07-31-2008 04:11 PM - edited 03-06-2019 12:33 AM
Hi,
I have a subnet in a remote site which I am trying to allow access to the Internet via our head office site.
I want to prevent this subnet accessing anything in the head office network (10.2.0.0/12) except for the PIX obviously.
I put an inbound ACL on the WAN interface of our head office router which permits the remote subnet to access the LAN interface of our PIX at head office.
It works because I can ping the PIX from that subnet, but that's about all I can do. I can't get to the Internet (can't ping by name or IP) and I am at a loss as to why this is the case.
When I look at IP access-accounting (or similar) it tells me that it is denying access to the IP addresses of internet DNS servers I am using, so I am assuming the ACL is too restrictive.
Also, if there is no ACL, this works perfectly (except that the remote subnet has full access to head office).
Any help is appreciated.
07-31-2008 07:03 PM
That is because at the end of each ACL there is an **implicit DENY**
so try to put another line at the end of your ACL like
permit ip any any
everything will work
HOWEVER you don't want the remote site to use the internal network, so if the internal network (I mean the HQ) is accessible through the router
just add a deny statement
so your access-list should be like the following (but not exactly, this is only an example)
access-list 100 deny ip (remote net) (remote net wildcard) 10.2.0.0 0.15.255.255
access-list 100 permit ip any any
in this manner you put what you want to deny first, then permit any
unless you want to permit only specific things, which is more secure; in this case you put in your ACL exactly what you want to permit, then deny any
but try the above example
and about your problem again: because there is an implicit deny all at the end of each ACL group, you need to put a permit statement to allow the traffic
good luck
Please, rate if helpful
07-31-2008 09:11 PM
So what you are saying is to put an ACL along the lines of
deny ip (remote network) (remote mask) (HO Network) (HO Mask)
permit ip any any
This will block the specific remote subnet accessing our HO network, but allow the other subnets to access HO.
Doesn't this cause a problem with our PIX being in the list of denied IP addresses? Or doesn't it matter because the clients are not talking to the PIX, they are talking through it?
Thanks very much, it seems like this might be the answer!
Cheers,
Luke
07-31-2008 09:17 PM
To make sure the users also have connectivity to your PIX (because I have no idea about your addressing), do the following:
first line
permit ip (remote network) (remote mask) host (pix ip address)
then
deny ip (remote network) (remote mask) (HO Network) (HO Mask)
permit ip any any
this way you will make sure the users have connectivity with the PIX
good luck
please, if helpful Rate
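The behaviour being discussed in this thread (first-match evaluation, the implicit deny at the end of every IOS ACL, and why the "permit host PIX" line has to come before the "deny remote -> HO" line) can be checked offline with a small simulator. The following is an added example written for this page, not code from the thread or from Cisco; it models only plain "permit/deny ip" entries with address/wildcard, host and any, no port matching. All addresses are constructed: 192.0.2.0/24 stands in for the remote subnet, 10.2.0.1 is a placeholder for the PIX inside address, 198.51.100.53 for an Internet DNS server and 203.0.113.5 for some other branch that is still allowed into head office.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

IMPLICIT_DENY = "deny (implicit)"   # what IOS does when no ACE matches


@dataclass
class Ace:
    """One access-control entry: action plus source and destination networks."""
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    text: str


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.X.Y.Z' starting at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    mask = ipaddress.IPv4Address(~wildcard & 0xFFFFFFFF)   # wildcard -> netmask
    # strict=False: "10.2.0.0 0.15.255.255" normalises to 10.0.0.0/12, as IOS treats it
    return ipaddress.IPv4Network((tok, str(mask)), strict=False), i + 2


def parse_acl(lines: List[str]) -> List[Ace]:
    """Accepts 'access-list N permit ip ...' or bare 'permit ip ...' lines."""
    acl = []
    for line in lines:
        t = line.split()
        if t[0] == "access-list":
            t = t[2:]
        action, proto = t[0], t[1]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"unsupported ACE (only permit/deny ip modelled): {line}")
        src, i = _parse_addr(t, 2)
        dst, _ = _parse_addr(t, i)
        acl.append(Ace(action, src, dst, line))
    return acl


def evaluate(acl: List[Ace], src: str, dst: str) -> str:
    """First matching entry wins; no match at all means the implicit deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for ace in acl:
        if s in ace.src and d in ace.dst:
            return ace.action
    return IMPLICIT_DENY


# Constructed scenarios: (name, source, destination)
SCENARIOS = [
    ("remote_to_pix", "192.0.2.10", "10.2.0.1"),
    ("remote_to_dns", "192.0.2.10", "198.51.100.53"),
    ("remote_to_ho_host", "192.0.2.10", "10.2.5.7"),
    ("other_branch_to_ho", "203.0.113.5", "10.2.5.7"),
]

# What the original poster had: only the PIX permitted, everything else hits implicit deny
ORIGINAL_ACL = parse_acl([
    "access-list 100 permit ip 192.0.2.0 0.0.0.255 host 10.2.0.1",
])

# The ordering recommended in the thread: permit PIX, deny remote -> HO, permit the rest
FIXED_ACL = parse_acl([
    "access-list 100 permit ip 192.0.2.0 0.0.0.255 host 10.2.0.1",
    "access-list 100 deny ip 192.0.2.0 0.0.0.255 10.2.0.0 0.15.255.255",
    "access-list 100 permit ip any any",
])

# Same three lines with the deny placed first: the PIX line is shadowed
MISORDERED_ACL = parse_acl([
    "access-list 100 deny ip 192.0.2.0 0.0.0.255 10.2.0.0 0.15.255.255",
    "access-list 100 permit ip 192.0.2.0 0.0.0.255 host 10.2.0.1",
    "access-list 100 permit ip any any",
])


def verdicts(acl: List[Ace]) -> Dict[str, str]:
    """Run every scenario through an ACL and return name -> verdict."""
    return {name: evaluate(acl, s, d) for name, s, d in SCENARIOS}


if __name__ == "__main__":
    for label, acl in (("original", ORIGINAL_ACL), ("fixed", FIXED_ACL),
                       ("misordered", MISORDERED_ACL)):
        print(label, verdicts(acl))
```

The "original" run reproduces the symptom in the first post (DNS traffic denied by the implicit deny while pings to the PIX succeed), the "fixed" run shows the recommended three-line ordering giving Internet access without head-office access, and the "misordered" run shows why the host permit must precede the subnet deny.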
07-31-2008 09:12 PM
I think you can do it another way too: apply an ACL for your remote network on the HO WAN router in the inbound direction.
It should be like
Access-list extended deny tcp any 10.2.0.0 0.0.255.255 eq www
Access-list extended deny tcp any 10.2.0.0 0.0.255.255 eq http
Access-list extended permit tcp any any eq www
Access-list extended permit tcp any any eq http
Access-list extended deny ip any any
08-03-2008 08:03 PM
Thank you, your way of thinking to deny the specific ranges accessing HO, then permit everything else, has worked.
We tested this and the Internet access is fine but there is no access to the head office network, which is exactly what we were trying to accomplish.
Thanks again,
Luke
08-03-2008 08:40 PM
I am glad it's working.. :)
then
Please Rate the helpful post