Access-list syntax order

simonbmadsen
Level 1

Hello

I have a little question regarding the order in the syntax for an Access-list. I have made my access-list work now, but I don't understand why.

It looked like this when it wasn't working:

(outside interface inbound traffic)

access-list 100 permit tcp any any established log

access-list 100 permit udp any any eq domain log

access-list 100 permit tcp any any eq domain log

access-list 100 deny ip any any log

To make it work I had to add these two lines:

access-list 100 permit udp any eq domain any log

access-list 100 permit tcp any eq domain any log

I don't understand the difference between

access-list 100 permit udp any eq domain any

and

access-list 100 permit udp any any eq domain

If you are wondering what the main goal with the list is, it is to allow traffic from inside out, and deny all other traffic, except connections established from the inside and domain UDP traffic which is needed because UDP has no session.


4 Replies

Jouni Forss
VIP Alumni

Hi,

You say that this ACL named "100" was attached to the WAN interface in the direction "in"?

Then it makes sense that with the original version it didn't work.

When your LAN host is doing a DNS query to a public DNS server then the destination port is UDP/53

Now when the DNS server replies to the host then naturally the DNS reply is seen coming from the DNS server IP address AND from the source port UDP/53

Just like the added ACLs say

access-list 100 permit udp any eq domain any log

access-list 100 permit tcp any eq domain any log

Allow UDP/TCP/53 traffic from any source address to any destination.

Hope this helps

Remember to mark the question as answered if it did.

- Jouni

Thank you for your comment

It answered my question partly. But as I understand it, the syntax is as follows:

keyword        number    action       protocol      source   src port     destination   dst port
access-list    100       permit       udp           any      eq 53        any                          (the working one)
access-list    100       permit       udp           any                   any           eq 53          (the not working one)

I don't understand why one of them won't work unless the destination port of the DNS server packet is something different than 53?

If you don't define a source port it accepts any port, right?

Hi,

Again, my understanding is that this ACL 100 is attached to the WAN interface of a router in the direction "in". This means it's controlling traffic entering your LAN network.

Now when we look at how DNS works with regards to this ACL

  • DNS lookup is done to destination port UDP/53 usually
  • PC uses random source port for the DNS lookup
  • DNS server replies to the lookup with source port UDP/53
  • DNS server replies to the PC on the port that the PC sourced the DNS lookup

So naturally you will only see DNS replies sourced from the source host and source port UDP/53

If the ACL with the destination port UDP/53 was getting any hits, it would mean that you would be hosting a DNS server and DNS lookups were destined to your network.

Also to your other question. If you don't define any port while using TCP/UDP in the ACL then it accepts any source/destination port

Hope this helps

Remember to mark the question as answered if it did.

- Jouni
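As an added example (not part of the thread, nor Cisco's code), here is a small Python evaluator for the numbered ACL lines quoted above, using first-match semantics, that checks a constructed DNS reply (source UDP/53, destination the PC's ephemeral port) against Simon's original list and the fixed one. The `parse_ace`, `evaluate` and `dns_reply_decision` names, the `any`-only address handling and the ephemeral port 49152 are this example's assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

NAMED_PORTS = {"domain": 53}  # IOS keyword for port 53, as used in the thread

@dataclass
class Ace:
    action: str
    proto: str
    src_port: Optional[int]  # None means any source port
    dst_port: Optional[int]  # None means any destination port
    established: bool

def parse_ace(line: str) -> Ace:
    """Parse 'access-list N permit|deny proto any [eq P] any [eq P] [established] [log]'
    (only 'any' addresses and the 'eq' operator, this example's assumption)."""
    t = line.split()
    action, proto, rest, ports = t[2], t[3], t[4:], []
    for _ in range(2):  # source address first, then destination
        if rest[0] != "any":
            raise ValueError("only 'any' addresses supported: " + line)
        rest = rest[1:]
        port = None
        if rest[:1] == ["eq"]:  # an 'eq' qualifies the address just read
            port, rest = NAMED_PORTS.get(rest[1]) or int(rest[1]), rest[2:]
        ports.append(port)
    return Ace(action, proto, ports[0], ports[1], "established" in rest)

def evaluate(acl: List[Ace], proto: str, sport: int, dport: int, ack: bool = False) -> str:
    """First matching entry wins; anything unmatched hits the implicit deny."""
    for ace in acl:
        if (ace.proto in (proto, "ip")
                and ace.src_port in (None, sport)
                and ace.dst_port in (None, dport)
                and (ack or not ace.established)):  # 'established' needs ACK/RST
            return ace.action
    return "deny"

ORIGINAL = [parse_ace(l) for l in [
    "access-list 100 permit tcp any any established log",
    "access-list 100 permit udp any any eq domain log",
    "access-list 100 permit tcp any any eq domain log",
    "access-list 100 deny ip any any log"]]
# The two added entries are placed before the explicit deny: first match wins.
FIXED = ORIGINAL[:3] + [parse_ace("access-list 100 permit udp any eq domain any log"),
                        parse_ace("access-list 100 permit tcp any eq domain any log")] + ORIGINAL[3:]

def dns_reply_decision(acl: List[Ace]) -> str:
    # Constructed DNS reply entering the WAN interface: resolver sends from UDP/53
    # back to the ephemeral port the PC chose (49152 here, an assumed value).
    return evaluate(acl, "udp", sport=53, dport=49152)
```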

You are correct, it is on the WAN interface IN direction.

"DNS server replies to the PC on the port that the PC sourced the DNS lookup"   <--- this is the reason (and what I was looking for). If it replies to the random port the PC used, it would never permit it with destination eq 53 on the in direction.

I was so focused on the ACL that I forgot about the DNS.

Thank you for your help.

/ Simon