ACL as Firewall?

divadko
Level 1

Hi all,

I want to protect my recursive DNS server (unbound) that is connected to a routed interface on the switch.

I applied this ACL as output, but resolving on the server stopped working after a few seconds. The connection to the server and ping to the internet were OK.

Extended IP access list DNS_TEST_1
10 permit ip (OUR AS) 0 0.0.7.255 host x.x.x.x (2 matches)
20 permit tcp any any established (2 matches)
30 permit icmp any any echo
40 permit icmp any any echo-reply (1 match)
50 permit udp any any eq domain (2 matches)
60 permit tcp any any eq domain
70 deny ip any any (8 matches)

Is there any way to protect the server without using a hardware firewall, only with an ACL?

I have a feeling that ACLs in Catalyst switches can't track established packets from the server to the internet and pass the answer through the ACL on the output port.

I am trying to do it on a Catalyst 4506E Sup 7.

Thank you for your help.

dave

7 Replies 7

balaji.bandi
Hall of Fame

Can you post the full ACL config? The ACL you mentioned is going out; how about coming in?

Example:

ip access-list BBDNS-IN
permit udp 8.8.8.8/32 192.168.10.1/32 eq domain

ip access-list BBDNS-OUT
permit udp 192.168.10.1/32 eq domain 8.8.8.8/32

int vlan 99 or interface gi x/x
ip access-group BBDNS-IN in
ip access-group BBDNS-OUT out

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hi,

I don't use any rule for "IN", so the in direction is not filtered.

But... I just added a few more lines to accept answers from the public recursive servers that unbound is using, like this:

70 permit ip host 8.8.8.8 any (3 matches)
80 permit ip host 8.8.4.4 any (3 matches)
90 permit ip host 37.235.1.174 any
100 permit ip host 37.235.1.177 any
110 permit ip host 50.116.23.211 any
120 permit ip host 64.6.64.6 any
130 permit ip host 64.6.65.6 any
140 permit ip host 74.82.42.42 any (3 matches)
150 permit ip host 84.200.69.80 any
160 permit ip host 84.200.70.40 any
170 permit ip host 91.239.100.100 any
180 permit ip host 109.69.8.51 any
190 permit ip host 208.67.222.220 any (3 matches)
200 permit ip host 208.67.222.222 any (3 matches)
210 permit ip host 216.146.35.35 any (3 matches)
220 permit ip host 216.146.36.36 any (3 matches)
230 deny ip any any (9 matches)

And it looks like it is working.... wow...

So you are allowing more granular rules with the host; with any it should work.

Glad all is working as expected.

BB


Hello,

Add the lines marked in bold to your access list below, inbound; that should allow all DNS:


Extended IP access list DNS_TEST_1
10 permit ip (OUR AS) 0 0.0.7.255 host x.x.x.x
20 permit tcp any any established
30 permit icmp any any echo
40 permit icmp any any echo-reply
50 permit udp any any eq domain
60 permit udp any eq domain any
70 permit tcp any any eq domain
80 permit tcp any eq domain any
90 deny ip any any

Hello,

I don't think this is a good idea... because I allow all packets from any host to my DNS...

My unbound is using only these recursive DNS servers, so I don't think that I need to receive packets from a different DNS server..

The second thing is that if my DNS server sends a packet to a public recursive DNS, the dst port is 53, but the receiving port should not be 53; it will not work, I think.

Here is my config from unbound:

forward-zone:
name: "."
forward-addr: 8.8.4.4 # Google
forward-addr: 8.8.8.8 # Google
forward-addr: 37.235.1.174 # FreeDNS
forward-addr: 37.235.1.177 # FreeDNS
forward-addr: 50.116.23.211 # OpenNIC
forward-addr: 64.6.64.6 # Verisign
forward-addr: 64.6.65.6 # Verisign
forward-addr: 74.82.42.42 # Hurricane Electric
forward-addr: 84.200.69.80 # DNS Watch
forward-addr: 84.200.70.40 # DNS Watch
forward-addr: 91.239.100.100 # censurfridns.dk
forward-addr: 109.69.8.51 # puntCAT
forward-addr: 208.67.222.220 # OpenDNS
forward-addr: 208.67.222.222 # OpenDNS
forward-addr: 216.146.35.35 # Dyn Public
forward-addr: 216.146.36.36 # Dyn Public

So I hope my config will solve this...

In this case I probably don't need these lines:

50 permit udp any any eq domain (2 matches)
60 permit tcp any any eq domain

Hello,


your 'working' solution is not filtering anything at all, because you are allowing the entire IP protocol stack, that is why it is 'working'. Your original post asks how you can allow DNS traffic, and your initial access list had 'any any' configured, so there is no way for us to know which specific hosts you want to allow. If you tell us which host IP addresses exactly you want to allow, we can give you a more specific answer...

I am allowing the IP protocol only from the trusted network.

The rest will allow only packets from the recursive servers.
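The stateless-ACL behaviour argued about throughout this thread (the `established` keyword only ever inspecting TCP flags, so a UDP reply with source port 53 falls through to the `deny ip any any`; and the later point that `permit ip host X any` permits far more than DNS), as an added example that is not part of the thread and not Cisco or unbound code: a small Python model of first-match ACL evaluation run over constructed packets. The server address, trusted network and client address are placeholders I made up; only 8.8.8.8 comes from the thread. The fourth list, which combines the forwarder host list with the source-port restriction, goes beyond what anyone in the thread proposed.

```python
# Added example, not code from the thread: a model of a stateless Cisco
# extended ACL, evaluated against constructed packets, showing why the original
# outbound ACL broke recursion and what each proposed fix actually permits.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                        # "udp", "tcp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    tcp_flags: Tuple[str, ...] = ()   # only consulted by 'established'


@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: str                     # CIDR or "any"
    dst: str
    sport: Optional[int] = None  # None = any port ("eq domain" is 53)
    dport: Optional[int] = None
    established: bool = False    # TCP only: matches when ACK or RST is set


def _net_match(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not (_net_match(ace.src, pkt.src) and _net_match(ace.dst, pkt.dst)):
        return False
    if ace.sport is not None and pkt.sport != ace.sport:
        return False
    if ace.dport is not None and pkt.dport != ace.dport:
        return False
    if ace.established:
        # 'established' only looks at TCP header flags; there is no state
        # table, so it can never recognise a UDP reply as return traffic.
        return pkt.proto == "tcp" and bool({"ACK", "RST"} & set(pkt.tcp_flags))
    return True


def evaluate(acl, pkt: Packet) -> str:
    """First-match evaluation, ending in the implicit deny of every Cisco ACL."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


# Constructed placeholders (the thread masks the real addresses).
SERVER = "192.0.2.53"         # the unbound host
TRUSTED = "198.51.100.0/21"   # stands in for "(OUR AS) 0 0.0.7.255"
FORWARDER = "8.8.8.8/32"      # one of unbound's forward-addr entries

# 1. The original outbound ACL (switch -> server); ICMP echo lines collapsed.
ORIGINAL = [
    Ace("permit", "ip", TRUSTED, SERVER),
    Ace("permit", "tcp", "any", "any", established=True),
    Ace("permit", "icmp", "any", "any"),
    Ace("permit", "udp", "any", "any", dport=53),
    Ace("permit", "tcp", "any", "any", dport=53),
    Ace("deny", "ip", "any", "any"),
]
# 2. The reply's suggestion: also permit traffic *from* port 53.
PORT_BASED = ORIGINAL[:-1] + [
    Ace("permit", "udp", "any", "any", sport=53),
    Ace("permit", "tcp", "any", "any", sport=53),
    Ace("deny", "ip", "any", "any"),
]
# 3. The OP's "working" list: permit ip host <forwarder> any.
HOST_BASED = ORIGINAL[:-1] + [
    Ace("permit", "ip", FORWARDER, "any"),
    Ace("deny", "ip", "any", "any"),
]
# 4. Both ideas combined (not from the thread): DNS replies only, from the
#    configured forwarders only, to the server only.
NARROW = ORIGINAL[:-1] + [
    Ace("permit", "udp", FORWARDER, SERVER, sport=53),
    Ace("permit", "tcp", FORWARDER, SERVER, sport=53),
    Ace("deny", "ip", "any", "any"),
]

# Constructed packets as seen leaving the switch towards the server.
CLIENT_QUERY = Packet("udp", "203.0.113.7", SERVER, 51000, 53)
UDP_REPLY = Packet("udp", "8.8.8.8", SERVER, 53, 40123)                # the one that broke
TCP_REPLY = Packet("tcp", "8.8.8.8", SERVER, 53, 40124, ("ACK",))      # TCP fallback
FORWARDER_SSH = Packet("tcp", "8.8.8.8", SERVER, 4444, 22, ("SYN",))   # non-DNS from 8.8.8.8


def verdicts(pkt: Packet) -> dict:
    lists = [("original", ORIGINAL), ("port_based", PORT_BASED),
             ("host_based", HOST_BASED), ("narrow", NARROW)]
    return {name: evaluate(acl, pkt) for name, acl in lists}


if __name__ == "__main__":
    for label, pkt in [("client query", CLIENT_QUERY), ("UDP reply", UDP_REPLY),
                       ("TCP reply", TCP_REPLY), ("non-DNS from 8.8.8.8", FORWARDER_SSH)]:
        print(f"{label:22s} {verdicts(pkt)}")
```

Running it shows the pattern the thread circles around: the original list passes client queries and TCP replies (the `established` line catches the ACK) but drops the UDP reply, which is why resolution died once unbound's cached answers expired; the port-based fix passes the UDP reply but also anything from any source with source port 53; the host-based fix passes every protocol and port from the forwarders; the combined list passes only port-53 replies from the forwarders to the server. None of the four is stateful, so a stateless ACL can only narrow the surface, not verify that a reply belongs to a query.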
