This looks simple, but I must be missing something. I have the following configuration to block all DNS requests from the inside that are not destined for the allowed external DNS servers.
access-list INSIDE-ACCESS-OUT extended permit udp any object open-dns1 eq domain
access-list INSIDE-ACCESS-OUT extended permit udp any object open-dns2 eq domain
access-list INSIDE-ACCESS-OUT extended permit tcp any object open-dns1 eq domain
access-list INSIDE-ACCESS-OUT extended permit tcp any object open-dns2 eq domain
access-list INSIDE-ACCESS-OUT extended deny udp any any eq domain
access-list INSIDE-ACCESS-OUT extended deny tcp any any eq domain
access-list INSIDE-ACCESS-OUT extended permit ip any any
access-group INSIDE-ACCESS-OUT out interface inside
DNS still reaches any server, and packet tracer does not show the ACL being hit.
Answer 1
Your ACL is applied in the wrong direction. You applied it to packets going out of the inside interface (from the Internet to internal hosts). This should fix it:
no access-group INSIDE-ACCESS-OUT out interface inside
access-group INSIDE-ACCESS-OUT in interface inside
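To make the answer's point concrete, here is an added Python model (not code from the post) of how an interface ACL binding decides whether the ACL is consulted at all, and of the top-down first-match evaluation once it is. The addresses behind open-dns1 and open-dns2 are constructed placeholders, since the question does not show the object definitions.

```python
from collections import namedtuple

# Constructed placeholder addresses for the two "object" names in the post;
# the original question does not show what open-dns1/open-dns2 resolve to.
OBJECTS = {"open-dns1": "208.67.222.222", "open-dns2": "208.67.220.220"}

# The ACL from the question, in order: the ASA evaluates top-down, first match wins.
ACL = [l.split() for l in """
access-list INSIDE-ACCESS-OUT extended permit udp any object open-dns1 eq domain
access-list INSIDE-ACCESS-OUT extended permit udp any object open-dns2 eq domain
access-list INSIDE-ACCESS-OUT extended permit tcp any object open-dns1 eq domain
access-list INSIDE-ACCESS-OUT extended permit tcp any object open-dns2 eq domain
access-list INSIDE-ACCESS-OUT extended deny udp any any eq domain
access-list INSIDE-ACCESS-OUT extended deny tcp any any eq domain
access-list INSIDE-ACCESS-OUT extended permit ip any any
""".split("\n") if l]

# A flow as the firewall sees it: protocol, destination, port, ingress and egress interface.
Packet = namedtuple("Packet", "proto dst dport in_iface out_iface")

def ace_matches(ace, pkt):
    # Token layout: access-list NAME extended ACTION PROTO SRC DST... [eq PORT]
    action, proto, rest = ace[3], ace[4], ace[6:]   # ace[5] is the "any" source
    if proto not in ("ip", pkt.proto):
        return None
    if rest[0] == "object":
        dst_ok, rest = OBJECTS[rest[1]] == pkt.dst, rest[2:]
    else:
        dst_ok, rest = True, rest[1:]               # "any" destination
    port_ok = not rest or (rest[:2] == ["eq", "domain"] and pkt.dport == 53)
    return action if dst_ok and port_ok else None

def evaluate(binding, pkt):
    """binding = (direction, interface) from 'access-group NAME <dir> interface <if>'.
    Returns (decision, matched ACL line number or None)."""
    direction, iface = binding
    consulted = (direction == "in" and pkt.in_iface == iface) or \
                (direction == "out" and pkt.out_iface == iface)
    if not consulted:
        # Nothing filters this path; inside (higher security) to outside is allowed by default.
        return ("permit", None)
    for n, ace in enumerate(ACL, 1):
        act = ace_matches(ace, pkt)
        if act:
            return (act, n)
    return ("deny", None)                           # implicit deny at the end of the ACL

query = Packet("udp", "8.8.8.8", 53, in_iface="inside", out_iface="outside")
print(evaluate(("out", "inside"), query))           # as posted: ('permit', None), ACL never consulted
print(evaluate(("in", "inside"), query))            # after the fix: ('deny', 5)
```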