02-22-2013 04:42 PM
Hello! I have a Cisco 1841 router and a Cisco 2900XL switch. I am trying to get my ACLs to work, but whenever I do an extended ACL and let certain ones in (80, 443, 21, etc.), my computer gets an internet error saying it cannot contact the DNS server. I've tried several ways to fix it, but cannot seem to get it to work.
Right now I just have access-list 1 on. Eventually I would like to have only "Apple" and 101 on.
Thank you for your help!
-----
Current configuration : 2050 bytes
!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 ###########
!
no aaa new-model
!
dot11 syslog
ip source-route
!
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.5
ip dhcp excluded-address 192.168.1.200 192.168.1.255
no ip dhcp ping packets
!
ip dhcp pool lan
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 dns-server 8.8.8.8 8.8.4.4
!
ip dhcp pool LAN
 default-router 192.168.1.1
 dns-server 8.8.8.8 8.8.4.4
!
!
ip dhcp update dns
ip cef
ip name-server 8.8.8.8
ip name-server 8.8.4.4
no ipv6 cef
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
!
!
!
license udi pid ##### sn #####
!
redundancy
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip access-group 1 in
 ip access-group 1 out
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
ip forward-protocol nd
ip http server
no ip http secure-server
!
!
ip nat inside source list 1 interface FastEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 dhcp
!
ip access-list extended Apple
 permit udp any any range 3478 3497
 permit tcp any any eq 5223
 permit udp any any range 16384 16387
 permit udp any any range 16393 16402
!
access-list 1 permit any
access-list 101 permit tcp any any eq 80
access-list 101 permit tcp any host 192.168.1.202 eq 3389
access-list 101 permit tcp host 192.168.1.202 any eq 3389
access-list 101 permit tcp any host 192.168.1.202 eq ftp
access-list 101 permit tcp host 192.168.1.202 any eq ftp
!
!
!
!
!
!
control-plane
!
!
!
line con 0
 exec-timeout 2 30
line aux 0
line vty 0 4
 password #######
 login
 transport input all
!
scheduler allocate 20000 1000
end
02-22-2013 06:44 PM
Well, neither access list "Apple" nor 101 permits DNS (TCP/UDP port 53).
Your computer either needs to use a local hosts file or be allowed to talk to some DNS server, either private or public, in order to resolve names to addresses. If the latter, the ports for DNS (and optionally a DNS server or servers of your choice) will need to be added to your access-list.
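As an added illustration (not from either post), a small Python evaluator for the numbered extended-ACL syntax in the poster's config: it shows a DNS query falling through to the implicit deny at the end of access-list 101, and passing once UDP/53 entries to the two configured resolvers are appended. The LAN client address and source port are constructed, and the parser handles only the `any`, `host`, `eq` and `range` forms that appear in the thread.

```python
import ipaddress

def _addr(tok):  # consume 'any' or 'host A.B.C.D', the only address forms in the thread
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    assert tok[0] == "host", tok[0]
    return ipaddress.ip_network(tok[1] + "/32"), tok[2:]

def _ports(tok):  # consume an optional 'eq P' or 'range LO HI'; None matches any port
    if tok and tok[0] in ("eq", "range"):
        lo = int({"www": 80, "ftp": 21, "domain": 53}.get(tok[1], tok[1]))  # IOS port names
        hi = int(tok[2]) if tok[0] == "range" else lo
        return (lo, hi), tok[3 if tok[0] == "range" else 2:]
    return None, tok

def parse_acl(text, number):
    """ACEs of numbered extended ACL `number`, in order: action proto src [sport] dst [dport]."""
    aces = []
    for line in text.splitlines():
        tok = line.split()
        if tok[:2] == ["access-list", str(number)]:
            action, proto, rest = tok[2], tok[3], tok[4:]
            src, rest = _addr(rest)
            sport, rest = _ports(rest)
            dst, rest = _addr(rest)
            aces.append((action, proto, src, sport, dst, _ports(rest)[0]))
    return aces

def evaluate(aces, proto, src, sport, dst, dport):
    """First matching ACE wins; a packet no ACE matches hits the implicit deny."""
    ok = lambda rng, port: rng is None or rng[0] <= port <= rng[1]
    for action, p, s, sp, d, dp in aces:
        if p in ("ip", proto) and ipaddress.ip_address(src) in s and ok(sp, sport) \
                and ipaddress.ip_address(dst) in d and ok(dp, dport):
            return action
    return "deny"

# Constructed input: the poster's access-list 101, with the "pemrit" typo corrected.
ORIGINAL_101 = """access-list 101 permit tcp any any eq 80
access-list 101 permit tcp any host 192.168.1.202 eq 3389
access-list 101 permit tcp host 192.168.1.202 any eq 3389
access-list 101 permit tcp any host 192.168.1.202 eq ftp
access-list 101 permit tcp host 192.168.1.202 any eq ftp"""
# The same list plus UDP/53 to the two resolvers the DHCP pool hands out.
FIXED_101 = ORIGINAL_101 + """
access-list 101 permit udp any host 8.8.8.8 eq domain
access-list 101 permit udp any host 8.8.4.4 eq domain"""

def dns_query_verdict(acl_text, resolver="8.8.8.8"):
    """Verdict for a UDP/53 query from a LAN host (192.168.1.50, constructed) to `resolver`."""
    return evaluate(parse_acl(acl_text, 101), "udp", "192.168.1.50", 50000, resolver, 53)
```

`dns_query_verdict(ORIGINAL_101)` returns `deny` while `dns_query_verdict(FIXED_101)` returns `permit`; a reply from the resolver would likewise need to be permitted by whatever list is applied in the other direction on the interface.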