
ACL Permit/Deny Question

Status
Not open for further replies.

gparrish (MIS)
Feb 28, 2003

We have our external routers locked down so no packets can hit the router without being permitted, such as NTP, telnet, etc.

I just enabled the router with a name server to do DNS resolution for any ping troubleshooting. I turned on a basic debug to track the conversation with the DNS server. I got the permit line in for the DNS to the router and it worked fine and resolved names and all. After this I noticed from the debug that the router was now blocking other DNS queries from inside the network to the same DNS server.

The bottom of the ACL has the 'permit ip any any' statement so I am not sure why this happened. Do I need to add a 'permit udp any any' statement to correct this or what? I assume that maybe when I had this entry some implicit deny gets turned on for udp 53 or something.

Thanks,
Greg
 
Okay, I think I got this (DNS Denied) while I was pasting in the multi-line ACL or right after. I tested it from the inside and it works now, and I am not getting any more of these messages either. I am doing all this remotely so I wanted to make sure.

Looks like the ip any any lets the remaining UDP in as planned.

Thanks,
Greg
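As an added example (not from the thread), here is a small first-match model of the kind of list Greg describes: explicit permits to the router, `permit ip any any` at the bottom, and the implicit deny that takes effect as soon as the list has any entries, which is why a list that is only partly pasted blocks traffic the finished list allows. The addresses and the simplified match fields are constructed assumptions, not values from the post.

```python
"""Constructed first-match ACL model of the list discussed in the thread."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str            # "udp", "tcp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Entry:
    action: str           # "permit" or "deny"
    proto: str            # "ip" matches any protocol
    src: str              # exact address or "any"
    dst: str
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("ip", p.proto)
                and self.src in ("any", p.src)
                and self.dst in ("any", p.dst)
                and (self.dport is None or self.dport == p.dport))


def evaluate(acl: List[Entry], p: Packet) -> str:
    """First matching entry wins. A referenced but empty list filters nothing;
    once the list has any entries, anything unmatched hits the implicit deny."""
    if not acl:
        return "permit"
    for e in acl:
        if e.matches(p):
            return e.action
    return "deny"   # implicit deny at the end of every non-empty list


# Constructed addresses: the router's outside interface and the DNS server.
ROUTER = "198.51.100.1"
DNS = "203.0.113.53"
INSIDE_HOST = "192.0.2.10"

FULL_ACL = [
    Entry("permit", "udp", "any", ROUTER, 123),   # NTP to the router
    Entry("permit", "tcp", "any", ROUTER, 23),    # telnet to the router
    Entry("permit", "udp", DNS, ROUTER),          # replies for the router's own lookups
    Entry("permit", "ip", "any", "any"),          # everything else, as in the thread
]
PARTIAL_ACL = FULL_ACL[:-1]   # state mid-paste, before the final permit ip any any


def dns_reply_to_inside(acl: List[Entry]) -> str:
    """Inbound DNS reply from the server to an inside host's ephemeral port."""
    return evaluate(acl, Packet("udp", DNS, INSIDE_HOST, 40000))
```

With the complete list the reply to the inside host is permitted by the final entry; with the partial list the same packet falls through to the implicit deny, while replies to the router itself are still permitted.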
 