This seemed simple enough but I have to be missing something. I have the following config to block all DNS requests from the inside that are not going to the allowed external DNS servers.

access-list INSIDE-ACCESS-OUT extended permit udp any object open-dns1 eq domain
access-list INSIDE-ACCESS-OUT extended permit udp any object open-dns2 eq domain
access-list INSIDE-ACCESS-OUT extended permit tcp any object open-dns1 eq domain
access-list INSIDE-ACCESS-OUT extended permit tcp any object open-dns2 eq domain
access-list INSIDE-ACCESS-OUT extended deny udp any any eq domain
access-list INSIDE-ACCESS-OUT extended deny tcp any any eq domain
access-list INSIDE-ACCESS-OUT extended permit ip any any

access-group INSIDE-ACCESS-OUT out interface inside

DNS can still get out to any server and packet tracer doesn't show the ACL being hit.

1 Answer

Your ACL is applied backwards. You're applying it to packets going out the inside interface (From the internet to your internal hosts). This should fix it:

no access-group INSIDE-ACCESS-OUT out interface inside
access-group INSIDE-ACCESS-OUT in interface inside
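A small model of the direction semantics behind that fix, added here as an illustration (not code from the post or from Cisco): it replays the question's INSIDE-ACCESS-OUT entries against an outbound DNS query and shows that the ACL is never consulted while it is bound `out` on the inside interface, but denies the query once bound `in`. The addresses behind the two network objects and the internal subnet prefix are assumed sample values.

```python
from dataclasses import dataclass

# Constructed sample values (assumptions, not from the post): addresses behind
# the two network objects and the internal subnet prefix.
OBJECTS = {"open-dns1": "192.0.2.1", "open-dns2": "192.0.2.2"}
INSIDE_PREFIX = "10.0.0."

# INSIDE-ACCESS-OUT from the question as (action, proto, dst, dport); every
# line has source "any", so that field is omitted.
ACL = [
    ("permit", "udp", "open-dns1", 53), ("permit", "udp", "open-dns2", 53),
    ("permit", "tcp", "open-dns1", 53), ("permit", "tcp", "open-dns2", 53),
    ("deny", "udp", "any", 53), ("deny", "tcp", "any", 53),
    ("permit", "ip", "any", None),
]

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: int

def ace_matches(ace, pkt):
    _, proto, dst, dport = ace
    if proto != "ip" and proto != pkt.proto:
        return False
    if dst != "any" and OBJECTS[dst] != pkt.dst:
        return False
    return dport is None or dport == pkt.dport

def acl_verdict(pkt):
    """First matching ACE wins; every ACL ends with an implicit deny."""
    for ace in ACL:
        if ace_matches(ace, pkt):
            return ace[0]
    return "deny"

def inside_direction(pkt):
    """'in' when the packet enters the ASA from an internal host, 'out' when
    the ASA delivers it to an internal host (return or inbound traffic)."""
    return "in" if pkt.src.startswith(INSIDE_PREFIX) else "out"

def forward(pkt, bound_direction):
    """(acl_consulted, verdict) under 'access-group ... <bound_direction> interface inside'."""
    if inside_direction(pkt) != bound_direction:
        # Bound to the other direction, so never evaluated; the query passes on
        # the default inside->outside policy, hence no ACL hit in packet-tracer.
        return (False, "permit")
    return (True, acl_verdict(pkt))
```

Run `forward(Packet("udp", "10.0.0.5", "198.51.100.9", 53), "out")` versus the same packet with `"in"` to see the ACL go from untouched to denying the query.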