03-28-2001 09:39 AM - edited 02-20-2020 09:15 PM
I have a Cisco Router 2610 with IOS ver 12.0,
and under the Serial interface (access-list) there is a statement (Permit udp any x.x.x.x lt 6901).
If I remove it, no one can access the Internet.
As you know, the DNS request needs a UDP session and port 53 only, so why do I need (lt 6901)?
I mean (permit udp any x.x.x.x eq 53).
Any comment?
03-29-2001 04:09 PM
An Access list carries an implicit deny all at the end of the list. That is, unless you have an explicit "permit" statement, the traffic will be denied by default.
05-05-2001 07:22 PM
Hi,
the statement permits any packet with a port number less than 6901.
DNS falls under this, but other ports will be used too. Say you have a web server: the source port of packets going out of the web server will be 80, and so on...
bye
shanky
05-08-2001 02:37 AM
When a DNS query is made it is always done so on port 53, but the reply to the same is received on any available higher-numbered port (> 1024).
6901 is an arbitrary port that has been selected by whoever set the access-list, since the reply might also come on any port greater than that (unless it is a DNS-to-DNS request).
This might result in a few connections being lost, so a safer statement to use would be
Permit udp any x.x.x.x gt 1024
This will allow all DNS replies coming in to reach the proxy.
Rajat
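To make the three access-list variants discussed in this thread concrete, here is an added example (written for this post, not Cisco code) that evaluates constructed inbound UDP packets against each one: the original `lt 6901` line, the `eq 53` line the question proposes, and the `gt 1024` line suggested above. It models only the rule shape used in the thread (protocol udp, source, destination, optional port operator on the destination port) plus the implicit deny, and uses 192.0.2.10 as a placeholder for x.x.x.x and 198.51.100.53 as a constructed outside DNS server. It also shows the trade-off a defender should weigh: `gt 1024` admits any inbound UDP to any port above 1024, not only DNS replies.

```python
# Added example: minimal evaluator for the IOS extended-ACL lines in this thread.
# Supported rule shape: permit|deny udp <src> <dst> [eq|lt|gt <port>]
# (the port operator after the destination applies to the UDP destination port),
# followed by the implicit "deny all" at the end of every IOS access list.
import re
from dataclasses import dataclass

RULE_RE = re.compile(
    r"^(permit|deny)\s+udp\s+(\S+)\s+(\S+)(?:\s+(eq|lt|gt)\s+(\d+))?$", re.I)


@dataclass
class Packet:
    src: str     # source IP address
    dst: str     # destination IP address
    sport: int   # UDP source port
    dport: int   # UDP destination port


def _addr_match(spec: str, addr: str) -> bool:
    return spec == "any" or spec == addr


def _port_match(op, port, dport) -> bool:
    if op is None:          # no operator: any destination port matches
        return True
    port = int(port)
    return {"eq": dport == port, "lt": dport < port, "gt": dport > port}[op.lower()]


def evaluate(acl_lines, pkt: Packet) -> str:
    """Return 'permit' or 'deny': first matching line wins, else implicit deny."""
    for line in acl_lines:
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported rule: {line!r}")
        action, src, dst, op, port = m.groups()
        if (_addr_match(src, pkt.src) and _addr_match(dst, pkt.dst)
                and _port_match(op, port, pkt.dport)):
            return action.lower()
    return "deny"   # implicit deny all at the end of the list


# Constructed sample traffic: DNS replies from the outside server (source port 53)
# back to whatever ephemeral port the proxy used, plus one unrelated inbound UDP packet.
REPLY_LOW = Packet("198.51.100.53", "192.0.2.10", 53, 1034)    # reply to ephemeral 1034
REPLY_HIGH = Packet("198.51.100.53", "192.0.2.10", 53, 40000)  # reply to ephemeral 40000
OTHER_UDP = Packet("203.0.113.9", "192.0.2.10", 123, 2000)     # not a DNS reply

ACL_THREAD = ["permit udp any 192.0.2.10 lt 6901"]   # the line in the original router
ACL_EQ53 = ["permit udp any 192.0.2.10 eq 53"]       # what the question proposes
ACL_GT1024 = ["permit udp any 192.0.2.10 gt 1024"]   # the suggestion in this reply
```

Running the three lists against the same packets shows `eq 53` denying every reply (the reply's destination port is the ephemeral port, not 53), `lt 6901` dropping the reply that landed above 6901, and `gt 1024` admitting both replies along with the unrelated high-port packet.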