ACL help

davidfield
Level 3

Hello All,

I've got a problem on a router with CBAC and an ACL on the outside interface. When I apply the access-group INTERNET I lose DNS access from inside. The DNS server is the router and name servers 8.8.8.8 8.8.8.4

Can anyone see what I'm doing wrong here? I've been looking at this for hours and I'm getting the mind blur.

Thanks in advance

Dave

ip inspect name CBAC-1 dns
ip inspect name CBAC-1 ftp
ip inspect name CBAC-1 h323
ip inspect name CBAC-1 https
ip inspect name CBAC-1 icmp
ip inspect name CBAC-1 imap
ip inspect name CBAC-1 pop3
ip inspect name CBAC-1 netshow
ip inspect name CBAC-1 shell
ip inspect name CBAC-1 rtsp
ip inspect name CBAC-1 streamworks
ip inspect name CBAC-1 tftp
ip inspect name CBAC-1 vdolive
ip inspect name CBAC-1 tcp
ip inspect name CBAC-1 udp
ip inspect name CBAC-1 pptp
!
object-group network ABCD
 host 195.X.X.53
 82.X.X.144 255.255.255.248
 host 84.X.X.242
 host 84.X.X.243
 82.X.X.16 255.255.255.248
 195.X.X.8 255.255.255.248
 84.X.X.24 255.255.255.248
 host 8.8.8.8
 host 85.X.X.4
 host 8.8.4.4
 host 86.X.X.33
!
interface Dialer1
 ip address negotiated
 no ip unreachables
 ip mtu 1492
 ip flow ingress
 ip inspect CBAC-1 out
 ip access-group INTERNET in
!
ip access-list extended INTERNET
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 permit icmp any any echo
 permit udp any any eq non500-isakmp
 permit udp any any eq isakmp
 permit esp any any
 permit gre any any
 permit ahp any any
 permit tcp object-group ABCD host 109.X.X.81 eq smtp
 permit tcp object-group ABCD host 109.X.X.81 eq 22
 permit tcp object-group ABCD host 109.X.X.81 eq 3389
 permit udp object-group ABCD host 109.X.X.81 eq snmp
 permit tcp any host 109.X.X.81 eq pop3
 permit tcp any host 109.X.X.81 eq 143
 permit tcp any host 109.X.X.81 eq 443
 permit tcp any host 109.X.X.82 eq 443
 permit tcp any host 109.X.X.82 eq 9000
 permit tcp host 84.X.X.27 host 109.X.X.81 eq smtp
 permit tcp host 85.X.X.4 host 109.X.X.84 eq 5060
 permit udp host 85.X.X.4 host 109.X.X.84 eq 5060
 permit udp object-group ABCD host 109.X.X.81 eq domain


ip inspect name CBAC-1 tcp router-traffic
ip inspect name CBAC-1 udp router-traffic
ip inspect name CBAC-1 icmp router-traffic

With that, also the outgoing packets from the router are inspected and the answers are allowed in.

If you want to do it only with the ACL you have to configure it the following way (assuming 109.X.X.81 is your outside IP):

permit udp object-group ABCD eq domain host 109.X.X.81

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
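To make the answer above concrete, here is an added example (not code from the thread, from Cisco or from either poster): a toy evaluator for the subset of IOS extended-ACL syntax used in the INTERNET list. It parses a few of the posted lines, with 203.0.113.81 standing in for the masked 109.X.X.81 and a cut-down ABCD group holding only 8.8.8.8 and 8.8.4.4, and runs a constructed DNS reply from 8.8.8.8 through both the original list and the list with Karsten's extra line. The original line `eq domain host 109.X.X.81` matches packets whose destination port is 53, i.e. queries arriving at the router; the reply to a query the router forwarded arrives with source port 53 and an ephemeral destination port, so it falls through to the implicit deny.

```python
"""Toy evaluator for the subset of Cisco IOS extended-ACL syntax used above.

Added example, not code from the thread. Masked addresses are replaced with
constructed documentation-range values (203.0.113.81 stands in for 109.X.X.81).
Supports: permit/deny, protocol keyword, 'any' | 'host A' | 'object-group G'
address specs, and an optional 'eq <port>' on either side.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# IOS port keywords that appear in the posted ACL.
PORT_NAMES = {"domain": 53, "smtp": 25, "pop3": 110, "snmp": 161,
              "isakmp": 500, "non500-isakmp": 4500}

# Constructed cut-down stand-in for 'object-group network ABCD'.
GROUPS = {"ABCD": [ipaddress.ip_network("8.8.8.8/32"),
                   ipaddress.ip_network("8.8.4.4/32")]}

# Three lines from the posted INTERNET list (constructed outside address).
ORIGINAL_ACL = """
permit udp any any eq isakmp
permit tcp object-group ABCD host 203.0.113.81 eq 22
permit udp object-group ABCD host 203.0.113.81 eq domain
"""
# The ACL-only fix from the reply: 'eq domain' moves to the source side.
FIXED_ACL = ORIGINAL_ACL + "permit udp object-group ABCD eq domain host 203.0.113.81\n"


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: int
    dport: int


@dataclass
class Ace:
    action: str
    proto: str
    src: List[ipaddress.IPv4Network]
    sport: Optional[int]
    dst: List[ipaddress.IPv4Network]
    dport: Optional[int]
    text: str


def _parse_addr(tokens, groups):
    """Consume one address spec; return (list of networks, remaining tokens)."""
    kind = tokens[0]
    if kind == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], tokens[1:]
    if kind == "host":
        return [ipaddress.ip_network(tokens[1] + "/32")], tokens[2:]
    if kind == "object-group":
        return groups[tokens[1]], tokens[2:]
    raise ValueError("unsupported address form: " + " ".join(tokens))


def _parse_port(tokens):
    """Consume an optional 'eq <port>' operator; return (port or None, rest)."""
    if tokens and tokens[0] == "eq":
        name = tokens[1]
        port = int(name) if name.isdigit() else PORT_NAMES[name]
        return port, tokens[2:]
    return None, tokens


def parse_acl(text: str, groups) -> List[Ace]:
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] not in ("permit", "deny"):
            continue
        src, rest = _parse_addr(tok[2:], groups)
        sport, rest = _parse_port(rest)
        dst, rest = _parse_addr(rest, groups)
        dport, rest = _parse_port(rest)  # leftovers such as ICMP type keywords are ignored
        aces.append(Ace(tok[0], tok[1], src, sport, dst, dport, " ".join(tok)))
    return aces


def _matches(addr: str, nets) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


def evaluate(aces: List[Ace], pkt: Packet) -> Tuple[str, str]:
    """First-match evaluation; an IOS ACL ends in an implicit deny."""
    for a in aces:
        if a.proto not in ("ip", pkt.proto):
            continue
        if not (_matches(pkt.src, a.src) and _matches(pkt.dst, a.dst)):
            continue
        if a.sport is not None and a.sport != pkt.sport:
            continue
        if a.dport is not None and a.dport != pkt.dport:
            continue
        return a.action, a.text
    return "deny", "implicit deny"


# Constructed packets: the reply to a query the router forwarded comes back
# from port 53 to the ephemeral port the router chose; an outsider's query
# arrives at port 53 from an address outside the ABCD group.
DNS_REPLY = Packet("udp", "8.8.8.8", "203.0.113.81", 53, 40123)
OUTSIDER_QUERY = Packet("udp", "198.51.100.9", "203.0.113.81", 51000, 53)

if __name__ == "__main__":
    for label, acl in (("original", ORIGINAL_ACL), ("fixed", FIXED_ACL)):
        print(label, evaluate(parse_acl(acl, GROUPS), DNS_REPLY))
```

Running it shows the reply hitting `implicit deny` under the original list and the new `eq domain host ...` line under the fixed one, while a query from outside the ABCD group is still dropped by both. The caveat a practitioner should keep in mind is that the ACL fix is stateless: any UDP datagram from a group member with source port 53 is admitted whether or not the router asked for it, which is why the `router-traffic` keyword, which lets CBAC open the return path only for sessions the router itself originated, is the cleaner option.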

Thanks Karsten, exactly what I was missing was the outbound traffic allow

permit udp object-group ABCD eq domain host 109.X.X.81

But the version with the "router-traffic" keyword is much more elegant as you don't need all the lines for return-traffic that is sourced by the router. That also can be outgoing pings, ntp and so on. Give it a try ...


Yeah I like it much better.  Thanks for this.
