IP Access-group DNS problems

Adam Coombs
Level 1

Hello, I need more help with my project please. I have a VLAN inside our network; this VLAN can only access a few resources. I was using the big network DNS server for internet access, but that has changed: they are adding a DC and Exchange server on this VLAN. So I need to get the DC to access a public DNS server like 8.8.8.8 (Google).
I cannot get this to work.

Here is my config 

interface Vlan888
 description VLAN 888 - PROJECT test
 ip address 10.88.70.250 255.255.255.0
 ip access-group TEstIN in
 ip helper-address 10.88.70.50
 standby 1 ip 10.88.70.254
 standby 1 priority 200
 standby 1 preempt
 standby 1 authentication XXXXX

 Extended IP access list TEstIN
    10 permit ip 10.88.70.0 0.0.0.255 10.88.70.0 0.0.0.255 log 
    15 permit ip 10.88.70.0 0.0.0.255 host 10.70.0.1 log 
    16 permit ip host 10.70.0.1 10.88.70.0 0.0.0.255 log
    20 permit ip 10.88.70.0 0.0.0.255 10.99.10.0 0.0.0.255 log 
    21 permit ip 10.88.70.0 0.0.0.255 10.99.11.0 0.0.0.255 log
    35 permit tcp any any eq www log 
    36 permit tcp any any eq 443 log 
    37 permit tcp any eq www any log
    38 permit tcp any eq 443 any log
    40 permit tcp any any eq domain log
    41 permit tcp any eq domain any log
    42 permit udp any any eq domain log (1596 matches)
    43 permit udp any eq domain any log
    60 deny ip any any 

DC IP config 
IP      10.88.70.50
Subnet  255.255.255.0
Gateway 10.88.70.254
DNS 8.8.8.8


You can see I am getting hits on my DNS ACL line.

When I try to do an nslookup, it fails; ping fails too.

Please Help


3 Replies

Walter Astori
Level 1

I think that the DNS traffic, TCP and UDP, can pass, but you must add the permit ip any any for ICMP.
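To see what the ACL posted in the question actually decides for the two flows it mentions (the UDP DNS query that is incrementing the counter on line 42, and the ping that fails), here is a small first-match evaluator for IOS extended ACL syntax; it is an added example, not code from this thread. The ACL text, the DC address and 8.8.8.8 are copied from the question; the source port 51234 is an assumption.

```python
import ipaddress
# Constructed re-typing of the extended ACL "TEstIN" posted in the question (sequence numbers kept).
ACL_TEXT = """10 permit ip 10.88.70.0 0.0.0.255 10.88.70.0 0.0.0.255 log
15 permit ip 10.88.70.0 0.0.0.255 host 10.70.0.1 log
16 permit ip host 10.70.0.1 10.88.70.0 0.0.0.255 log
20 permit ip 10.88.70.0 0.0.0.255 10.99.10.0 0.0.0.255 log
21 permit ip 10.88.70.0 0.0.0.255 10.99.11.0 0.0.0.255 log
35 permit tcp any any eq www log
36 permit tcp any any eq 443 log
37 permit tcp any eq www any log
38 permit tcp any eq 443 any log
40 permit tcp any any eq domain log
41 permit tcp any eq domain any log
42 permit udp any any eq domain log
43 permit udp any eq domain any log
60 deny ip any any"""
PORTS = {"www": 80, "domain": 53}  # IOS port keywords that appear in this ACL
def _addr(t):  # 'any' | 'host X' | 'X WILDCARD' -> (network, rest); an IOS wildcard is a hostmask
    if t[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), t[1:]
    if t[0] == "host":
        return ipaddress.ip_network(t[1]), t[2:]
    return ipaddress.ip_network(f"{t[0]}/{t[1]}", strict=False), t[2:]
def _port(t):  # optional 'eq <keyword|number>' -> (port or None, rest)
    return (PORTS.get(t[1]) or int(t[1]), t[2:]) if t and t[0] == "eq" else (None, t)

def parse_acl(text):  # -> [(seq, action, proto, src_net, src_port, dst_net, dst_port)]
    acl = []
    for line in text.splitlines():
        tok = line.split()
        seq, action, proto = int(tok[0]), tok[1], tok[2]
        src, rest = _addr(tok[3:])
        sport, rest = _port(rest)
        dst, rest = _addr(rest)
        dport, rest = _port(rest)  # a trailing 'log' keyword is ignored
        acl.append((seq, action, proto, src, sport, dst, dport))
    return acl

def evaluate(acl, proto, src, dst, sport=None, dport=None):  # first match wins, as on IOS
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for seq, action, p, snet, sp, dnet, dp in acl:
        if p in ("ip", proto) and s in snet and d in dnet and sp in (None, sport) and dp in (None, dport):
            return seq, action
    return None, "deny"  # the implicit deny at the end of every IOS ACL

ACL = parse_acl(ACL_TEXT)
DC, GOOGLE_DNS = "10.88.70.50", "8.8.8.8"  # addresses from the question
def decisions():  # the two flows the question reports: DNS is counted on line 42, ping is dropped
    return {"dns": evaluate(ACL, "udp", DC, GOOGLE_DNS, 51234, 53),
            "ping": evaluate(ACL, "icmp", DC, GOOGLE_DNS)}
```

Since no entry matches protocol icmp, ping from the DC falls through to line 60 regardless of destination, while a counted match on line 42 only proves the query was allowed off the VLAN, not that the firewall or NAT upstream passed it and its reply.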

Well, I found the issue I was having was with the firewall that everyone is behind.

I just need to allow the DC (IP address) to 8.8.8.8.

Had to make an inside access rule.


Tagir Temirgaliyev
Spotlight

Where is NAT? You cannot go to Google DNS from a local network address.