2921 router, acting as an NTP client and a DNS client. Setting up NTP told me my ACL needs to allow NTP back from the NTP server into the interface, so I did the same thing with DNS. 10.160.12.135 is the IP of the local interface.
I want the router 10.160.12.135 to be able to do nslookups on a DNS server 10.160.12.6.
description mgmt interface
encapsulation dot1Q 207
ip address 10.160.12.135 255.255.255.192
ip access-group MGMT in
Extended IP access list MGMT
10 permit tcp 10.0.0.0 0.255.255.255 host 10.160.12.135 eq 22 log (618 matches)
20 permit udp 10.0.0.0 0.255.255.255 host 10.160.12.135 eq snmp log (228 matches)
30 permit udp 10.0.0.0 0.255.255.255 host 10.160.12.135 eq ntp (4623 matches)
35 permit icmp 10.0.0.0 0.255.255.255 host 10.160.12.135 (33 matches)
50 permit udp 10.0.0.0 0.255.255.255 host 10.160.12.135 eq domain (5 matches)
99 deny ip any any log (2858 matches)
If the access list is removed from the interface, DNS lookups work against my DNS server 10.160.12.6. If the access list is applied IN on the interface, DNS lookups stop working. I can see the DNS traffic from my router passing through my firewall to the DNS server 10.160.12.6. This gets logged in the router:
Sep 21 10:21:22 Sierra: %SEC-6-IPACCESSLOGP: list MGMT denied udp 10.160.12.6(53) -> 10.160.12.135(58453), 1 packet
And the number of matches on the line 99 deny goes up.
Why is "inbound" DNS traffic not getting allowed by line 50 in my ACL?
The clue is actually in the SYSLOG message. Source port is udp/53 (domain), destination port is 58453. Your ACL line number 50 is permitting destination port udp/50, not source port, so this does not match and is dropped on line 99. You would need to amend rule line 50 with the source as udp/50 (domain) and not specify the destination port.
Seems odd to open up all UDP ports inbound just to make outbound DNS queries, but I'll buy it. I guess I can remove my SNMP- and NTP-specific ACL entries.
So the syntax is:
50 permit udp 10.0.0.0 0.255.255.255 10.160.12.135
Looking at the DNS section of Cisco's "Configure Commonly Used IP ACLs", what is the difference between these two syntaxes:
access-list 102 permit udp any any eq domain
access-list 102 permit udp any eq domain any
And would they work for my scenario? Why or why not?
Yes. The second line is essentially what I suggested: permit UDP from any source and source port 53 (domain) to any destination.
This is permitting the return traffic from the DNS server (with the DNS response), which is what the error message in your original post was indicating.
The second line still has "domain" in it. I thought your suggestion was to remove domain, i.e.:
permit udp 10.0.0.0 0.255.255.255 10.160.12.135
Can you help me translate these to English in my head?
permit udp any any eq domain
I think this means "permit udp 53 from any source to any destination".
permit udp any eq domain any
means "permit any udp from any source, and permit 53 to any destination"?
My suggestion was to specify udp/50 as the source port, not the destination port. Your destination port will be dynamic, so you'd have to leave it as any.
It means permit udp from any source network on port 50 to any destination.
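The thread's diagnosis, as an added example that is not from the original posts: a small Python model of Cisco extended-ACL matching, run against the exact packet in the syslog line above. It assumes entries are checked top-down with the first match winning, that `ip access-group MGMT in` only sees packets arriving on the interface (so the router's own outbound query is never checked by it), and the corrected line is narrowed to the DNS server host, which is my choice rather than something the thread states.

```python
import ipaddress
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional

@dataclass
class Ace:
    """One extended-ACL entry. A None port means 'any' (no 'eq' keyword)."""
    seq: int
    action: str                      # "permit" or "deny"
    proto: str                       # "udp", "tcp", "icmp" or "ip" (ip matches everything)
    src: str                         # CIDR; Cisco "10.0.0.0 0.255.255.255" is 10.0.0.0/8
    dst: str
    src_port: Optional[int] = None   # "eq" placed after the SOURCE address
    dst_port: Optional[int] = None   # "eq" placed after the DESTINATION address

# A packet as the router sees it arriving on the interface (constructed input).
Packet = namedtuple("Packet", "proto src_ip src_port dst_ip dst_port")

def matches(ace, pkt):
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src_ip) not in ipaddress.ip_network(ace.src):
        return False
    if ipaddress.ip_address(pkt.dst_ip) not in ipaddress.ip_network(ace.dst):
        return False
    if ace.src_port is not None and ace.src_port != pkt.src_port:
        return False
    if ace.dst_port is not None and ace.dst_port != pkt.dst_port:
        return False
    return True

def evaluate(acl, pkt):
    """Top-down, first match wins; no match means the implicit deny."""
    for ace in acl:
        if matches(ace, pkt):
            return ace.seq, ace.action
    return None, "deny"

ANY = "0.0.0.0/0"
DENY_ALL = Ace(99, "deny", "ip", ANY, ANY)
# Line 50 as posted: "eq domain" follows the destination, so it tests the destination port.
ORIGINAL = [Ace(50, "permit", "udp", "10.0.0.0/8", "10.160.12.135/32", dst_port=53), DENY_ALL]
# Corrected line: "eq domain" follows the source. Narrowed to the one DNS server (assumption).
FIXED = [Ace(50, "permit", "udp", "10.160.12.6/32", "10.160.12.135/32", src_port=53), DENY_ALL]
# The dropped reply from the syslog line: udp 10.160.12.6(53) -> 10.160.12.135(58453)
DNS_REPLY = Packet("udp", "10.160.12.6", 53, "10.160.12.135", 58453)

print(evaluate(ORIGINAL, DNS_REPLY))   # (99, 'deny')
print(evaluate(FIXED, DNS_REPLY))      # (50, 'permit')
```

Narrowing the source to the DNS server host limits the "any UDP port inbound" concern raised above to replies from that one server, and a packet from it that is not sourced from port 53 still falls through to the deny.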