11-27-2018 10:12 AM - edited 02-20-2020 09:45 PM
Hello All,
Device: ISR4321
IOS-XE: 3.16.5.S
I have an access-list for our Guest Wi-Fi on the ISR that I now need to give access to our internal DNS Servers, because the ISE Server's hostname needs to be resolved for the Captive Guest Portal redirect. We were originally just using Google DNS servers...
Besides changing the DHCP Pool's DNS Server addresses to our internal ones, what lines are actually needed in the ACL to permit the Guest Wi-Fi clients to hit our internal DNS servers? I currently have the following; is this enough?
access-list 150 permit udp any any eq domain
access-list 150 permit tcp any any eq domain
access-list 150 permit tcp any host <primary-ise-ip> eq 8443
access-list 150 permit tcp any host <secondary-ise-ip> eq 8443
I had found this page on cisco.com. The page shows the access-list below to allow DNS traffic, which has 2 extra lines compared to what I have above. I assume the other 2 lines are for the returning traffic?
access-list 112 permit udp any any eq domain
access-list 112 permit tcp any any eq domain
access-list 112 permit udp any eq domain any
access-list 112 permit tcp any eq domain any
Do I need those other 2 lines?
Also, is there any benefit in specifying the DNS server's IP Addresses (*we have 2 dns servers) instead of using "any" for the source/destination?
Thanks in Advance,
Matt
11-27-2018 10:46 AM
11-27-2018 11:13 AM
Hey, thanks for the reply, much appreciated.
I guess I should have mentioned this in the OP... So the ACL in question is applied with a Policy/Class-Map. Basically, this is a remote branch office, which has a WAN connection on the Serial Port back to the HQ office where the DNS Servers are located. So technically there's a second ACL for return traffic. Sorry I didn't mention that.
Here's the configuration, using the DNS Host IPs instead of "any". Can you let me know if this looks correct to you?
class-map type inspect match-any PUBWIFI_WAN
 match access-group 150
class-map type inspect match-any WAN_PUBWIFI
 match access-group 160
!
!......
!
policy-map type inspect WAN_PUBWIFI-Policy
 class type inspect WAN_PUBWIFI
  pass
 class class-default
  drop log
policy-map type inspect PUBWIFI_WAN-Policy
 class type inspect PUBWIFI_WAN
  pass
 class class-default
  drop log
!
!......
!
zone security PUBWIFI
zone security WAN
zone-pair security PUBWIFI-WAN source PUBWIFI destination WAN
 service-policy type inspect PUBWIFI_WAN-Policy
zone-pair security WAN-PUBWIFI source WAN destination PUBWIFI
 service-policy type inspect WAN_PUBWIFI-Policy
!
!......
!
access-list 150 permit udp any host <dns-server-1> eq domain
access-list 150 permit tcp any host <dns-server-1> eq domain
access-list 150 permit udp any host <dns-server-2> eq domain
access-list 150 permit tcp any host <dns-server-2> eq domain
access-list 150 permit tcp any host <primary-ise-ip> eq 8443
access-list 150 permit tcp any host <secondary-ise-ip> eq 8443
access-list 160 permit udp host <dns-server-1> eq domain any
access-list 160 permit tcp host <dns-server-1> eq domain any
access-list 160 permit udp host <dns-server-2> eq domain any
access-list 160 permit tcp host <dns-server-2> eq domain any
access-list 160 permit ip host <primary-ise-ip> any
access-list 160 permit ip host <secondary-ise-ip> any
Does that all look correct?
Also, if you don't think the tcp ones for DNS are necessary, I'll remove them. I was just going off that DNS example from the link in my original post.
Thanks Again,
Matt
11-27-2018 11:39 AM
Ah ok, you are using ZBFW. That is a stateful firewall, so if you permit traffic outbound it should dynamically allow the return traffic. Therefore I don't believe you need to specify it.
HTH
11-27-2018 12:38 PM
So do you mean I don't need to specify the return traffic for DNS in the ACL 150? I still need to specify it in ACL 160 though, right?
Also, we are upgrading our Domain servers soon so the address is going to change. So I'm going to try using an object-group for the DNS Servers (*and ISE Server addresses) so I only need to modify the address in one place. I haven't used object-groups before, but from some of what I saw in other posts (*correct me if I'm wrong) I believe I use the "network" option, *i.e. "object-group network <WORD>"
I didn't change anything in the Policy/Class-Maps, as shown in my previous post. But, I'll modify the ACL to look like the following:
!
object-group network DNS-Servers
 description Internal DNS Servers
 host 10.30.5.35
 host 10.40.1.3
!
object-group network ISE-Servers
 description Cisco ISE - PSN Servers
 host 10.30.2.49
 host 10.40.10.49
!
!....
!
access-list 150 permit udp any object-group DNS-Servers eq domain
access-list 150 permit tcp any object-group DNS-Servers eq domain
access-list 150 permit tcp any object-group ISE-Servers eq 8443
access-list 160 permit udp object-group DNS-Servers eq domain any
access-list 160 permit tcp object-group DNS-Servers eq domain any
access-list 160 permit tcp object-group ISE-Servers any
!
So in ACL 150 I'm covering traffic FROM the Guest client TO the DNS-Servers, as well as tcp traffic on port 8443 TO the ISE-Servers.
Then, in ACL 160 (*the return traffic), I'm permitting traffic FROM the DNS-Servers TO the Guest clients, as well as allowing ANY tcp traffic FROM the ISE-Servers TO the Guest clients.
Do you see anything wrong with that configuration above?
Thanks again for your help, much appreciated!
-Matt
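One way to sanity-check the pair of ACLs, as an added Python example that is not part of this thread or of any Cisco tool: since both policy-maps above use pass rather than inspect, the WAN-PUBWIFI zone-pair only lets return traffic through when ACL 160 permits it explicitly, so the script parses a constructed copy of the object-group version of the config, expands the groups to host sets, and reports every ACL 150 entry with no covering return entry in ACL 160, plus every ACL 160 entry that is wider than the reverse of any ACL 150 entry (it flags the "permit tcp object-group ISE-Servers any" line, which returns more than port 8443).

```python
from collections import namedtuple
# Constructed sample: a copy of the object-group style ACLs posted in this thread.
CONFIG = """
object-group network DNS-Servers
 host 10.30.5.35
 host 10.40.1.3
object-group network ISE-Servers
 host 10.30.2.49
 host 10.40.10.49
access-list 150 permit udp any object-group DNS-Servers eq domain
access-list 150 permit tcp any object-group DNS-Servers eq domain
access-list 150 permit tcp any object-group ISE-Servers eq 8443
access-list 160 permit udp object-group DNS-Servers eq domain any
access-list 160 permit tcp object-group DNS-Servers eq domain any
access-list 160 permit tcp object-group ISE-Servers any
"""
# src/dst are frozensets of host addresses (or {"any"}); ports are a keyword/number or "any"
Ace = namedtuple("Ace", "proto src sport dst dport")

def _endpoint(t, i, groups):
    """Consume 'any' | 'host X' | 'object-group NAME', then an optional 'eq PORT', from t[i]."""
    if t[i] == "any":
        addr, i = {"any"}, i + 1
    else:  # 'host X' is a one-address set; 'object-group NAME' expands to the group's hosts
        addr, i = groups.get(t[i + 1], {t[i + 1]}), i + 2
    port, i = (t[i + 1], i + 2) if i < len(t) and t[i] == "eq" else ("any", i)
    return frozenset(addr), port, i

def parse(config):  # returns {acl_number: [Ace, ...]} with object-groups expanded
    groups, acls, cur = {}, {}, None
    for line in config.strip().splitlines():
        t = line.split()
        if t[0] == "object-group":
            cur = groups.setdefault(t[2], set())
        elif t[0] == "host":
            cur.add(t[1])
        elif t[0] == "access-list" and t[2] == "permit":
            src, sport, i = _endpoint(t, 4, groups)
            dst, dport, _ = _endpoint(t, i, groups)
            acls.setdefault(t[1], []).append(Ace(t[3], src, sport, dst, dport))
    return acls

def covers(b, a):  # True if ACE b permits at least everything ACE a permits
    wider = lambda big, small: big == {"any"} or small <= big
    return (b.proto == a.proto and wider(b.src, a.src) and b.sport in ("any", a.sport)
            and wider(b.dst, a.dst) and b.dport in ("any", a.dport))
reverse = lambda a: Ace(a.proto, a.dst, a.dport, a.src, a.sport)  # the return flow of a forward ACE

def check_return_path(config, fwd="150", rev="160"):  # (unmatched forward ACEs, over-wide return ACEs)
    acls = parse(config)
    missing = [a for a in acls[fwd] if not any(covers(b, reverse(a)) for b in acls[rev])]
    too_broad = [b for b in acls[rev] if not any(covers(reverse(a), b) for a in acls[fwd])]
    return missing, too_broad
```

Running check_return_path(CONFIG) returns no missing entries and one over-wide entry, the tcp ISE-Servers return line without "eq 8443"; deleting a return line from the sample makes its forward entry show up as missing.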
11-27-2018 12:58 PM