Access List trouble!

[ChrisAC]

I having access list issues that I'm hoping someone can help me with. I'm missing something obvious!!

I'm putting an access list on the inbound serial interface of an internet facing router for a customer. All this customers mail gets forwarded to message labs for virus checking and all mail to the domain now comes via message labs, so we were asked to filter incoming packets to ensure that only mail from message labs addresses could come in on port 25. So, I applied the following ACL:

permit tcp any 111.222.333.444 0.0.0.3 established
permit udp any 111.222.333.444 0.0.0.3 gt 1023
permit tcp any 111.222.333.444 0.0.0.3 gt 1023
permit tcp 193.109.254.0 0.0.0.15 host 111.222.333.444 eq smtp
permit tcp 212.125.75.16 0.0.0.7 host 111.222.333.444 eq smtp
permit tcp 195.216.16.0 0.0.0.255 host 111.222.333.444 eq smtp
permit icmp any 111.222.333.444 0.0.0.3
permit tcp any 111.222.333.444 0.0.0.3 eq telnet
permit tcp any host 111.222.333.444 eq 443

Note, I'm hiding the real address of the customer!!

So, I'm allowing all established TCP connections from the inside and all incoming ports above 1023 for server to client connections. I've allowed smtp from messagelabs and icmp and https from anywhere.

Now, everything is fine apart from a problem with the proxy behind the router. When the access list is applied to the router, the proxy can't resolve hosts to IP addresses. It looks as though it's blocking the incoming DNS information, despite the fact that all established connections are allowed through and UDP ports above 1023 are allowed in. The funny thing is that if I ping from the router, say ping

http://www.sun.com,

it resolves the IP. If I do the same from the proxy it can't resolve. As soon as I take the ACL off the router the proxy can resolve again.

Am I missing something?

Chris.


************************
Chris Andrew, CCNA
chrisac@gmx.co.uk
************************

 

[wybnormal]

DNS is UDP port 53.. so if you are blocking everything up to 1023 and then allowing 1024 UDP and up, it's not going to work.

A second thing to remember is that with UDP, you need to enable some type of forwarding.. ie.. ip helper-address or the ip forward-protocol for port 53

MikeS
Find me at

http://www.packetattack.com

"The trouble with giving up civil rights is that you never get them back"

 

[ChrisAC]

This is an inbound access list on the external interface so port 53 doesn't need to be allowed in. Port 53 is allowed out (ie. the proxy DNS request) and the incoming traffic from the DNS server will have a destination port greater than 1023 (ie. the proxy source port). The DNS server won't send packets back to the client on port 53!! So, this still doesn't explain why it's not working or why DNS works from the router but not from the proxy!!

Chris.
************************
Chris Andrew, CCNA
chrisac@gmx.co.uk
************************

 

[nosey]

Access lists don't apply to traffic originating from the router.

 

[marsd]

actually if you will check your dns servers, depending on
what dns software they are running, and the version, you may notice a bound listener on a high port(bind 8.2.x+), as
the chrooted bindD can only bind unprivileged ports.
So this may be part of your problem.

 

[ChrisAC]

Thanks guys but I solved this one a while ago! Wybnormal was right about port 53 being blocked.

The proxy product that was sitting between my laptop and the router was also acting as a DNS cache engine. So, instead of my request going to the DNS server with a source port above 1023, the proxy made the request with a source port of 53 and so the reply from the DNS server on destination port 53!

Problem solved! Phew!

Chris.
************************
Chris Andrew, CCNA
chrisac@gmx.co.uk
************************