cbac and dns requests

mateomateo1
Level 1

Can anyone tell me why my DNS requests with CBAC are not working? I allowed everything from inside out, but DNS requests are not allowed for some reason...


Building configuration...

Current configuration : 3265 bytes
!
! Last configuration change at 08:47:57 UTC Thu Jun 14 2012 by admin
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname oecl
!
boot-start-marker
boot-end-marker
!
!
logging buffered 64000
enable secret 5 $1$kIPV$0ixUVG.EY10hIznM/HN5z/
!
aaa new-model
!
!
aaa authentication login default local-case
!
!
!
!
!
aaa session-id common
!
!
no ipv6 source-route
no ipv6 cef
no ip source-route
ip cef
!
!
!
ip dhcp excluded-address 10.28.3.1 10.28.3.2
ip dhcp excluded-address 10.28.4.1 10.28.4.2
!
ip dhcp pool OEC2al
network 10.28.3.0 255.255.255.0
default-router 10.28.3.1
dns-server 10.28.3.1
domain-name oec2al.co.uk
lease 5
!
ip dhcp pool Wellmax
network 10.28.4.0 255.255.255.0
default-router 10.28.4.1
dns-server 10.28.4.1
lease 5
!
!
no ip bootp server
ip name-server 8.8.8.8
ip name-server 4.2.2.5
ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name firewall icmp
!
multilink bundle-name authenticated
!
!
crypto pki token default removal timeout 0
!
!
license udi pid CISCO2911/K9 sn FCZ1605705Q
!
!
username admin secret 5 $1$L94s$LrPxn0IWRRu74KEQvlWIL/
!
redundancy
!
!
!
!
ip tcp selective-ack
ip tcp timestamp
ip tcp path-mtu-discovery
!
!
!
!
!
!
!
interface Loopback1
ip address 1.1.1.1 255.255.255.0
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description WAN
ip address 10.28.9.241 255.255.255.0
ip access-group 102 in
ip nat outside
ip inspect firewall out
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
no ip address
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1.1
encapsulation dot1Q 1 native
no cdp enable
!
interface GigabitEthernet0/1.3
encapsulation dot1Q 3
ip address 10.28.3.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
no cdp enable
!
interface GigabitEthernet0/1.4
encapsulation dot1Q 4
ip address 10.28.4.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
no cdp enable
!
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip dns server
ip nat inside source list 100 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 10.28.9.251
!
access-list 5 remark -=VTY local access=-
access-list 5 permit 10.28.3.0 0.0.0.255
access-list 100 remark -=NAT access=-
access-list 100 permit ip 10.28.0.0 0.0.255.255 any
access-list 101 remark -=VTY access restriction=-
access-list 101 permit ip host 181.143.217.54 any
access-list 102 remark -=Local firewall=-
access-list 102 permit icmp any any unreachable
access-list 102 permit icmp any any time-exceeded
access-list 102 permit icmp any any echo-reply
access-list 102 permit ip host 181.143.217.54 any
!
no cdp run
!
!
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class 5 in
transport input ssh
!
scheduler allocate 20000 1000
end

4 Replies

Jennifer Halim
Cisco Employee

The CBAC configuration looks OK. What DNS server are you using to resolve it? How do you know CBAC is blocking the DNS request?

I have set up two public DNS servers; it works OK until I enable access-list 102. I solved this problem by adding the entry permit tcp any eq 53 any to ACL 102, but on a different router (also a 2911) everything was OK, and the CBAC and the config were similar. What could be wrong?

TCP/53? Weird...

A DNS request normally uses UDP/53, and a zone transfer uses TCP/53. Not sure why your DNS request is using TCP.

My fault, of course UDP, not TCP, but anyway without that entry my DNS is not working, and that is weird.
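Added note (not part of the original thread, and not from either poster): the posted config explains the symptom. The DHCP pools hand out 10.28.3.1 / 10.28.4.1 as the resolver and `ip dns server` makes the router proxy those lookups to 8.8.8.8 and 4.2.2.5, so the UDP/53 query leaving Gi0/0 is generated by the router itself. CBAC only inspects traffic that passes through the router; router-originated sessions are not added to the inspect table unless the `router-traffic` keyword is configured, so the reply from the public resolver finds no dynamic entry and is dropped by ACL 102. Client traffic such as HTTP is transit traffic, gets inspected, and works, which is why only DNS appeared to break and why the other 2911 (presumably not proxying DNS) behaved differently. The example below is an added illustration; it assumes the image accepts the `router-traffic` keyword (added to CBAC in 12.3(14)T) and the named-mode editing of a numbered ACL (`ip access-list extended 102`), and it shows the thread's workaround next to two tighter fixes and the commands to confirm which path is in effect.

```cisco
! Added example, not the original poster's config.
!
! --- Workaround from the thread (works, but is broad) ---
! IOS renders "eq 53" as "eq domain". Any packet with SOURCE port 53,
! including a spoofed one, now passes the inbound ACL on Gi0/0.
access-list 102 permit udp any eq domain any
!
! --- Fix 1: let CBAC track sessions the router itself originates ---
! Re-entering the protocol line with router-traffic (assumption: supported
! by this 15.1 image) adds router-generated UDP/TCP flows, including the
! DNS-proxy queries to 8.8.8.8 / 4.2.2.5, to the inspect table, so the
! reply is matched statefully and the ACL hole above is not needed.
ip inspect name firewall tcp router-traffic
ip inspect name firewall udp router-traffic
ip inspect name firewall icmp
!
! --- Fix 2 (alternative): stop proxying, make the lookups transit traffic ---
! Hand the public resolvers straight to the clients. The query then passes
! through the router, is NATed and inspected like any other UDP flow.
ip dhcp pool OEC2al
 dns-server 8.8.8.8 4.2.2.5
ip dhcp pool Wellmax
 dns-server 8.8.8.8 4.2.2.5
!
! --- If the static ACL entry is kept, scope it to the real peers ---
! Named-ACL mode on the numbered list removes only the one entry
! (a bare "no access-list 102 ..." would delete the whole ACL).
ip access-list extended 102
 no permit udp any eq domain any
 permit udp host 8.8.8.8 eq domain host 10.28.9.241
 permit udp host 4.2.2.5 eq domain host 10.28.9.241
!
! --- Verify which path is carrying the replies ---
! show ip inspect sessions      -> with Fix 1 expect a udp entry
!                                  10.28.9.241 -> 8.8.8.8:53
! show ip inspect config        -> confirms router-traffic on tcp/udp
! show ip access-lists 102      -> hit counter on the udp domain line
!                                  should stay at 0 once Fix 1 or 2 works
! debug ip inspect udp          -> shows the session being created
```

Fix 1 keeps the router as the caching resolver for the LAN while closing the static hole; Fix 2 removes the router from the DNS path entirely, which also means `ip dns server` can be turned off. Whichever is chosen, the `permit udp any eq domain any` line should not stay in ACL 102, since an inbound packet only has to set its source port to 53 to bypass the firewall's state check.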
