CISCO 5505

alexa
Level 1

hello all-

I am trying to find some information on how I can create a firewall rule to only allow DNS (TCP/UDP), so ports 443/53 UDP are open to 208.67.222.222. I want to allow TCP/UDP IN/OUT to 208.67.222.222 or 208.67.220.220. Any help would be greatly appreciated.

thanks

2 Accepted Solutions

rvarelac
Level 7

Hi Alexa, 

The ASA is a stateful firewall, which means it will keep a connection table and permit traffic initiated from a higher security level to a lower security level. For example, traffic initiated from the inside network to the outside (internet) will be allowed.

If the DNS request or connection is generated from outside to inside from these servers, you can try the following config:

access-list Out_ACL extended permit udp host 208.67.222.222 any eq 53
access-list Out_ACL extended permit udp host 208.67.222.220 any eq 53
access-group Out_ACL in interface outside

Hope it helps

-Randy-


johnlloyd_13
Level 9

hi,

Just to add to Randy's post: if you're doing DNS zone transfers, you may want to add DNS TCP port 53.

There's also an ACL implicit deny, so you may want to add a line to permit other traffic.

access-list Out_ACL extended permit tcp host 208.67.222.222 any eq domain
access-list Out_ACL extended permit tcp host 208.67.222.220 any eq domain
access-list Out_ACL extended deny tcp any any eq domain
access-list Out_ACL extended deny udp any any eq domain
access-list Out_ACL extended permit ip any any

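The two replies above rely on how an ASA walks an access-list: top down, first matching line wins, and anything that reaches the end is dropped by the implicit deny. The following Python script is an added example (not from the thread and not Cisco code) that parses the combined rule set from both replies, written in full `extended` syntax, and evaluates sample packets against it so the effect of each line, and of leaving out the final `permit ip any any`, can be checked offline. The two resolver addresses are the ones from the original question (208.67.222.222 and 208.67.220.220); the inside host 10.0.0.5 is a constructed sample value, and the parser only handles the `host`, `any`, network-mask and destination `eq` forms that appear in this thread.

```python
"""First-match ACL evaluator modelling Cisco ASA access-list semantics.

Added example, not code from the thread. Models: top-down evaluation,
first match wins, implicit deny when no line matches. Only the syntax
used in the thread is parsed (host / any / net mask, destination 'eq').
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The combined ACL from both replies, in full 'extended' syntax.
# Resolver addresses are the ones from the question; the list order is
# the order the ASA would evaluate it in.
OUT_ACL = """
access-list Out_ACL extended permit udp host 208.67.222.222 any eq 53
access-list Out_ACL extended permit udp host 208.67.220.220 any eq 53
access-list Out_ACL extended permit tcp host 208.67.222.222 any eq domain
access-list Out_ACL extended permit tcp host 208.67.220.220 any eq domain
access-list Out_ACL extended deny tcp any any eq domain
access-list Out_ACL extended deny udp any any eq domain
access-list Out_ACL extended permit ip any any
"""

PORT_NAMES = {"domain": 53, "https": 443, "www": 80}


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "ip" (ip matches any protocol)
    src: str               # "any" or a network in CIDR form
    dst: str
    dport: Optional[int]   # None means any destination port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


def _parse_addr(tok: List[str], pos: int) -> Tuple[str, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D MASK' starting at tok[pos]."""
    if tok[pos] == "any":
        return "any", pos + 1
    if tok[pos] == "host":
        return tok[pos + 1] + "/32", pos + 2
    net = ipaddress.ip_network(f"{tok[pos]}/{tok[pos + 1]}", strict=False)
    return str(net), pos + 2


def parse_acl(text: str) -> List[Rule]:
    """Turn 'access-list NAME extended ACTION PROTO SRC DST [eq PORT]' lines into Rules."""
    rules = []
    for raw in text.strip().splitlines():
        tok = raw.split()
        if not tok or tok[0] != "access-list" or tok[2] == "remark":
            continue
        if tok[2] != "extended":
            raise ValueError(f"unsupported ACL line: {raw}")
        action, proto = tok[3], tok[4]
        src, pos = _parse_addr(tok, 5)
        dst, pos = _parse_addr(tok, pos)
        dport = None
        if pos < len(tok) and tok[pos] == "eq":
            port = tok[pos + 1]
            dport = PORT_NAMES.get(port) or int(port)
        rules.append(Rule(action, proto, src, dst, dport))
    return rules


def _addr_match(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return _addr_match(rule.src, pkt.src) and _addr_match(rule.dst, pkt.dst)


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching line); (deny, None) is the implicit deny."""
    for i, rule in enumerate(rules):
        if rule_matches(rule, pkt):
            return rule.action, i
    return "deny", None


if __name__ == "__main__":
    rules = parse_acl(OUT_ACL)
    samples = [  # constructed sample packets arriving on the outside interface
        Packet("udp", "208.67.222.222", "10.0.0.5", 53),  # permitted by line 0
        Packet("udp", "8.8.8.8", "10.0.0.5", 53),         # caught by the deny on line 5
        Packet("tcp", "8.8.8.8", "10.0.0.5", 443),        # permit ip any any, line 6
    ]
    for p in samples:
        print(p, "->", evaluate(rules, p))
    # Without the last line, non-DNS traffic hits the implicit deny instead.
    print("no permit-any:", evaluate(rules[:-1], samples[2]))
```

Running the script shows the point of John's final line: drop `permit ip any any` and the third packet goes from `('permit', 6)` to `('deny', None)`, which is the implicit deny that silently discards everything not explicitly permitted once an ACL is applied to the interface.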
