Cisco 1750 + firewall and DNS problem

luis_capriles
Level 1

Hi everybody!!

Excuse my lack of knowledge on the subject!!!

I am configuring a firewall by filtering protocols for a 1750 router using ConfigMaker 2.4. After that, outside users can access inside resources according to policies; BUT inside users cannot!! The inside users need only www access, but take into account that my DNS is provided by my ISP. If I disable the firewall inside users are ok. With the firewall setup, if I point the browser to the site's IP I get the page.

Questions:

1) Which port is the inside browser using to access my ISP's outside DNS to resolve the names? (udp/tcp domain:53?, udp nameserver:42? tcp whois:43?).

2) When applying the extended access list to the interfaces, I am getting only "ip access-group nnn in" (no "ip access-group nnn out"). So there is only filtering for incoming connections to the interfaces. Is this OK?? Do my inside users not need to get their outgoing connections explicitly enabled?? OR is it not necessary to configure any "ip access-group out" because ConfigMaker is in fact configuring "in" on every interface??

ConfigMaker makes setting up the firewall so easy that I cannot get where to look for the problem...

Thank You!!!!

5 Replies

mike
Level 1

Luis,

I wouldn't use config maker. It's not good for these types of configs. Actually, it's not really good for anything.

Basically, if you've got the config set up properly, your inside hosts should be able to send DNS queries (destination port is UDP/53) and the responses to those queries will be allowed back in. You do not need to specify what type of traffic can go out. You are basically concerned with "inspecting" the outgoing traffic as it passes through the outside interface. Once the traffic is inspected and it leaves the router, it dynamically adds an entry to the extended access-list that you applied to the outside interface to control inbound traffic.

Your ip inspect statement could have the following:

Router# configure terminal
Router(config)# ip inspect name myfw udp
Router(config)# ip inspect name myfw tcp

These two protocols are often all you will need to tell the router to inspect. The udp statement will cover the UDP/53 DNS queries so they work correctly, allowing you to browse the internet with names.

The only access-list statements you need would look like this:

Router(config)# access-list 101 deny tcp any any
Router(config)# access-list 101 deny udp any any

Tie it together with this on the outside interface:

Router(config)# interface Serial0
Router(config-if)# ip access-group 101 in
Router(config-if)# ip inspect myfw out

This is the most basic IOS fw config.

Good luck. For more info and alternate places to inspect and apply the access-list, see:

http://www.cisco.com/warp/public/110/32.html

mike kantowski

ccnp

Hi Mike,

I have worked out my access list without ConfigMaker and still have the same problem!! Without the firewall, my inside users can access WWW, but with the firewall they cannot resolve the URL names, but can get the web page if an IP address is specified as the URL...

Here is my ACL:

interface FastEthernet0
 ip access-group 100 in
!
interface Serial2
 ip access-group 102 in
!
no access-list 100
access-list 100 permit udp any eq rip any eq rip
access-list 100 permit tcp any any established
access-list 100 permit tcp any any eq 3389
access-list 100 permit tcp any any eq 80
access-list 100 permit tcp any any eq 53
access-list 100 permit udp any any eq 53
!
no access-list 102
access-list 102 permit tcp any any established
access-list 102 permit tcp any myNet 0.0.0.31 eq 80
access-list 102 permit tcp any myNet 0.0.0.31 eq 3389
access-list 102 permit udp any myNet 0.0.0.31 eq 53
access-list 102 permit tcp any myNet 0.0.0.31 eq 53
!

That's because I only want web and Windows Terminal Server emulation in, and I only want to let web out.

Also, my network is only 2 servers and 2 users, so I am NOT using NAT; so it is very simple...

Thank You!!!!!

It appears that your access-list 102 is missing a permit statement to allow udp return traffic. It would be something like:

access-list 102 permit udp any eq 53 myNet 0.0.0.31 gt 1023

This would be better secured by changing the "any" keyword to the IP address of the DNS server you are using.
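Added example (not code from any poster in this thread): a small Python model of how an IOS extended access list is evaluated, first match wins with an implicit deny at the end, run over access-list 102 exactly as posted above. It shows that the "established" entry never matches UDP, so the DNS answer coming back from the ISP resolver to an inside host's ephemeral port is dropped, and that it passes once the suggested "gt 1023" entry is added. The inside block 192.0.2.32/27 and the host and resolver addresses are constructed stand-ins for the poster's "myNet" placeholder.

```python
import ipaddress
MYNET = "192.0.2.32"  # constructed stand-in for the poster's "myNet" placeholder (a /27)

def _addr(tok, i):  # 'any' or '<addr> <wildcard>' at tok[i]; returns (matcher, next index)
    if tok[i] == "any":
        return (lambda ip: True), i + 1
    base = int(ipaddress.ip_address(tok[i].replace("myNet", MYNET)))
    wild = int(ipaddress.ip_address(tok[i + 1]))  # wildcard bits that are set are "don't care"
    return (lambda ip: (int(ipaddress.ip_address(ip)) | wild) == (base | wild)), i + 2

def _port(tok, i):  # optional 'eq N' / 'gt N' operator; returns (matcher, next index)
    if i < len(tok) and tok[i] in ("eq", "gt"):
        op, n = tok[i], int(tok[i + 1])
        return (lambda p: p == n if op == "eq" else p > n), i + 2
    return (lambda p: True), i

def parse_ace(line):  # 'access-list N permit|deny proto src [op port] dst [op port] [established]'
    tok = line.split()
    action, proto = tok[2], tok[3]
    src, i = _addr(tok, 4)
    sport, i = _port(tok, i)
    dst, i = _addr(tok, i)
    dport, i = _port(tok, i)
    return action, proto, src, sport, dst, dport, "established" in tok[i:]

def evaluate(acl, pkt):  # first matching entry decides; every ACL ends with an implicit deny
    for line in acl:
        action, proto, src, sport, dst, dport, est = parse_ace(line)
        if proto != pkt["proto"]:
            continue
        if not (src(pkt["src"]) and sport(pkt["sport"]) and dst(pkt["dst"]) and dport(pkt["dport"])):
            continue
        if est and not pkt.get("ack", False):  # 'established' only matches TCP segments with ACK/RST set
            continue
        return action
    return "deny"

ACL102 = [  # the poster's inbound list on Serial2, as posted
    "access-list 102 permit tcp any any established",
    "access-list 102 permit tcp any myNet 0.0.0.31 eq 80",
    "access-list 102 permit tcp any myNet 0.0.0.31 eq 3389",
    "access-list 102 permit udp any myNet 0.0.0.31 eq 53",
    "access-list 102 permit tcp any myNet 0.0.0.31 eq 53",
]
FIX = "access-list 102 permit udp any eq 53 myNet 0.0.0.31 gt 1023"  # the reply's suggested entry
# Constructed DNS answer: ISP resolver (port 53) back to an inside host's ephemeral port.
DNS_REPLY = {"proto": "udp", "src": "198.51.100.53", "sport": 53, "dst": "192.0.2.40", "dport": 40000}

def check_fix():  # verdict for the DNS reply before and after adding FIX -> ('deny', 'permit')
    return evaluate(ACL102, DNS_REPLY), evaluate(ACL102 + [FIX], DNS_REPLY)
```

Replacing "any" in FIX with the resolver's address narrows the hole to replies from that one server, as the reply above recommends.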

Hi,

I tried your suggestion and it worked!!

Thank You!

reswaran
Cisco Employee

Hi,

This is for your information. It seems like you are using an older version of ConfigMaker. The latest version of ConfigMaker is ConfigMaker 2.5.1. You can download it from

www.cisco.com/go/configmaker

Regards,

Ravikumar Eswaran.