1752732
Members
6124
Online
108789
Solutions
SOLVED
Hi doubleH,
One piece in the RACL that might be causing an issue is the: deny in ip from any to 192.167.77.0/24.
You have this entry before the line: permit in ip from any to 192.167.77.254/24.
I would expect the deny for the 192.167.77.0 network to occur first, so the permit statement to your firewall would never be invoked.
So, you might try putting the permit statement with the specific address of your firewall before the deny statement to the 192.167.77.0/24 network.
Since your DNS servers are 4.2.2.1 and 4.2.2.2, I'm not sure this will fix the DNS problem, but that is the only deny statement I see with hit counter increments. It also looks like the last line of the ACL is a permit any any, so my guess would be the issue is somehow tied to that deny statement.
Hope that helps.
Regards,
Jarret
One piece in the RACL that might be causing an issue is the: deny in ip from any to 192.167.77.0/24.
You have this entry before the line: permit in ip from any to 192.167.77.254/24.
I would expect the deny for the 192.167.77.0 network to occur first, so the permit statement to your firewall would never be invoked.
So, you might try putting the permit statement with the specific address of your firewall before the deny statement to the 192.167.77.0/24 network.
Since your DNS servers are 4.2.2.1 and 4.2.2.2, I'm not sure this will fix the DNS problem, but that is the only deny statement I see with hit counter increments. It also looks like the last line of the ACL is a permit any any, so my guess would be the issue is somehow tied to that deny statement.
Hope that helps.
Regards,
Jarret
Hi DoubleH,
Well, it looks like the first ACE for the permit UDP to your DNS server is getting hits, but I'm not sure why DNS would not be working at this point.
Sorry if this is re-hashing what you were discussing about adding entries in the host file, but would it be possible to either temporarily remove the ACL or just put in a first line ACE of permit any any to verify the root issue is the ACL?
From what I see in the latest data, since we are getting hit counters on the permit for the UDP to 4.2.2.1, I would expect this to work...
Maybe one other test thought: From the test clients, can we try testing DNS via an NSlookup to see if ip addresses are resolving to names and vice-versa?
Well, it looks like the first ACE for the permit UDP to your DNS server is getting hits, but I'm not sure why DNS would not be working at this point.
Sorry if this is re-hashing what you were discussing about adding entries in the host file, but would it be possible to either temporarily remove the ACL or just put in a first line ACE of permit any any to verify the root issue is the ACL?
From what I see in the latest data, since we are getting hit counters on the permit for the UDP to 4.2.2.1, I would expect this to work...
Maybe one other test thought: From the test clients, can we try testing DNS via an NSlookup to see if ip addresses are resolving to names and vice-versa?
Hi DoubleH,
How about we just have permit statements that only allow guest access to 192.168.77.0 for DNS?
I believe DNS uses TCP and UDP port 53, so in our ACL, I think we could just have permit statements allowing TCP/UDP from your guest network to 192.168.77.0/24 eq 53. Then we would follow this statement with a deny for anything else from the guest network to the 192.168.77.0/24 network.
How about we just have permit statements that only allow guest access to 192.168.77.0 for DNS?
I believe DNS uses TCP and UDP port 53, so in our ACL, I think we could just have permit statements allowing TCP/UDP from your guest network to 192.168.77.0/24 eq 53. Then we would follow this statement with a deny for anything else from the guest network to the 192.168.77.0/24 network.
Hi DoubleH,
Glad to see it looks like you have things working now. I was about to respond to your last message that the deny any any was probably restricting too much (such as DHCP no longer getting through). However, with the more specific deny statements specifying particular subnets with the permit any any at the end, works a little better.
The only security issue that could arise would be if there is a subnet present that you have not defined in your deny statements. Otherwise, I think it would be ok.
My only other thought would be looking at the ACL a little differently. If the purpose of the ACL is to limit guest users to only have Internet access (and also DNS and DHCP for functionality), then we could have an access list that looked something like this (assuming 192.168.78.0/24 is guest network):
permit in udp from 192.168.78.0/24 to any 53
permit in tcp from 192.168.78.0/24 to any 53
permit in tcp from 192.168.78.0/24 to any 80 (http)
permit in udp from 192.168.78.0/24 to any 68 (DHCP client I believe)
deny in ip from 192.168.78.0/24 to any (this should block guest network from accessing anything else other the DNS, HTTP, and DHCP).
permit in ip from any to any
This is just a little different way of setting up the ACL, not necessarily any better than what you have. Other folks may have input on how they would like to set it up as well...
Regards,
Jarret
Glad to see it looks like you have things working now. I was about to respond to your last message that the deny any any was probably restricting too much (such as DHCP no longer getting through). However, with the more specific deny statements specifying particular subnets with the permit any any at the end, works a little better.
The only security issue that could arise would be if there is a subnet present that you have not defined in your deny statements. Otherwise, I think it would be ok.
My only other thought would be looking at the ACL a little differently. If the purpose of the ACL is to limit guest users to only have Internet access (and also DNS and DHCP for functionality), then we could have an access list that looked something like this (assuming 192.168.78.0/24 is guest network):
permit in udp from 192.168.78.0/24 to any 53
permit in tcp from 192.168.78.0/24 to any 53
permit in tcp from 192.168.78.0/24 to any 80 (http)
permit in udp from 192.168.78.0/24 to any 68 (DHCP client I believe)
deny in ip from 192.168.78.0/24 to any (this should block guest network from accessing anything else other the DNS, HTTP, and DHCP).
permit in ip from any to any
This is just a little different way of setting up the ACL, not necessarily any better than what you have. Other folks may have input on how they would like to set it up as well...
Regards,
Jarret