firewall, running fw ios 12.3.22. i have 5 static ips and currently using 2 internal networks each one on a different public ip. i have overloaded nat set up and the actual ip on the internet facing interface is in the middle of my range and at the moment not in use. the problem im having is return udp traffic. I do not want to permit everything inbound on the wan side so i set up an access list to allow the inbound traffic i needed and return udp traffic. The problem so far has been DNS. When i looked at the logged blocks it looks like the return dns traffic is going to a different port then 53. I am guessing this is due to the natting but i do not know what the best way to get around this is. i have the permit any any eq 53 but because the retrun traffic seems to be coming in on a different port.</P> Mon, 11 Mar 2019 10:38:11 GMT https://community.cisco.com/t5/network-security/return-traffic-acl-issues/m-p/817103#M985549 ryancolson 2019-03-11T10:38:11Z https://community.cisco.com/t5/network-security/return-traffic-acl-issues/m-p/817104#M985550 <HTML><HEAD></HEAD><BODY><P>Do you have DNS inspection enabled? </P><P></P><P>If you want to permit return DNS replies through your WAN ACL you need to have an ACL entry like the following:</P><P></P><P>permit udp any eq domain any</P><P></P><P>or </P><P></P><P>permit udp host x.x.x.x eq domain any</P></BODY></HTML> Mon, 02 Jul 2007 02:45:28 GMT https://community.cisco.com/t5/network-security/return-traffic-acl-issues/m-p/817104#M985550 palomoj 2007-07-02T02:45:28Z https://community.cisco.com/t5/network-security/return-traffic-acl-issues/m-p/817105#M985551 <HTML><HEAD></HEAD><BODY><P>i have a line in there</P><P>access-list 101 permit udp any any eq 53</P><P>I had the denied traffic loged and the dest. port on the return dns querys wasnt port 53</P></BODY></HTML> Mon, 02 Jul 2007 02:55:27 GMT https://community.cisco.com/t5/network-security/return-traffic-acl-issues/m-p/817105#M985551 ryancolson 2007-07-02T02:55:27Z https://community.cisco.com/t5/network-security/return-traffic-acl-issues/m-p/817106#M985552 <HTML><HEAD></HEAD><BODY><P>that ACL line does not apply to return UDP DNS replies, it will allow inbound UDP DNS resolution requests</P></BODY></HTML> Mon, 02 Jul 2007 04:28:22 GMT https://community.cisco.com/t5/network-security/return-traffic-acl-issues/m-p/817106#M985552 palomoj 2007-07-02T04:28:22Z https://community.cisco.com/t5/network-security/return-traffic-acl-issues/m-p/817107#M985553 <HTML><HEAD></HEAD><BODY><P>so the acl for any return udp traffic would be</P><P></P><P>permit udp any eq <PORT number=""> any?</PORT></P></BODY></HTML> Mon, 02 Jul 2007 12:11:23 GMT https://community.cisco.com/t5/network-security/return-traffic-acl-issues/m-p/817107#M985553 ryancolson 2007-07-02T12:11:23Z https://community.cisco.com/t5/network-security/return-traffic-acl-issues/m-p/817108#M985554 <HTML><HEAD></HEAD><BODY><P>Yes, palomoj has this right. The return traffic would have a source port of 53 and a destination port of any.</P></BODY></HTML> Mon, 02 Jul 2007 12:26:36 GMT https://community.cisco.com/t5/network-security/return-traffic-acl-issues/m-p/817108#M985554 acomiskey 2007-07-02T12:26:36Z https://community.cisco.com/t5/network-security/return-traffic-acl-issues/m-p/817109#M985555 <HTML><HEAD></HEAD><BODY><P>Thank you very much. I am still kinda new at this and i really appreciate you guys helping me out. Also just out of curiosity is their any way to make all blocked ports not respond instead of responding as closed or blocked(to stealth them)</P></BODY></HTML> Mon, 02 Jul 2007 12:29:21 GMT https://community.cisco.com/t5/network-security/return-traffic-acl-issues/m-p/817109#M985555 ryancolson 2007-07-02T12:29:21Z https://community.cisco.com/t5/network-security/return-traffic-acl-issues/m-p/817110#M985556 <HTML><HEAD></HEAD><BODY><P>It's probably better to use reflexive acl's in this case..</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_command_reference_chapter09186a00800ca7bb.html" target="_blank">http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_command_reference_chapter09186a00800ca7bb.html</A></P></BODY></HTML> Mon, 02 Jul 2007 16:53:46 GMT https://community.cisco.com/t5/network-security/return-traffic-acl-issues/m-p/817110#M985556 srue 2007-07-02T16:53:46Z