一千萬個為什麽

Cisco router: source range not working in ACL

When I add a source network range to the access list and then try to resolve a DNS query with nslookup, the connection times out:

access-list 100 permit udp 192.168.3.0 0.0.0.255 host (host ip of dns) eq domain

However, if I add "ip any any" instead, the traffic passes fine:

access-list 100 permit ip any any 

I don't understand why this happens.

Configuration file:

version 15.1
parser config cache interface
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec show-timezone
service password-encryption
service sequence-numbers
no service dhcp
!
boot-start-marker
boot-end-marker
!
!
security authentication failure rate 10 log
security passwords min-length 6
logging buffered 16384 informational
no logging console
no logging monitor
!
aaa new-model
!
!
aaa authentication login default local-case
aaa authentication login local_auth local
aaa authorization exec default local if-authenticated
!
!
!
!
!
aaa session-id common
!
clock timezone GMT 0 0
!
no ipv6 cef
no ip source-route
no ip gratuitous-arps
ip options drop
ip cef
!
!
no ip bootp server
ip domain name xxxMaskedxxx
ip name-server xxxMaskedxxx
ip inspect log drop-pkt
ip inspect audit-trail
ip inspect dns-timeout 30
ip inspect name a1 udp
ip inspect name a1 tcp
ip inspect name a1 dns
ip inspect name a1 http
ip inspect name a1 https
ip inspect name a1 ntp
ip inspect name b2 tcp
ip inspect name b2 udp
ip inspect name b2 http
ip inspect name b2 https
ip inspect name b2 dns
ip inspect name b2 ntp
login block-for 300 attempts 4 within 120
login delay 2
login on-failure log
login on-success log
!
multilink bundle-name authenticated
!
parameter-map type inspect global
log dropped-packets enable
!
crypto pki token default removal timeout 0
!  
!
license udi pid CISCO2921/K9 sn xxxMaskedxxx
!
!
archive
log config
logging enable
! 
redundancy
!
!
ip ssh version 2
!
!
interface Loopback0
no ip address
!
interface Embedded-Service-Engine0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
no mop enabled
!
interface GigabitEthernet0/0
description Internal Lan
ip address 192.168.3.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
no cdp enable
no mop enabled
!
interface GigabitEthernet0/1
description internet
ip address 172.18.19.2 255.255.255.0
ip access-group 102 in
ip access-group 101 out
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect b2 out
ip virtual-reassembly in
duplex auto
speed auto
no cdp enable
no mop enabled
!
interface GigabitEthernet0/2
description other services
ip address 172.17.31.2 255.255.255.0
ip access-group 102 in
ip access-group 100 out
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect a1 out
ip virtual-reassembly in
duplex auto
speed auto
no cdp enable
no mop enabled
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source route-map NAT1 interface GigabitEthernet0/1 overload
ip nat inside source route-map NAT2 interface GigabitEthernet0/2 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1 172.18.19.1
ip route 10.xx.xx.16 255.255.255.255 GigabitEthernet0/2 172.17.31.1

Lots of IP Routes

ip route 212.xxx.xxx.5 255.255.255.255 GigabitEthernet0/2 172.17.31.1
! 
!
logging facility local2
logging source-interface Loopback0
access-list 20 permit 192.168.3.0 0.0.255.255
access-list 100 permit udp 192.168.3.0 0.0.0.255 host IP MASKED dns2 eq domain
access-list 100 permit udp 192.168.3.0 0.0.0.255 host IP MASKED dns2 eq domain
access-list 101 permit ip any any
access-list 102 deny   ip any any
!
no cdp run
!
!
!
route-map NAT2 permit 10
match ip route-source 20
match interface GigabitEthernet0/2
set ip next-hop 172.16.31.1
!
route-map NAT1 permit 10
match ip address 101
match interface GigabitEthernet0/1
set ip next-hop 172.18.19.1
!
!
!
control-plane
!
!
line con 0
exec-timeout 5 0
logging synchronous
login authentication local_auth
transport preferred none
transport output none
escape-character 3
line aux 0
exec-timeout 0 1
login authentication local_auth
no exec
transport output none
line 2
exec-timeout 15 0
logging synchronous
login authentication local_auth
no activation-character
no exec
transport preferred none
transport input all
transport output none
stopbits 1
line vty 0 4
login authentication local_auth
transport input none
!
exception memory ignore overflow processor
exception memory ignore overflow io
end
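
An added illustration (not code from the original post) of one reason an outbound ACL on a NAT outside interface may never see the inside source range: on IOS, inside-to-outside NAT is applied before the outbound ACL on the outside interface, so by the time ACL 100 on GigabitEthernet0/2 is evaluated the source of an overload-translated packet is the interface address, not 192.168.3.x. The small model below implements IOS wildcard-mask matching and that ordering; the DNS server address is a constructed placeholder, and the ACL entries and addresses mirror the posted configuration.

```python
import ipaddress

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 0 bit in the mask must match, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w & 0xFFFFFFFF) == (n & ~w & 0xFFFFFFFF)

def acl_permits(acl, pkt) -> bool:
    """First matching entry wins; every ACL ends with an implicit 'deny ip any any'."""
    for action, proto, src, src_wc, dst, dst_wc, dport in acl:
        if proto not in ("ip", pkt["proto"]):
            continue
        if not wildcard_match(pkt["src"], src, src_wc):
            continue
        if not wildcard_match(pkt["dst"], dst, dst_wc):
            continue
        if dport is not None and dport != pkt["dport"]:
            continue
        return action == "permit"
    return False

def egress_after_nat(acl, pkt, outside_addr: str) -> bool:
    """Interface overload NAT rewrites the source to the outside interface address
    before the outbound ACL on that interface runs (assumed IOS order of operations)."""
    translated = dict(pkt, src=outside_addr)
    return acl_permits(acl, translated)

# Constructed sample data: placeholder DNS server, ACL 100 as posted, and a
# corrected entry that matches the post-NAT source instead of the inside range.
DNS = "203.0.113.53"
ANY = ("0.0.0.0", "255.255.255.255")
ACL_100 = [("permit", "udp", "192.168.3.0", "0.0.0.255", DNS, "0.0.0.0", 53)]
ACL_ANY = [("permit", "ip", *ANY, *ANY, None)]
OUTSIDE_G0_2 = "172.17.31.2"
ACL_FIXED = [("permit", "udp", OUTSIDE_G0_2, "0.0.0.0", DNS, "0.0.0.0", 53)]
QUERY = {"proto": "udp", "src": "192.168.3.10", "dst": DNS, "dport": 53}

if __name__ == "__main__":
    print("ACL 100 inbound on Gi0/0 (pre-NAT):", acl_permits(ACL_100, QUERY))
    print("ACL 100 outbound on Gi0/2 (post-NAT):", egress_after_nat(ACL_100, QUERY, OUTSIDE_G0_2))
    print("ip any any outbound on Gi0/2:", egress_after_nat(ACL_ANY, QUERY, OUTSIDE_G0_2))
    print("post-NAT-aware entry outbound on Gi0/2:", egress_after_nat(ACL_FIXED, QUERY, OUTSIDE_G0_2))
```

The same ACL that permits the query when applied inbound on the inside interface silently falls to the implicit deny when applied outbound on the NAT outside interface, which is the symptom described above; matching the translated source, or filtering inbound on GigabitEthernet0/0, keeps the restriction without opening "ip any any".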

Best answer

No best answer yet