Hi, I have this config attached. For some reason I can resolve DNS of web sites etc. If I put the IP of the website in, it works. I'm sure it's something to do with access-list 101. Hope you can advise.
Also MSN won't work.
If I add access-list 101 permit ip any any
all works, but makes everything unsecure?
What you need is an IPSec rule. ip inspect will examine TCP and UDP but does not examine protocols like ESP (which is IP protocol 50 and the foundation of IPSec). This is what is being denied by the access list:
list 101 denied 50 188.8.131.52 -> 184.108.40.206, 109 packets
Note that "denied 50" indicates denied protocol 50 = ESP. So you will need to add a rule in access list 101 to permit ESP (protocol 50) traffic. Then this issue should be solved.
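As an added example (not part of the thread and not any poster's own text), here is a small Python script that parses IOS access-list denial log lines like the one quoted above, totals the dropped packets per ACL, protocol and flow, and emits the narrowest extended-ACL permit line that would have covered the blocked flow, instead of the blanket `permit ip any any` the original poster tried. The first sample line is the one from the thread; the other sample lines are constructed. The `esp` and `ahp` protocol keywords are the standard IOS extended-ACL names for IP protocols 50 and 51.

```python
import re
from collections import Counter

# IANA protocol numbers mapped to the keyword IOS extended ACLs use for them.
# ip inspect (CBAC) tracks TCP/UDP sessions; ESP (50) and AH (51) are not
# session-tracked, so they must be permitted explicitly in the inbound ACL.
IP_PROTO_KEYWORDS = {1: "icmp", 2: "igmp", 6: "tcp", 17: "udp", 47: "gre", 50: "esp", 51: "ahp"}

# Matches the payload of IOS %SEC-6-IPACCESSLOGNP / IPACCESSLOGP messages:
#   "list <acl> denied <proto> <src>[(port)] -> <dst>[(port)], <n> packet(s)"
LOG_RE = re.compile(
    r"list (?P<acl>\S+) denied (?P<proto>\S+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\(\d+\))? -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\(\d+\))?, (?P<count>\d+) packets?"
)

# Constructed sample log; the first line is the one quoted in the thread.
SAMPLE_LOG = [
    "list 101 denied 50 188.8.131.52 -> 184.108.40.206, 109 packets",
    "%SEC-6-IPACCESSLOGNP: list 101 denied 50 188.8.131.52 -> 184.108.40.206, 12 packets",  # constructed
    "%SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.9(4432) -> 203.0.113.5(445), 1 packet",  # constructed
    "some unrelated line that should be ignored",  # constructed
]


def parse_denial(line):
    """Return a dict describing one denial, or None if the line is not a denial."""
    m = LOG_RE.search(line)
    if not m:
        return None
    proto = m.group("proto")
    if proto.isdigit():
        # Non-TCP/UDP denials are logged by protocol number; translate to the ACL keyword.
        num = int(proto)
        proto = IP_PROTO_KEYWORDS.get(num, str(num))  # unknown numbers stay numeric (valid in IOS ACLs)
    return {
        "acl": m.group("acl"),
        "proto": proto.lower(),
        "src": m.group("src"),
        "dst": m.group("dst"),
        "count": int(m.group("count")),
    }


def summarize(lines):
    """Total dropped packets per (acl, protocol, src, dst) across all denial lines."""
    totals = Counter()
    for line in lines:
        d = parse_denial(line)
        if d is not None:
            totals[(d["acl"], d["proto"], d["src"], d["dst"])] += d["count"]
    return totals


def narrow_permit(acl, proto, src, dst):
    """Narrowest extended-ACL line that would allow exactly this host-to-host flow.
    Ports are deliberately not carried over for tcp/udp; CBAC already opens those
    return paths dynamically, so a static permit is only needed for ESP/AH/GRE-style traffic."""
    return f"access-list {acl} permit {proto} host {src} host {dst}"


def report(lines):
    """Human-readable summary plus the suggested permit per blocked flow."""
    out = []
    for (acl, proto, src, dst), count in sorted(summarize(lines).items()):
        out.append(f"ACL {acl} dropped {count} {proto} packets {src} -> {dst}")
        out.append("  suggested: " + narrow_permit(acl, proto, src, dst))
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

The point of `narrow_permit` is that the fix for the ESP drops is one line scoped to the peer pair (`access-list 101 permit esp host 188.8.131.52 host 184.108.40.206`), which keeps the inspection-based firewall intact for everything else.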
I do believe that putting external DNS servers into the scope is a good solution. I am glad that things are now working as expected.