This seems simple, but I must be missing something. I have the following configuration to block all DNS requests from the inside from going to any external DNS server other than the permitted ones.
access-list INSIDE-ACCESS-OUT extended permit udp any object open-dns1 eq domain
access-list INSIDE-ACCESS-OUT extended permit udp any object open-dns2 eq domain
access-list INSIDE-ACCESS-OUT extended permit tcp any object open-dns1 eq domain
access-list INSIDE-ACCESS-OUT extended permit tcp any object open-dns2 eq domain
access-list INSIDE-ACCESS-OUT extended deny udp any any eq domain
access-list INSIDE-ACCESS-OUT extended deny tcp any any eq domain
access-list INSIDE-ACCESS-OUT extended permit ip any any
access-group INSIDE-ACCESS-OUT out interface inside
DNS can still reach any server, and packet-tracer does not show the ACL being hit.
Your ACL is applied in the wrong direction. You are applying it to packets leaving the inside interface (from the Internet to your inside hosts). This should fix it:
no access-group INSIDE-ACCESS-OUT out interface inside
access-group INSIDE-ACCESS-OUT in interface inside
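To see why the direction matters, here is a small model of how the ASA consults an interface ACL, written as an added example for this thread (it is not code from the original question or answer, and it is not Cisco's implementation). It parses the ACL exactly as posted, applies first-match semantics with the implicit deny at the end, and only consults the ACL when the access-group direction matches the way the packet crosses the inside interface. The object names open-dns1 and open-dns2 are not defined anywhere in the thread, so the model assumes they resolve to 203.0.113.1 and 203.0.113.2; the inside subnet 10.0.0.0/8 and the rogue-resolver address 198.51.100.53 are likewise assumed placeholders.

```python
"""Model of Cisco ASA access-group direction and first-match ACL evaluation.

Added example for this thread; not code from the original post and not the
ASA's own implementation.  Assumptions not present in the thread:
  - object open-dns1 / open-dns2 resolve to 203.0.113.1 and 203.0.113.2
    (documentation addresses chosen only for this model).
  - the inside network is 10.0.0.0/8; it is used only to decide which way a
    packet crosses the inside interface.
  - only the 'any', 'host X' and 'object NAME' address forms are handled.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

OBJECTS = {"open-dns1": "203.0.113.1", "open-dns2": "203.0.113.2"}  # assumed
PORT_NAMES = {"domain": 53}
INSIDE_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed inside subnet

# The ACL as posted in the question.
ACL_TEXT = """\
access-list INSIDE-ACCESS-OUT extended permit udp any object open-dns1 eq domain
access-list INSIDE-ACCESS-OUT extended permit udp any object open-dns2 eq domain
access-list INSIDE-ACCESS-OUT extended permit tcp any object open-dns1 eq domain
access-list INSIDE-ACCESS-OUT extended permit tcp any object open-dns2 eq domain
access-list INSIDE-ACCESS-OUT extended deny udp any any eq domain
access-list INSIDE-ACCESS-OUT extended deny tcp any any eq domain
access-list INSIDE-ACCESS-OUT extended permit ip any any
"""


@dataclass
class Ace:
    action: str           # "permit" or "deny"
    proto: str            # "ip", "udp" or "tcp"
    src: str              # "any" or an address
    dst: str              # "any" or an address
    dport: Optional[int]  # None when the ACE has no 'eq' clause


def _addr(tok: List[str], i: int) -> Tuple[str, int]:
    """Consume one address spec starting at tok[i]; return (addr, next index)."""
    if tok[i] == "any":
        return "any", i + 1
    if tok[i] == "host":
        return tok[i + 1], i + 2
    if tok[i] == "object":
        return OBJECTS[tok[i + 1]], i + 2
    raise ValueError(f"unsupported address spec: {tok[i]}")


def parse_acl(text: str) -> List[Ace]:
    """Parse 'access-list NAME extended ACTION PROTO SRC DST [eq PORT]' lines."""
    aces = []
    for line in text.splitlines():
        tok = line.split()
        if tok[:1] != ["access-list"]:
            continue
        action, proto = tok[3], tok[4]
        src, i = _addr(tok, 5)
        dst, i = _addr(tok, i)
        dport = None
        if i < len(tok) and tok[i] == "eq":
            dport = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
        aces.append(Ace(action, proto, src, dst, dport))
    return aces


def parse_access_group(line: str) -> Tuple[str, str, str]:
    """'access-group NAME in|out interface IFACE' -> (NAME, direction, IFACE)."""
    tok = line.split()
    if len(tok) != 5 or tok[0] != "access-group" or tok[2] not in ("in", "out") \
            or tok[3] != "interface":
        raise ValueError(f"not an access-group line: {line}")
    return tok[1], tok[2], tok[4]


def _matches(ace: Ace, proto: str, src: str, dst: str, dport: int) -> bool:
    return ((ace.proto == "ip" or ace.proto == proto)
            and ace.src in ("any", src)
            and ace.dst in ("any", dst)
            and (ace.dport is None or ace.dport == dport))


def evaluate(aces: List[Ace], proto: str, src: str, dst: str, dport: int):
    """First matching ACE wins; every ACL ends with an implicit deny."""
    for n, ace in enumerate(aces, 1):
        if _matches(ace, proto, src, dst, dport):
            return ace.action, n
    return "deny", None


def check(aces: List[Ace], access_group_dir: str, proto: str, src: str, dst: str, dport: int):
    """Verdict for a packet at the inside interface.

    A packet sent by an inside host enters the ASA on the inside interface,
    which is that interface's 'in' direction.  An ACL bound with
    'out interface inside' only sees packets the ASA sends toward inside
    hosts, so an outbound DNS query is never evaluated against it and passes
    on the default higher-to-lower security policy.
    Returns (verdict, matched ACE number or None, acl_consulted).
    """
    pkt_dir = "in" if ipaddress.ip_address(src) in INSIDE_NET else "out"
    if access_group_dir != pkt_dir:
        return "permit", None, False
    verdict, n = evaluate(aces, proto, src, dst, dport)
    return verdict, n, True


if __name__ == "__main__":
    aces = parse_acl(ACL_TEXT)
    for group in ("access-group INSIDE-ACCESS-OUT out interface inside",
                  "access-group INSIDE-ACCESS-OUT in interface inside"):
        _, direction, _ = parse_access_group(group)
        print(group, "->", check(aces, direction, "udp", "10.1.1.5", "198.51.100.53", 53))
```

With the ACL bound `out`, a query from 10.1.1.5 to the assumed rogue resolver is never evaluated and is permitted, which is exactly the "packet-tracer shows no ACL hit" symptom. Bound `in`, the same query is stopped by ACE 5 (and a TCP/53 query by ACE 6), while queries to the two permitted resolvers match ACEs 1 through 4 and everything else falls through to ACE 7.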