08-08-2007 07:36 AM - edited 03-11-2019 03:55 AM
I have an ACL to get all users out to the internet:
access-list Internet_access_out tcp_group_internet_access
access-list Internet_access_out extended permit tcp any any object-group internet_test
access-list Internet_access_out extended permit tcp any any eq www
access-list Internet_access_out extended permit tcp any any eq domain
access-list Internet_access_out extended permit tcp any any eq https
access-list Internet_access_out extended permit tcp any any eq ftp
access-list Internet_access_out extended permit tcp any any eq citrix-ica
access-list Internet_access_out extended permit tcp any any range 2095 2095
access-list Internet_access_out extended permit tcp any any range 9100 9100
When I change the source (any) to the IP address of the proxy server, I get an error message.
4 Aug 08 2007 09:25:29 106023 10.132.129.30 65.54.152.126 Deny tcp src inside:10.132.129.30/50285 dst outside:65.54.152.126/80 by access-group "Internet_access_out" [0x0, 0x0]
I would appreciate any help. Thanks.
08-08-2007 07:43 AM
So you made it like this...
access-list Internet_access_out extended permit tcp host 10.132.129.30 any eq www
and you receive the Deny message above?
08-08-2007 07:49 AM
yes
08-08-2007 07:54 AM
Well, that doesn't make sense, does it? Sure that you put "host 10.132.129.30 any" and not "any host 10.132.129.30"? How is the ACL applied?
08-08-2007 08:06 AM
I just changed it to this:
access-list Internet_access_out extended permit tcp host 10.132.129.30 any eq www
Here is the error message:
4 Aug 08 2007 12:08:26 106023 10.132.129.30 199.181.132.250 Deny tcp src inside:10.132.129.30/52112 dst outside:199.181.132.250/80 by access-group "Internet_access_out" [0x0, 0x0]
08-08-2007 08:16 AM
A little more info:
TFBPCiscoASA(config)# sh run access-g
access-group dbadirect_tunnel1_acl in interface outside
access-group Internet_access_out out interface outside
TFBPCiscoASA(config)# sh run static
static (inside,outside) x.x.x.207 10.132.129.30 netmask 255.255.255.255
The static for the proxy is not the outside interface address.
08-08-2007 08:18 AM
Mike
What happens if you use the NATed address in your access-list, i.e. x.x.x.207 instead of the 10.132.29.30 address?
Jon
08-08-2007 08:24 AM
Or apply the acl in interface inside instead.
08-08-2007 08:28 AM
Thank you both for your help. Changing the ACL to use the NATed address worked.
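The resolution above comes down to order of operations: on the ASA code of that era (pre-8.3), an ACL bound with `out interface outside` is evaluated after the `static` translation, so it sees the global address, while the 106023 syslog still reports the real inside address. The script below is an added example, not anything posted in the thread; it models that evaluation order for a small subset of ACE syntax, parses the thread's own 106023 line, and shows which of the three bindings discussed (real IP on outside/out, translated IP on outside/out, real IP on inside/in) produce a permit. The global address `x.x.x.207` is masked in the thread, so `203.0.113.207` is used as a placeholder, and the service-name table and the `pre_83` flag are the example's own simplifications.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Service names used in the thread's ACL, mapped to TCP ports.
PORT_NAMES = {"www": 80, "https": 443, "domain": 53, "ftp": 21, "citrix-ica": 1494}

# Constructed stand-in for "static (inside,outside) x.x.x.207 10.132.129.30".
# The real global address is masked in the thread; 203.0.113.207 is a placeholder.
STATIC_NAT = {("inside", "outside"): {"10.132.129.30": "203.0.113.207"}}


@dataclass
class Ace:
    action: str
    proto: str
    src: str                 # CIDR; "any" becomes 0.0.0.0/0
    dst: str
    dport_lo: Optional[int]  # None means "any port"
    dport_hi: Optional[int]


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    ingress: str  # interface the packet arrived on
    egress: str   # interface it will leave on


def _addr(tokens):
    """Consume one address spec (any | host A | A MASK); return (cidr, remaining tokens)."""
    if tokens[0] == "any":
        return "0.0.0.0/0", tokens[1:]
    if tokens[0] == "host":
        return tokens[1] + "/32", tokens[2:]
    return str(ipaddress.ip_network((tokens[0], tokens[1]), strict=False)), tokens[2:]


def parse_ace(line):
    """Parse 'access-list NAME extended permit|deny PROTO SRC DST [eq P | range A B]'."""
    t = line.split()
    if len(t) < 7 or t[0] != "access-list" or t[2] != "extended":
        raise ValueError("unsupported ACE: " + line)
    action, proto = t[3], t[4]
    src, rest = _addr(t[5:])
    dst, rest = _addr(rest)
    lo = hi = None
    if rest and rest[0] == "eq":
        lo = hi = PORT_NAMES[rest[1]] if rest[1] in PORT_NAMES else int(rest[1])
    elif rest and rest[0] == "range":
        lo, hi = int(rest[1]), int(rest[2])
    return Ace(action, proto, src, dst, lo, hi)


def evaluate(acl_lines, bind_direction, bind_interface, pkt, pre_83=True):
    """Walk an ACL bound by 'access-group NAME <in|out> interface IF' for one packet.

    Simplified model: pre-8.3, an ACL evaluated on the egress side ('out') sees the
    packet after static NAT, so the source is the translated address; from 8.3 on,
    ACLs match the real address regardless of binding.
    Returns (verdict, index of the matching ACE, or None for the implicit deny).
    """
    if bind_direction == "in" and bind_interface != pkt.ingress:
        return "not-applicable", None
    if bind_direction == "out" and bind_interface != pkt.egress:
        return "not-applicable", None
    src = pkt.src
    if pre_83 and bind_direction == "out":
        src = STATIC_NAT.get((pkt.ingress, pkt.egress), {}).get(src, src)
    for i, line in enumerate(acl_lines):
        ace = parse_ace(line)
        if ace.proto not in (pkt.proto, "ip"):
            continue
        if ipaddress.ip_address(src) not in ipaddress.ip_network(ace.src):
            continue
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(ace.dst):
            continue
        if ace.dport_lo is not None and not ace.dport_lo <= pkt.dport <= ace.dport_hi:
            continue
        return ace.action, i
    return "deny", None  # implicit deny at the end of every ACL


# %ASA-4-106023 line as quoted in the thread; note it logs the REAL inside address.
LOG_106023 = re.compile(
    r'106023 .*?Deny (?P<proto>\w+) src (?P<sif>\w+):(?P<src>[\d.]+)/\d+ '
    r'dst (?P<dif>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"'
)


def parse_106023(line):
    """Return (Packet, access-group name) from a 106023 deny line, or None."""
    m = LOG_106023.search(line)
    if not m:
        return None
    d = m.groupdict()
    return Packet(d["src"], d["dst"], d["proto"], int(d["dport"]), d["sif"], d["dif"]), d["acl"]


THREAD_LOG = ('4 Aug 08 2007 09:25:29 106023 10.132.129.30 65.54.152.126 Deny tcp '
              'src inside:10.132.129.30/50285 dst outside:65.54.152.126/80 '
              'by access-group "Internet_access_out" [0x0, 0x0]')
ACL_REAL = ["access-list Internet_access_out extended permit tcp host 10.132.129.30 any eq www"]
ACL_XLATED = ["access-list Internet_access_out extended permit tcp host 203.0.113.207 any eq www"]


def reproduce():
    """Evaluate the thread's packet against each ACL/binding combination discussed."""
    pkt, _ = parse_106023(THREAD_LOG)
    return {
        "real ip, out/outside, pre-8.3": evaluate(ACL_REAL, "out", "outside", pkt)[0],
        "xlated ip, out/outside, pre-8.3": evaluate(ACL_XLATED, "out", "outside", pkt)[0],
        "real ip, in/inside, pre-8.3": evaluate(ACL_REAL, "in", "inside", pkt)[0],
        "real ip, out/outside, 8.3+": evaluate(ACL_REAL, "out", "outside", pkt, pre_83=False)[0],
    }


if __name__ == "__main__":
    for case, verdict in reproduce().items():
        print(f"{case:34s} -> {verdict}")
```

The first case reproduces the deny from the thread, the second is Jon's fix, and the third is the `in interface inside` alternative; both fixes work because they match the address the ACL actually sees at its binding point. The last case shows why the same `host 10.132.129.30` ACE would have worked on 8.3 and later.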