ACL question

Aug 8th, 2007

I have an acl to get all users out to the internet-


access-list Internet_access_out tcp_group_internet_access
access-list Internet_access_out extended permit tcp any any object-group internet_test
access-list Internet_access_out extended permit tcp any any eq www
access-list Internet_access_out extended permit tcp any any eq domain
access-list Internet_access_out extended permit tcp any any eq https
access-list Internet_access_out extended permit tcp any any eq ftp
access-list Internet_access_out extended permit tcp any any eq citrix-ica
access-list Internet_access_out extended permit tcp any any range 2095 2095
access-list Internet_access_out extended permit tcp any any range 9100 9100


When I change the source (any) to the IP address of the proxy server, I get an error message.


4 Aug 08 2007 09:25:29 106023 10.132.129.30 65.54.152.126 Deny tcp src inside:10.132.129.30/50285 dst outside:65.54.152.126/80 by access-group "Internet_access_out" [0x0, 0x0]


I would appreciate any help. Thanks.


acomiskey Wed, 08/08/2007 - 07:43

So you made it like this...


access-list Internet_access_out extended permit tcp host 10.132.129.30 any eq www


and you receive the Deny message above?


acomiskey Wed, 08/08/2007 - 07:54

Well that doesn't make sense does it? Sure that you put "host 10.132.129.30 any" and not "any host 10.132.129.30"? How is the acl applied?

mike.feeney Wed, 08/08/2007 - 08:06
I just changed it to this-


access-list Internet_access_out extended permit tcp host 10.132.129.30 any eq www


Here is the error message-


4 Aug 08 2007 12:08:26 106023 10.132.129.30 199.181.132.250 Deny tcp src inside:10.132.129.30/52112 dst outside:199.181.132.250/80 by access-group "Internet_access_out" [0x0, 0x0]

mike.feeney Wed, 08/08/2007 - 08:16

A little more info-


TFBPCiscoASA(config)# sh run access-g
access-group dbadirect_tunnel1_acl in interface outside
access-group Internet_access_out out interface outside
TFBPCiscoASA(config)# sh run static
static (inside,outside) x.x.x.207 10.132.129.30 netmask 255.255.255.255


The static for the proxy is not the outside interface address.

Correct Answer
Jon Marshall Wed, 08/08/2007 - 08:18

Mike


What happens if you use the Natted address in your access-list ie x.x.x.207 instead of the 10.132.129.30 address ?


Jon

Correct Answer
acomiskey Wed, 08/08/2007 - 08:24

Or apply the acl in interface inside instead.

mike.feeney Wed, 08/08/2007 - 08:28

Thank you both for your help. Changing the acl to use the natted address worked.
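As an added example, not part of the thread, the following Python models the behaviour Jon and acomiskey describe: it parses the 106023 deny line and the candidate ACEs, then evaluates the logged flow against the ACL in the two placements discussed. It assumes the order of operations the outcome implies (an ACL applied out on the outside interface is checked after the static NAT and sees the translated source, while one applied in on inside sees the real address) and uses 203.0.113.207 as a stand-in for the masked x.x.x.207.

```python
import re

# Constructed inputs copied from the thread. x.x.x.207 is masked on the page, so
# 203.0.113.207 (a documentation address) stands in for the proxy's NATed address.
STATIC_NAT = {"10.132.129.30": "203.0.113.207"}  # static (inside,outside) x.x.x.207 10.132.129.30
ACE_ANY = "access-list Internet_access_out extended permit tcp any any eq www"
ACE_REAL = "access-list Internet_access_out extended permit tcp host 10.132.129.30 any eq www"
ACE_NAT = "access-list Internet_access_out extended permit tcp host 203.0.113.207 any eq www"
DENY_LOG = ('4 Aug 08 2007 12:08:26 106023 10.132.129.30 199.181.132.250 Deny tcp '
            'src inside:10.132.129.30/52112 dst outside:199.181.132.250/80 '
            'by access-group "Internet_access_out" [0x0, 0x0]')

LOG_RE = re.compile(r'src (?P<sif>\w+):(?P<sip>[\d.]+)/(?P<sport>\d+) '
                    r'dst (?P<dif>\w+):(?P<dip>[\d.]+)/(?P<dport>\d+) '
                    r'by access-group "(?P<acl>[^"]+)"')
ACE_RE = re.compile(r'access-list (?P<acl>\S+) extended (?P<action>permit|deny) tcp '
                    r'(?P<src>any|host \S+) (?P<dst>any|host \S+) eq (?P<port>\w+)')
NAMED_PORTS = {"www": 80, "https": 443, "domain": 53, "ftp": 21}

def parse_log(line):
    """Extract the 5-tuple and ACL name from a 106023 deny message."""
    return LOG_RE.search(line).groupdict()

def parse_ace(line):
    """Parse one extended ACE of the shape used in the thread (tcp ... eq <port>)."""
    ace = ACE_RE.match(line).groupdict()
    p = ace["port"]
    ace["port"] = int(p) if p.isdigit() else NAMED_PORTS[p]
    return ace

def addr_matches(spec, ip):
    return spec == "any" or spec.split()[1] == ip

def evaluate(flow, aces, interface, direction):
    """'permit' or 'deny' for the logged flow against an ACL applied on
    (interface, direction). Modelled assumption: 'out' on outside is checked
    after the static NAT and sees the translated source; 'in' on inside does not."""
    src = flow["sip"]
    if (interface, direction) == ("outside", "out"):
        src = STATIC_NAT.get(src, src)
    for ace in aces:
        if (addr_matches(ace["src"], src) and addr_matches(ace["dst"], flow["dip"])
                and ace["port"] == int(flow["dport"])):
            return ace["action"]
    return "deny"  # implicit deny at the end of every ACL, which is what 106023 logged

if __name__ == "__main__":
    flow = parse_log(DENY_LOG)
    for name, ace in (("any", ACE_ANY), ("real host", ACE_REAL), ("NATed host", ACE_NAT)):
        print(name, "outside/out ->", evaluate(flow, [parse_ace(ace)], "outside", "out"))
    print("real host inside/in ->", evaluate(flow, [parse_ace(ACE_REAL)], "inside", "in"))
```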
