
Need help on IP Access-list

Sukanta Biswas
Level 1

Hi,

Can anyone advise on the following?

Source add: 192.168.29.30 (application)

destination add: 192.168.25.17 (Domain controller)

Port: 53

There is only one outbound IP access-list applied on the source VLAN. How can I allow the DNS traffic from the above-mentioned source to the destination? Would that be like the below?

permit tcp host 192.168.25.17 eq domain host 192.168.29.30

permit udp host 192.168.25.17 eq domain host 192.168.29.30

or

permit ip host 192.168.25.17 any

any advice would be greatly appreciated...

Regards

Sukanta


8 Replies

ameya_oke
Level 1

Hi Sukanta,

Your concern is the reverse packet, as the ACL is applied in the out direction on the LAN.

Reverse Packet:

Source: 192.168.25.17

Destination: 192.168.29.30

Port: N/A (any random port, not 53)

So the ACL below won't work: for the reverse packet with source 192.168.25.17, the destination port won't be 53; rather, it will be a random port.

"permit tcp host 192.168.25.17 eq domain host 192.168.29.30

permit udp host 192.168.25.17 eq domain host 192.168.29.30"

Again, if you use "permit ip host 192.168.25.17 any", all traffic from the DNS server is open for accessing your LAN 192.168.25.0/24 and other subnets as well, which is not efficient.

Solution: use a specific host-matching clause in the ACL.

permit ip host 192.168.25.17 host 192.168.29.30

Kindly provide your rating only if it helped.

Ameya

Hi Ameya,

Thank you very much for your advice.

On my access-list I am actually allowing the reverse traffic from 192.168.25.17 (with source port 53) to 192.168.29.30 (with a random port) using the entry below:

permit tcp host 192.168.25.17 eq 53 (source port) host 192.168.29.30 (using random port)

Am I not right? I'm a little confused. Please suggest.

Regards

Sukanta

Sukanta

You are right as long as the access-list is applied outbound on the L3 vlan interface for the 192.168.29.0/24 subnet.

DNS can use either UDP or TCP. Generally it uses UDP which is by far the commonest but if the reply is too long it can use TCP.

Jon
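A complete configuration for the case discussed in this thread, as an added example and not configuration from any of the original posts. The ACL name APP-VLAN-OUT, the SVI number Vlan29 and its address 192.168.29.1 are assumptions made up for the example. Because the ACL is applied outbound on the VLAN interface it filters traffic leaving the switch toward 192.168.29.0/24, i.e. the DNS replies, so the domain controller is the source and "eq domain" (port 53) sits on the source side, exactly as Jon describes:

```cisco
! Extended named ACL filtering traffic leaving Vlan29 toward 192.168.29.0/24.
! ACL name, interface number and SVI address are assumptions for this example.
ip access-list extended APP-VLAN-OUT
 remark DNS replies from the domain controller to the application host
 ! Source port 53, any destination port: the application host picks a random high port
 permit udp host 192.168.25.17 eq domain host 192.168.29.30
 ! TCP fallback for replies too large for UDP. "established" matches only packets
 ! with ACK or RST set, so the domain controller cannot open new TCP connections
 ! to the application host through this line; only replies to its queries pass.
 permit tcp host 192.168.25.17 eq domain host 192.168.29.30 established
 ! Everything else toward the VLAN is dropped by the implicit deny at the end of
 ! every ACL; an explicit deny with log makes unexpected hits visible.
 deny ip any any log
!
interface Vlan29
 description Application server VLAN 192.168.29.0/24
 ip address 192.168.29.1 255.255.255.0
 ip access-group APP-VLAN-OUT out
```

Two caveats a practitioner should keep in mind. First, UDP has no "established" equivalent, so any packet claiming source 192.168.25.17 port 53 toward 192.168.29.30 is permitted whether or not a query was ever sent; that is the price of a stateless ACL, and if that matters, IOS reflexive ACLs (the reflect/evaluate keywords) or a zone-based firewall track the query state instead. Second, verify the entry is actually being hit with "show ip access-lists APP-VLAN-OUT" while the application resolves a name: the hit counters on the two permit lines should climb, and a climbing counter on the deny line with log messages naming 192.168.25.17 usually means the ACL was bound in the wrong direction or on the wrong interface.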

Ameya

"So the ACL below won't work: for the reverse packet with source 192.168.25.17, the destination port won't be 53; rather, it will be a random port.

permit tcp host 192.168.25.17 eq domain host 192.168.29.30"

But the ACL line above is not specifying a destination port of 53. It is saying:

allow traffic from 192.168.25.17 from port 53 to the host 192.168.29.30 to any random port. Which is correct because the source port from the domain controller for DNS query will be port 53.

Jon

The Cisco support community is amazing; within a week many of my misconceptions have been removed.

Thanks Jon for your valuable inputs.

Ameya

Ameya

Yes, that's one of the reasons I contribute to CSC as well; you always keep learning.

Jon

Also I believe most importantly CSC helps one improve the skill of framing a question.

Technical writing is one aspect which even the most technically sound professionals find difficult.

I guess half the battle is lost if the question can not be understood.

Anyway, thank you so much!

Ameya.

Thank you so much, both of you. Yes, Jon is right. I think CSC is one of the best forums to learn from.

Thanks guys.

cheers

Sukanta