01-23-2013 01:53 PM - edited 03-11-2019 05:51 PM
Hello All,
I've got a problem on a router with CBAC and an ACL on the outside interface. When I apply the access-group INTERNET I lose DNS access from inside. The DNS server is the router and name servers 8.8.8.8 8.8.8.4
Can anyone see what I'm doing wrong here? I've been looking at this for hours and I'm getting the mind blur.
Thanks in advance
Dave
! Inspection rule set; applied outbound on Dialer1 below, so return traffic
! for sessions it has seen is admitted past the inbound ACL
ip inspect name CBAC-1 dns
ip inspect name CBAC-1 ftp
ip inspect name CBAC-1 h323
ip inspect name CBAC-1 https
ip inspect name CBAC-1 icmp
ip inspect name CBAC-1 imap
ip inspect name CBAC-1 pop3
ip inspect name CBAC-1 netshow
ip inspect name CBAC-1 shell
ip inspect name CBAC-1 rtsp
ip inspect name CBAC-1 streamworks
ip inspect name CBAC-1 tftp
ip inspect name CBAC-1 vdolive
ip inspect name CBAC-1 tcp
ip inspect name CBAC-1 udp
ip inspect name CBAC-1 pptp
!
object-group network ABCD
 host 195.X.X.53
 82.X.X.144 255.255.255.248
 host 84.X.X.242
 host 84.X.X.243
 82.X.X.16 255.255.255.248
 195.X.X.8 255.255.255.248
 84.X.X.24 255.255.255.248
 host 8.8.8.8
 host 85.X.X.4
 host 8.8.4.4
 host 86.X.X.33
!
interface Dialer1
 ip address negotiated
 no ip unreachables
 ip mtu 1492
 ip flow ingress
 ip inspect CBAC-1 out
 ip access-group INTERNET in
!
! Inbound ACL on Dialer1; anything not matched here (or by an inspection
! session) hits the implicit deny at the end
ip access-list extended INTERNET
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 permit icmp any any echo
 permit udp any any eq non500-isakmp
 permit udp any any eq isakmp
 permit esp any any
 permit gre any any
 permit ahp any any
 permit tcp object-group ABCD host 109.X.X.81 eq smtp
 permit tcp object-group ABCD host 109.X.X.81 eq 22
 permit tcp object-group ABCD host 109.X.X.81 eq 3389
 permit udp object-group ABCD host 109.X.X.81 eq snmp
 permit tcp any host 109.X.X.81 eq pop3
 permit tcp any host 109.X.X.81 eq 143
 permit tcp any host 109.X.X.81 eq 443
 permit tcp any host 109.X.X.82 eq 443
 permit tcp any host 109.X.X.82 eq 9000
 permit tcp host 84.X.X.27 host 109.X.X.81 eq smtp
 permit tcp host 85.X.X.4 host 109.X.X.84 eq 5060
 permit udp host 85.X.X.4 host 109.X.X.84 eq 5060
 permit udp object-group ABCD host 109.X.X.81 eq domain
01-23-2013 02:30 PM
ip inspect name CBAC-1 tcp router-traffic
ip inspect name CBAC-1 udp router-traffic
ip inspect name CBAC-1 icmp router-traffic
With that, the outgoing packets from the router are also inspected and the answers are allowed in.
If you want to do it only with the ACL you have to configure it the following way (assuming 109.X.X.81 is your outside IP):
permit udp object-group ABCD eq domain host 109.X.X.81
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
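To make the two fixes above concrete, here is a small model (added for this page; it is not Cisco code and not part of any post in the thread) of how the inbound ACL and the CBAC session table treat a DNS reply to the router. It parses IOS-style object-groups and extended ACL entries, applies first-match semantics with the implicit deny, and models a CBAC session table with and without `router-traffic`. All addresses and ports are constructed for the example: 203.0.113.81 stands in for the masked 109.X.X.81 outside address, 198.51.100.16/29 for one of the masked object-group subnets, and 51234 is an arbitrary ephemeral source port.

```python
"""Model of why the posted ACL drops DNS replies to the router (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"domain": 53, "smtp": 25, "pop3": 110, "snmp": 161,
              "isakmp": 500, "non500-isakmp": 4500}


@dataclass(frozen=True)
class Packet:
    proto: str   # "udp", "tcp", "icmp", ...
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self):
        return Packet(self.proto, self.dst, self.dport, self.src, self.sport)


@dataclass
class Ace:
    action: str
    proto: str
    src: list
    sport: Optional[int]
    dst: list
    dport: Optional[int]


def parse_groups(text):
    """Parse `object-group network NAME` blocks into {name: [networks]}."""
    groups, current = {}, None
    for line in text.splitlines():
        t = line.split()
        if not t or t[0] == "!":
            continue
        if t[:2] == ["object-group", "network"]:
            current = groups.setdefault(t[2], [])
        elif t[0] == "host":
            current.append(ipaddress.ip_network(t[1]))
        else:  # "addr netmask" form, as used inside object-groups
            current.append(ipaddress.ip_network(f"{t[0]}/{t[1]}", strict=False))
    return groups


def _wildcard_to_network(addr, wildcard):
    """ACL lines use wildcard (inverse) masks, e.g. 0.0.0.255 for a /24."""
    wc = int(ipaddress.ip_address(wildcard))
    if wc & (wc + 1):
        raise ValueError("non-contiguous wildcard not modelled: " + wildcard)
    return ipaddress.ip_network(f"{addr}/{32 - wc.bit_length()}", strict=False)


def _parse_addr(t, groups):
    if t[0] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], t[1:]
    if t[0] == "host":
        return [ipaddress.ip_network(t[1])], t[2:]
    if t[0] == "object-group":
        return groups[t[1]], t[2:]
    return [_wildcard_to_network(t[0], t[1])], t[2:]


def _parse_port(t):
    if t and t[0] == "eq":
        p = PORT_NAMES.get(t[1])
        return (p if p is not None else int(t[1])), t[2:]
    return None, t


def parse_acl(text, groups):
    """Parse extended ACL entries; ICMP type keywords are accepted but ignored."""
    acl = []
    for line in text.splitlines():
        t = line.split()
        if not t or t[0] not in ("permit", "deny"):
            continue
        action, proto = t[0], t[1]
        src, t = _parse_addr(t[2:], groups)
        sport, t = _parse_port(t)      # a port right after the source = source port
        dst, t = _parse_addr(t, groups)
        dport, t = _parse_port(t)      # a port after the destination = destination port
        acl.append(Ace(action, proto, src, sport, dst, dport))
    return acl


def acl_action(acl, pkt):
    """First-match semantics with the implicit `deny ip any any` at the end."""
    sip, dip = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for ace in acl:
        if ace.proto not in ("ip", pkt.proto):
            continue
        if not any(sip in n for n in ace.src) or not any(dip in n for n in ace.dst):
            continue
        if ace.sport is not None and ace.sport != pkt.sport:
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        return ace.action
    return "deny"


class Cbac:
    """Outbound inspected packets open a session that admits the reverse flow;
    router-originated packets only do so when `router-traffic` is configured."""
    def __init__(self, router_traffic):
        self.router_traffic = router_traffic
        self.sessions = set()

    def outbound(self, pkt, from_router):
        if from_router and not self.router_traffic:
            return
        self.sessions.add(pkt.reverse())

    def inbound_allowed(self, pkt, acl):
        return pkt in self.sessions or acl_action(acl, pkt) == "permit"


# Constructed stand-ins for the masked addresses in the post
GROUPS = parse_groups("""object-group network ABCD
 host 8.8.8.8
 host 8.8.4.4
 198.51.100.16 255.255.255.248
""")
ROUTER_WAN = "203.0.113.81"   # assumed stand-in for the router's outside address

ACL_AS_POSTED = parse_acl(f"""
 permit icmp any any echo-reply
 permit udp any any eq isakmp
 permit tcp any host {ROUTER_WAN} eq 443
 permit udp object-group ABCD host {ROUTER_WAN} eq domain
""", GROUPS)
# The ACL-only fix from the answer: match source port 53 of the reply instead
ACL_FIXED = ACL_AS_POSTED + parse_acl(
    f" permit udp object-group ABCD eq domain host {ROUTER_WAN}", GROUPS)

# Constructed traffic: the router's own resolver queries 8.8.8.8 from an ephemeral port
QUERY = Packet("udp", ROUTER_WAN, 51234, "8.8.8.8", 53)
REPLY = QUERY.reverse()


def dns_reply_allowed(acl, router_traffic):
    cbac = Cbac(router_traffic)
    cbac.outbound(QUERY, from_router=True)
    return cbac.inbound_allowed(REPLY, acl)


if __name__ == "__main__":
    print("posted config:  ", dns_reply_allowed(ACL_AS_POSTED, router_traffic=False))
    print("ACL-only fix:   ", dns_reply_allowed(ACL_FIXED, router_traffic=False))
    print("router-traffic: ", dns_reply_allowed(ACL_AS_POSTED, router_traffic=True))
```

The model shows the two points in the answer: the posted `eq domain` sits after the destination, so it only matches packets sent *to* port 53 on the router (inbound queries), never the replies whose source port is 53; and with `router-traffic` the reply is admitted by the inspection session, so no per-service return entries are needed in the ACL at all.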
01-23-2013 02:53 PM
But the version with the "router-traffic" keyword is much more elegant as you don't need all the lines for return-traffic that is sourced by the router. That can also be outgoing pings, NTP and so on. Give it a try ...
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
01-23-2013 02:36 PM
Thanks Karsten. Exactly what I was missing was the outbound traffic allow:
permit udp object-group ABCD eq domain host 109.X.X.81
01-24-2013 08:55 AM
Yeah I like it much better. Thanks for this.