ACL question

Answered Question
Aug 8th, 2007

I have an acl to get all users out to the internet-

access-list Internet_access_out tcp_group_internet_access

access-list Internet_access_out extended permit tcp any any object-group internet_test

access-list Internet_access_out extended permit tcp any any eq www

access-list Internet_access_out extended permit tcp any any eq domain

access-list Internet_access_out extended permit tcp any any eq https

access-list Internet_access_out extended permit tcp any any eq ftp

access-list Internet_access_out extended permit tcp any any eq citrix-ica

access-list Internet_access_out extended permit tcp any any range 2095 2095

access-list Internet_access_out extended permit tcp any any range 9100 9100

When I change the source (any) to the ip address of the proxy server, I get an error message.

4 Aug 08 2007 09:25:29 106023 10.132.129.30 65.54.152.126 Deny tcp src inside:10.132.129.30/50285 dst outside:65.54.152.126/80 by access-group "Internet_access_out" [0x0, 0x0]

I would appreciate any help. Thanks.

acomiskey Wed, 08/08/2007 - 07:43

So you made it like this...

access-list Internet_access_out extended permit tcp host 10.132.129.30 any eq www

and you receive the Deny message above?

acomiskey Wed, 08/08/2007 - 07:54

Well that doesn't make sense does it? Sure that you put "host 10.132.129.30 any" and not "any host 10.132.129.30"? How is the acl applied?

mike.feeney Wed, 08/08/2007 - 08:06

I just changed it to this-

access-list Internet_access_out extended permit tcp host 10.132.129.30 any eq www

Here is the error message-

4 Aug 08 2007 12:08:26 106023 10.132.129.30 199.181.132.250 Deny tcp src inside:10.132.129.30/52112 dst outside:199.181.132.250/80 by access-group "Internet_access_out" [0x0, 0x0]

mike.feeney Wed, 08/08/2007 - 08:16

A little more info-

TFBPCiscoASA(config)# sh run access-g

access-group dbadirect_tunnel1_acl in interface outside

access-group Internet_access_out out interface outside

TFBPCiscoASA(config)# sh run static

static (inside,outside) x.x.x.207 10.132.129.30 netmask 255.255.255.255

The static for the proxy is not the outside interface address.

Correct Answer
Jon Marshall Wed, 08/08/2007 - 08:18

Mike

What happens if you use the Natted address in your access-list, i.e. x.x.x.207 instead of the 10.132.29.30 address?

Jon

Correct Answer
acomiskey Wed, 08/08/2007 - 08:24

Or apply the acl in interface inside instead.

mike.feeney Wed, 08/08/2007 - 08:28

Thank you both for your help. Changing the acl to use the natted address worked.
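The behaviour the thread ran into is ASA order of operations on the 7.x code in use here: an ACL applied "in" on the inside interface is evaluated before NAT and sees the host's real address, while an ACL applied "out" on the outside interface is evaluated after the static translation and sees the mapped (global) address. The 106023 syslog still prints the real inside address, which is why the denied "host 10.132.129.30" entry looked correct. The following is an added illustration, not configuration or code from the thread or from Cisco: a small Python model of that packet path, checked against the original ACL and against both suggested fixes. The mapped address 203.0.113.207 is a constructed stand-in for the redacted x.x.x.207, and the Ace/acl_lookup helpers are this example's own simplified ACL matcher.

```python
"""Model of pre-8.3 ASA ACL evaluation for an inside -> outside flow (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# From the thread: static (inside,outside) x.x.x.207 10.132.129.30
PROXY_REAL = "10.132.129.30"
PROXY_MAPPED = "203.0.113.207"          # constructed placeholder for the redacted x.x.x.207
STATIC_NAT = {PROXY_REAL: PROXY_MAPPED}  # real -> mapped, one-to-one static translation


@dataclass
class Ace:
    """One simplified access-control entry (hypothetical helper, not ASA syntax)."""
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp", ...
    src: str               # "any", "host A.B.C.D" or "A.B.C.D/len"
    dst: str
    dport: Optional[int]   # None matches any destination port ("eq www" -> 80)


def _match_addr(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ip_address(spec[5:]) == ip_address(addr)
    return ip_address(addr) in ip_network(spec, strict=False)


def acl_lookup(acl: List[Ace], proto: str, src: str, dst: str, dport: int) -> str:
    """First-match semantics with the implicit deny at the end of every ACL."""
    for ace in acl:
        if (ace.proto == proto and _match_addr(ace.src, src)
                and _match_addr(ace.dst, dst) and ace.dport in (None, dport)):
            return ace.action
    return "deny"


AccessGroups = Dict[Tuple[str, str], List[Ace]]   # (interface, direction) -> ACL


def forward_inside_to_outside(groups: AccessGroups, proto: str, src: str,
                              dst: str, dport: int) -> Tuple[str, str, str]:
    """Return (verdict, stage, source address the deciding stage compared).

    Stage order modelled: ingress ACL (real address) -> static NAT -> egress ACL
    (mapped address). Traffic from a higher- to a lower-security interface is
    allowed unless an applied ACL denies it.
    """
    acl = groups.get(("inside", "in"))
    if acl and acl_lookup(acl, proto, src, dst, dport) == "deny":
        return "deny", "inside-in", src
    mapped = STATIC_NAT.get(src, src)          # translation happens before the egress ACL
    acl = groups.get(("outside", "out"))
    if acl and acl_lookup(acl, proto, mapped, dst, dport) == "deny":
        return "deny", "outside-out", mapped
    return "permit", "forwarded", mapped


# Constructed flow matching the syslog in the thread: proxy -> 199.181.132.250:80
FLOW = ("tcp", PROXY_REAL, "199.181.132.250", 80)


def scenario_original() -> Tuple[str, str, str]:
    """'permit tcp host 10.132.129.30 any eq www' applied out on outside: real address
    never appears at that stage, so the flow falls through to the implicit deny."""
    groups = {("outside", "out"): [Ace("permit", "tcp", f"host {PROXY_REAL}", "any", 80)]}
    return forward_inside_to_outside(groups, *FLOW)


def scenario_mapped_address() -> Tuple[str, str, str]:
    """Jon Marshall's fix: reference the NATted address in the outbound ACL."""
    groups = {("outside", "out"): [Ace("permit", "tcp", f"host {PROXY_MAPPED}", "any", 80)]}
    return forward_inside_to_outside(groups, *FLOW)


def scenario_acl_on_inside() -> Tuple[str, str, str]:
    """acomiskey's fix: apply the same ACL in on the inside interface, where the
    real address is still visible."""
    groups = {("inside", "in"): [Ace("permit", "tcp", f"host {PROXY_REAL}", "any", 80)]}
    return forward_inside_to_outside(groups, *FLOW)


if __name__ == "__main__":
    for name, fn in [("original", scenario_original),
                     ("mapped address", scenario_mapped_address),
                     ("acl on inside", scenario_acl_on_inside)]:
        print(f"{name:15s} -> {fn()}")
```

Running the block prints a deny for the original ACL and a permit for both fixes. Note which address the deciding stage compared in each tuple: the outbound ACL on the outside interface only ever saw 203.0.113.207, so any entry written against 10.132.129.30 there is dead. When tightening an outbound proxy rule on a pre-8.3 ASA, either write it against the mapped address or apply it inbound on inside, and do not trust the address shown in the 106023 message to tell you which one the ACL compared.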
