
Access List in my Router

touficabro
Level 1

I have a Cisco Router 2610 with IOS version 12.0,

and under the Serial interface access-list there is a statement (permit udp any x.x.x.x lt 6901).

If I remove it, no one can access the Internet.

As you know, a DNS request needs a UDP session on port 53 only, so why do I need (lt 6901)?

I mean (permit udp any x.x.x.x eq 53).

Any comment?

3 Replies

csteinmetz
Level 1

An access list carries an implicit "deny all" at the end of the list. That is, unless you have an explicit "permit" statement, the traffic will be denied by default.

thisisshanky
Level 11

Hi,

The statement permits any packet with a port number less than 6901.

DNS falls under this, but other ports will be used too; say you have a web server, the source port of packets going out of the web server will be 80, and so on...

Bye,

shanky

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus

infy
Level 1

When a DNS query is made it is always done on port 53, but the reply to it is received on any available higher-numbered port (> 1024).

6901 is an arbitrary port that has been selected by whoever set up the access-list, since the reply might also come on any port greater than that (unless it is a DNS-to-DNS request).

This might result in a few connections being lost, so a safer statement to use would be

permit udp any x.x.x.x gt 1024

This will allow all DNS replies coming in to reach the proxy.

Rajat
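To make the matching rules discussed in this thread concrete, here is a small Python model of how IOS evaluates an extended access list: top to bottom, first match wins, implicit deny at the end, and a port operator applies to whichever address (source or destination) it follows. This is an added example, not code posted by anyone in the thread or shipped by Cisco. The host 192.0.2.10 stands in for the thread's x.x.x.x, the packets and addresses are constructed, and the fourth ACL variant (matching source port 53 as well as a high destination port) is my own addition for comparison, not something suggested in the replies. The model runs the original `lt 6901` line, the proposed `eq 53` line, the suggested `gt 1024` line and that fourth variant against a DNS reply aimed at a low ephemeral port, one aimed at a high ephemeral port, and an unsolicited UDP packet that is not a DNS reply.

```python
"""Toy evaluator for Cisco IOS extended access-list lines.

Added example for this thread, not any poster's code. It models only what the
discussion turns on: protocol, 'any' / 'host A.B.C.D' addresses, optional port
operators (eq / neq / lt / gt) on source and/or destination, first-match
evaluation from the top, and the implicit 'deny any' that ends every IOS list.
All addresses and ports are constructed; 192.0.2.10 stands in for x.x.x.x.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Callable, List, Tuple

_PORT_OPS = {
    "eq": lambda port, n: port == n,
    "neq": lambda port, n: port != n,
    "lt": lambda port, n: port < n,
    "gt": lambda port, n: port > n,
}


@dataclass(frozen=True)
class Packet:
    proto: str   # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: Callable[[str], bool]
    sport: Callable[[int], bool]
    dst: Callable[[str], bool]
    dport: Callable[[int], bool]
    text: str


def _take_addr(tokens: List[str]) -> Callable[[str], bool]:
    """Consume 'any' or 'host A.B.C.D' and return an address matcher."""
    if tokens[0] == "any":
        del tokens[0]
        return lambda ip: True
    if tokens[0] == "host":
        wanted = ip_address(tokens[1])
        del tokens[:2]
        return lambda ip: ip_address(ip) == wanted
    raise ValueError(f"unsupported address form: {' '.join(tokens[:2])}")


def _take_port(tokens: List[str]) -> Callable[[int], bool]:
    """Consume an optional 'eq|neq|lt|gt N'; no operator means 'any port'."""
    if tokens and tokens[0] in _PORT_OPS:
        op, n = tokens[0], int(tokens[1])
        del tokens[:2]
        return lambda port: _PORT_OPS[op](port, n)
    return lambda port: True


def parse_acl(text: str) -> List[Ace]:
    """Parse lines like 'permit udp any host 192.0.2.10 lt 6901'.

    The numbered form 'access-list 101 permit ...' is accepted too, and '!'
    starts a comment as in an IOS configuration file.
    """
    aces = []
    for raw in text.splitlines():
        line = raw.split("!", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        if tokens[0] == "access-list":
            tokens = tokens[2:]
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action in: {line}")
        src = _take_addr(rest)
        sport = _take_port(rest)   # an operator right after the source applies to the source port
        dst = _take_addr(rest)
        dport = _take_port(rest)   # an operator right after the destination applies to the destination port
        aces.append(Ace(action, proto, src, sport, dst, dport, line))
    return aces


def evaluate(aces: List[Ace], pkt: Packet) -> Tuple[str, str]:
    """First matching entry wins; no match falls through to the implicit deny."""
    for ace in aces:
        if ace.proto not in ("ip", pkt.proto):
            continue
        if ace.src(pkt.src) and ace.sport(pkt.sport) and ace.dst(pkt.dst) and ace.dport(pkt.dport):
            return ace.action, ace.text
    return "deny", "(implicit deny at end of list)"


# Constructed inbound packets toward the internal host 192.0.2.10: a DNS reply
# to a low ephemeral port, a DNS reply to a high ephemeral port, and an
# unsolicited UDP packet that is not a DNS reply at all.
DNS_REPLY_LOW = Packet("udp", "198.51.100.53", 53, "192.0.2.10", 3000)
DNS_REPLY_HIGH = Packet("udp", "198.51.100.53", 53, "192.0.2.10", 40000)
UNSOLICITED = Packet("udp", "203.0.113.7", 40000, "192.0.2.10", 40000)
PACKETS = (DNS_REPLY_LOW, DNS_REPLY_HIGH, UNSOLICITED)

ACLS = {
    "lt 6901": "permit udp any host 192.0.2.10 lt 6901",           # line found in the router
    "eq 53": "permit udp any host 192.0.2.10 eq 53",               # replacement the poster proposed
    "gt 1024": "permit udp any host 192.0.2.10 gt 1024",           # replacement suggested in the last reply
    "src 53 + gt 1023": "permit udp any eq 53 host 192.0.2.10 gt 1023",  # added variant: also match source port 53
}


def decisions() -> dict:
    """Action taken for each constructed packet under each candidate ACL."""
    return {name: tuple(evaluate(parse_acl(text), pkt)[0] for pkt in PACKETS)
            for name, text in ACLS.items()}


if __name__ == "__main__":
    for name, (low, high, junk) in decisions().items():
        print(f"{name:18} low-port reply={low:6} high-port reply={high:6} unsolicited={junk}")
```

Running it shows why the proposed `eq 53` line breaks Internet access: an inbound DNS reply is addressed to the client's ephemeral port, not to port 53, so neither reply matches and both fall through to the implicit deny. The `lt 6901` line passes the reply to port 3000 but drops the one to port 40000, which is the intermittent loss the last reply warns about. `gt 1024` passes both replies but also admits the unsolicited packet. The added source-port variant rejects that packet while still passing both replies, but as a stateless filter it cannot tell a genuine reply from a packet whose source port was simply set to 53.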