ACL to allow only DNS and DHCP Access

Andy Emerine
Level 1

It looks like there are a few posts on this in the community but I'm not able to allow DNS services to devices through an ACL. I'm working on the guest and IoT vlans and only want to allow them to receive network config settings from the DHCP server and be able to access the internet. Devices on this network are using my internal DNS server. The DHCP ACL setting works fine. DNS seems to reply on different ports so I've had to grant access to any port of the DNS server. I've tried the following, but have had to add "permit ip host 10.55.1.1 any" which I do not want to do. The router is a WS-C3850-12XS-S

10 permit udp any eq bootpc any eq bootps
20 permit udp any any eq domain log
21 permit tcp any any eq domain log
22 permit tcp any any eq www log
23 permit tcp any any eq 443 log

Accepted Solution

pman
Spotlight

Hi,

Did you apply the ACL as inbound?

If so, here's how to allow DNS:

R1

hostname R1
!
interface ethernet0
ip access-group 102 in
!
access-list 102 permit udp any any eq domain
access-list 102 permit udp any eq domain any
access-list 102 permit tcp any any eq domain
access-list 102 permit tcp any eq domain any

[screenshot attachment: pman_0-1714416803952.png]

https://www.cisco.com/c/en/us/support/docs/ip/access-lists/26448-ACLsamples.html


8 Replies

What other ports does DNS use?

MHM

Apr 26 10:39:31: %SEC-6-IPACCESSLOGP: list 2090 permitted tcp 10.55.20.50(50516) -> 10.55.1.1(53), 1 packet
Apr 26 10:39:32: %SEC-6-IPACCESSLOGP: list 2090 permitted udp 10.55.20.50(59389) -> 10.55.1.1(53), 1 packet
Apr 26 10:39:33: %SEC-6-IPACCESSLOGP: list 2090 permitted udp 10.55.20.50(60826) -> 10.55.1.2(53), 1 packet
Apr 26 10:39:34: %SEC-6-IPACCESSLOGP: list 2090 permitted udp 10.55.20.50(60826) -> 10.55.1.2(53), 1 packet

That's normal.

10.55.1.1(53) is your server.

And the other IP and its port are the user IP and the unknown port it uses to connect to the server.

You can control which port the DNS traffic goes to, but you cannot control which port this traffic comes from.

Your ACL is OK, and what you see is the log of the permit line of the ACL.

MHM

balaji.bandi
Hall of Fame

Below should work:

 

permit icmp any any
permit udp any any eq bootps
permit udp any any eq bootpc
permit tcp any any eq www
permit tcp any any eq 443
permit tcp any any eq domain
permit udp any any eq domain
deny ip any any log

 

permit ip host 10.55.1.1 any - is this for a single host? What IP is this?

BB


10.55.1.1 is one of the DNS servers. I add a rule for each server.

I still can't get to the internet with the following.

Extended IP access list IoT_ACL
10 permit udp any eq bootpc any eq bootps
20 permit udp any any eq domain log
21 permit tcp any any eq domain log
23 permit tcp any eq www any
24 permit tcp any eq 443 any
30 deny ip 10.55.0.0 0.0.3.255 any log (28259 matches) (This IP range is the VLAN the DNS server is on)

Making DNS work does not mean that you can access the internet.

To access the internet you need to permit ip any any, because you don't know what destination IP the user will use to access the internet.

I think here you need not an ACL but a zone-based firewall or FW to access the internet safely; with this ACL and permit ip any any at the end you cannot secure internet access.

MHM
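The two points made in the replies above (that the source port in the %SEC-6-IPACCESSLOGP lines is the client's ephemeral port, so only the destination port can be matched, and that an inbound ACL on the client VLAN must carry its port qualifier on the destination side) can be checked offline with a small ACL evaluator. The code below is an added example, not code from the thread or from Cisco; it models only the subset of IOS extended-ACL syntax used in this thread (`any`, `host`, wildcard masks, `eq <port>`, a leading sequence number and a trailing `log`), with the port-name mapping and the web destination address 203.0.113.10 assumed for the demonstration.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Constructed sample lines in the %SEC-6-IPACCESSLOGP format quoted in the thread.
SAMPLE_LOG = """\
Apr 26 10:39:31: %SEC-6-IPACCESSLOGP: list 2090 permitted tcp 10.55.20.50(50516) -> 10.55.1.1(53), 1 packet
Apr 26 10:39:32: %SEC-6-IPACCESSLOGP: list 2090 permitted udp 10.55.20.50(59389) -> 10.55.1.1(53), 1 packet
Apr 26 10:39:33: %SEC-6-IPACCESSLOGP: list 2090 permitted udp 10.55.20.50(60826) -> 10.55.1.2(53), 1 packet
"""

LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>tcp|udp) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\)"
)

# Assumed IOS port-name mapping for the names used in the thread.
PORT_NAMES = {"domain": 53, "www": 80, "bootps": 67, "bootpc": 68}


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_log(text: str) -> List[Flow]:
    """Extract the 5-tuple from each ACL log line; unrelated lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            flows.append(Flow(m["proto"], m["src"], int(m["sport"]), m["dst"], int(m["dport"])))
    return flows


def _ip(ip: str) -> int:
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def _port(tok: str) -> int:
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]


def _parse_addr(t: List[str], i: int) -> Tuple[Callable[[str], bool], int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D wildcard' at t[i]; return (matcher, next index)."""
    if t[i] == "any":
        return (lambda ip: True), i + 1
    if t[i] == "host":
        target = _ip(t[i + 1])
        return (lambda ip, x=target: _ip(ip) == x), i + 2
    base, wild = _ip(t[i]), _ip(t[i + 1])
    # Wildcard bits set to 1 are "don't care"; every other bit must equal the base.
    return (lambda ip, b=base, w=wild: (((_ip(ip) ^ b) & ~w) & 0xFFFFFFFF) == 0), i + 2


def _parse_port(t: List[str], i: int) -> Tuple[Optional[int], int]:
    """Optional 'eq <port>' qualifier following an address spec."""
    if i < len(t) and t[i] == "eq":
        return _port(t[i + 1]), i + 2
    return None, i


@dataclass
class Ace:
    action: str
    proto: str
    src: Callable[[str], bool]
    sport: Optional[int]
    dst: Callable[[str], bool]
    dport: Optional[int]
    text: str

    def matches(self, f: Flow) -> bool:
        return (self.proto in ("ip", f.proto)
                and self.src(f.src) and self.dst(f.dst)
                and (self.sport is None or self.sport == f.sport)
                and (self.dport is None or self.dport == f.dport))


def parse_acl(lines: List[str]) -> List[Ace]:
    aces = []
    for line in lines:
        t = line.split()
        if t[0].isdigit():          # drop the sequence number
            t = t[1:]
        if t[-1] == "log":          # 'log' does not affect matching
            t = t[:-1]
        src, i = _parse_addr(t, 2)
        sport, i = _parse_port(t, i)
        dst, i = _parse_addr(t, i)
        dport, i = _parse_port(t, i)
        aces.append(Ace(t[0], t[1], src, sport, dst, dport, line))
    return aces


def evaluate(aces: List[Ace], flow: Flow) -> Tuple[str, str]:
    """First matching entry wins; no match is the implicit deny at the end of every IOS ACL."""
    for ace in aces:
        if ace.matches(flow):
            return ace.action, ace.text
    return "deny", "implicit deny"


# The ACL as posted in the thread: web lines carry the port on the source side.
THREAD_ACL = [
    "10 permit udp any eq bootpc any eq bootps",
    "20 permit udp any any eq domain log",
    "21 permit tcp any any eq domain log",
    "23 permit tcp any eq www any",
    "24 permit tcp any eq 443 any",
    "30 deny ip 10.55.0.0 0.0.3.255 any log",
]

# Same policy with the port qualifier moved to the destination, where client traffic carries it.
FIXED_ACL = [
    "10 permit udp any eq bootpc any eq bootps",
    "20 permit udp any any eq domain log",
    "21 permit tcp any any eq domain log",
    "23 permit tcp any any eq www",
    "24 permit tcp any any eq 443",
    "30 deny ip 10.55.0.0 0.0.3.255 any log",
]


def dns_results() -> List[str]:
    """Which ACL line each logged DNS flow hits; the ephemeral source port never matters."""
    acl = parse_acl(THREAD_ACL)
    return [evaluate(acl, f)[1] for f in parse_log(SAMPLE_LOG)]


def web_result(acl_lines: List[str]) -> str:
    """Action for a constructed client flow: ephemeral source port, destination port 80."""
    web = Flow("tcp", "10.55.20.50", 51000, "203.0.113.10", 80)
    return evaluate(parse_acl(acl_lines), web)[0]


if __name__ == "__main__":
    for f, hit in zip(parse_log(SAMPLE_LOG), dns_results()):
        print(f"{f.proto} {f.src}:{f.sport} -> {f.dst}:{f.dport}  matched: {hit}")
    print("web flow, ACL as posted:", web_result(THREAD_ACL))
    print("web flow, destination-port form:", web_result(FIXED_ACL))
```

Running it shows every logged DNS flow landing on the `eq domain` lines regardless of its source port, while the constructed web flow falls through to the implicit deny under the posted ACL and is permitted only once the `eq www` / `eq 443` qualifier sits on the destination. It also makes the last reply's point concrete: a destination-port permit still says nothing about which internet addresses are reached, which is why stateful inspection rather than a plain ACL is the tool for that part of the policy.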

