9288 Views | 33 Helpful | 18 Replies

deny all traffic to 53 from outside

ilukeberry (Level 1)

Hi

I've set up the Cisco router's DNS server via "ip dns server", which I need for inside use. However, if I now do a port scan from outside, it shows port 53 open. How do I block all traffic to port 53 from outside, since I need this DNS only inside my NAT/overload network?

I'm using 1900 series.

18 Replies

But if you plan to give internet users access to an internal FTP server in the future, then you also need FTP inspection in the inbound direction. But for that you could use the same rule as for your outbound traffic.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Wouldn't adding port 21 to ACL INBOUND and a NAT port forward be enough?

ip nat inside source static tcp 192.168.20.2 21 <outside-global-ip> 21 extendable

permit tcp any host <outside-global-ip> eq 21

No, it would only be enough for the FTP control channel. But if the client wants to do passive FTP, the server tells the client on which dynamic port the data is available. And because this session is initiated from the outside to the inside, the FTP inspection also has to be done in the same direction.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
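
The passive-FTP point in the reply above, as an added example (my code, not part of the thread or any Cisco feature): it decodes the 227 reply the server sends on the control channel, then models ACL INBOUND as a set of permitted (ip, port) pairs to show that a static rule for port 21 alone drops the data connection, while inbound inspection derives the dynamic port from the control channel and opens it only toward the server that advertised it. The server address 192.168.20.2 is taken from the thread; the PASV reply and the ACL model are constructed.

```python
import re
from typing import Optional, Set, Tuple

# Constructed sample of the server's 227 reply on the FTP control channel (port 21).
# The data port is encoded as p1*256 + p2: 195*256 + 80 = 50000.
PASV_REPLY = "227 Entering Passive Mode (192,168,20,2,195,80)."

Flow = Tuple[str, int]  # (destination IP, destination TCP port)

PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply: str) -> Optional[Flow]:
    """Decode a 227 reply into (ip, port); return None for any other reply
    or for a reply whose fields are not valid octets."""
    m = PASV_RE.match(reply)
    if not m:
        return None
    a, b, c, d, p1, p2 = (int(x) for x in m.groups())
    if max(a, b, c, d, p1, p2) > 255:
        return None
    return f"{a}.{b}.{c}.{d}", p1 * 256 + p2


# Model of the static ACL INBOUND from the thread: it permits only the
# control channel to the internal FTP server (address taken from the thread).
STATIC_ACL_INBOUND: Set[Flow] = {("192.168.20.2", 21)}


def acl_permits(acl: Set[Flow], dst_ip: str, dst_port: int) -> bool:
    """True if the ACL model permits an inbound connection to dst_ip:dst_port."""
    return (dst_ip, dst_port) in acl


def inspected_acl(acl: Set[Flow], server_ip: str, reply: str) -> Set[Flow]:
    """Simulate inbound FTP inspection: after seeing the server's 227 reply on the
    control channel, add a temporary entry for the advertised data port.
    The hole is opened only toward the server that sent the reply; an advertised
    address that differs from the control-channel peer is ignored."""
    parsed = parse_pasv(reply)
    if parsed is None or parsed[0] != server_ip:
        return set(acl)
    return set(acl) | {parsed}


if __name__ == "__main__":
    data = parse_pasv(PASV_REPLY)
    print("server advertised data channel:", data)
    print("static ACL permits data channel:", acl_permits(STATIC_ACL_INBOUND, *data))
    dynamic = inspected_acl(STATIC_ACL_INBOUND, "192.168.20.2", PASV_REPLY)
    print("with inbound inspection:", acl_permits(dynamic, *data))
```

The check in inspected_acl that the advertised address matches the control-channel peer is the part a practitioner wants from any inspection engine: the server's reply is untrusted input, and the pinhole it causes must not be steerable to a third host.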

Okay, I get it. Thanks for helping out!
