ACL permit www, block internet access?!

Answered Question
Apr 10th, 2009

Hi guys,

I've configured the ASA with a normal setup, inside and outside, and all inside users can browse the internet smoothly without an access list.

I wanted to add an access list to allow only http, https and some other services, and block the others.

When I add the first access list entry "access-list inside_acl extended permit tcp any any eq www" and apply it on the inside interface, users cannot browse the INTERNET...

By removing it, everything works fine.

Please note that there is not a single deny ACL.

Any answer why? What should I do?

Regards,

mdombek_biz Sat, 04/11/2009 - 01:14

Without better information it is a rough guess. Where do your users get their DNS information from? If they are using an external DNS server, they can't access this server anymore with your access list.

Apply your ACL once again and try to allow access to this external DNS server; I guess now it will work. If not, please post some more information.

Cheers

Michael

ramikamel911 Sat, 04/11/2009 - 07:52

Hi Michael,

Thanks for the reply.

Actually they are using an internal DNS server which redirects users to a public DNS server.

I already enabled DNS in my ACL, "permit eq domain".

The following is the exact ACL I applied:

access-list inside_acl extended permit tcp any any eq www
access-list inside_acl extended permit tcp any any eq domain
access-list inside_acl extended permit tcp any any eq http
access-list inside_acl extended permit tcp any any eq ftp
access-list inside_acl extended permit tcp any any eq ldap
access-list inside_acl extended permit tcp any any eq pop3
access-list inside_acl extended permit tcp any any eq telnet
access-list inside_acl extended permit tcp any any eq echo

Regards,

Rami



mdombek_biz Sun, 04/12/2009 - 03:04

Hmm, ok, this is strange. Could you please post a bit more (a configuration would be great)?

Cheers, Michael

ramikamel911 Fri, 04/17/2009 - 05:52

Hi Michael,

Thanks for your assistance.

It's solved by adding:

access-list inside_acl extended permit udp any any eq 53

Regards,


roshan.maskey Sat, 04/11/2009 - 03:30

Hi,

Use the following ACL to allow http and https traffic:

access-list inside_acl extended permit udp any any eq 53
access-list inside_acl extended permit tcp any any eq http
access-list inside_acl extended permit tcp any any eq https

access-group inside_acl in interface inside

Also, check that the service-policy associated with the inside interface has http inspected.

Regards

Roshan

ramikamel911 Sat, 04/11/2009 - 07:55

Hi Roshan,

Actually, I already did this, but with "eq domain" instead of 53. The following is the exact ACL I applied:

access-list inside_acl extended permit tcp any any eq www
access-list inside_acl extended permit tcp any any eq domain
access-list inside_acl extended permit tcp any any eq http
access-list inside_acl extended permit tcp any any eq ftp
access-list inside_acl extended permit tcp any any eq ldap
access-list inside_acl extended permit tcp any any eq pop3
access-list inside_acl extended permit tcp any any eq telnet
access-list inside_acl extended permit tcp any any eq echo

Regards,

Rami



Correct Answer
roshan.maskey Sun, 04/12/2009 - 17:27

Hi Rami,

Could you try to ping outside (a public network) using an IP address rather than a name? If it works, then it is definitely a DNS issue.

Although DNS queries support both TCP and UDP, they are normally done over UDP, so try adding this as the first line:

access-list inside_acl extended permit udp any any eq domain

Cheers

Roshan
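
As an added example (not part of the thread and not the ASA's own code), the following Python script models the behaviour behind the fix: an applied ASA ACL is evaluated top-down, first match wins, and anything that matches no entry hits the implicit deny at the end. It parses the ACEs Rami posted into an ordered list, then evaluates a UDP/53 DNS query and a few other flows against them before and after the "permit udp any any eq domain" line is added. The port-name table and the ACE grammar it accepts are assumptions that cover only the syntax used in this thread, and the sample ACLs are constructed from the posts above.

```python
"""
Toy first-match evaluator for Cisco ASA style extended ACLs.

Assumptions (not the ASA's real parser): only the ACE shape used in this
thread is accepted, `access-list NAME extended {permit|deny} {tcp|udp}
any any eq PORT`, and PORT_NAMES is a small hand-picked subset of the
service names the ASA resolves in `eq`.
"""
import re
from dataclasses import dataclass

# Assumed name-to-port table (subset of what ASA accepts after 'eq').
PORT_NAMES = {
    "www": 80, "http": 80, "https": 443, "domain": 53, "ftp": 21,
    "ldap": 389, "pop3": 110, "telnet": 23, "echo": 7,
}

ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+(?P<action>permit|deny)\s+"
    r"(?P<proto>tcp|udp)\s+any\s+any\s+eq\s+(?P<port>\S+)\s*$"
)


@dataclass(frozen=True)
class Ace:
    action: str   # "permit" or "deny"
    proto: str    # "tcp" or "udp"
    port: int     # destination port the ACE matches


def parse_acl(config: str, name: str) -> list:
    """Collect the ACEs of ACL `name` in the order they appear.

    Order matters: the ASA walks the list top-down and stops at the first
    ACE whose protocol and destination port match the packet.
    """
    aces = []
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if not m or m["name"] != name:
            continue          # other ACLs, access-group lines, blanks
        port = m["port"]
        port_num = int(port) if port.isdigit() else PORT_NAMES[port]
        aces.append(Ace(m["action"], m["proto"], port_num))
    return aces


def evaluate(aces: list, proto: str, dport: int) -> str:
    """Return the verdict for a flow: first matching ACE wins.

    An ACL applied with access-group ends with an implicit deny, so a
    packet that matches no ACE is dropped even though no deny was typed.
    """
    for ace in aces:
        if ace.proto == proto and ace.port == dport:
            return ace.action
    return "deny (implicit)"


# Constructed from the ACL Rami posted above (TCP-only entries).
RAMI_ACL = """
access-list inside_acl extended permit tcp any any eq www
access-list inside_acl extended permit tcp any any eq domain
access-list inside_acl extended permit tcp any any eq http
access-list inside_acl extended permit tcp any any eq ftp
access-list inside_acl extended permit tcp any any eq ldap
access-list inside_acl extended permit tcp any any eq pop3
access-list inside_acl extended permit tcp any any eq telnet
access-list inside_acl extended permit tcp any any eq echo
access-group inside_acl in interface inside
"""

# Same ACL with the UDP DNS line from the accepted answer added first.
FIXED_ACL = "access-list inside_acl extended permit udp any any eq domain\n" + RAMI_ACL

# Flows a client generates while opening a web page by name.
SAMPLE_FLOWS = [
    ("udp", 53),   # the DNS lookup that precedes every browse by name
    ("tcp", 53),   # DNS over TCP, used for large answers and zone transfers
    ("tcp", 80),   # HTTP
    ("tcp", 443),  # HTTPS, not in Rami's list at all
]

if __name__ == "__main__":
    for label, cfg in (("posted ACL", RAMI_ACL), ("with udp domain", FIXED_ACL)):
        aces = parse_acl(cfg, "inside_acl")
        print(f"{label}: {len(aces)} ACEs")
        for proto, dport in SAMPLE_FLOWS:
            print(f"  {proto}/{dport:<4} -> {evaluate(aces, proto, dport)}")
```

Running it shows why browsing died with "no single deny" configured: the client's UDP/53 query matches none of the eight TCP entries and falls through to the implicit deny, so names never resolve, while TCP/80 itself is permitted. Two side points the script makes visible: "www" and "http" both resolve to port 80, so those two ACEs are redundant, and HTTPS (443) is absent from the posted list and would have been blocked by the same implicit deny once DNS was fixed.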

ramikamel911 Thu, 04/16/2009 - 14:19


Hi Roshan,

It's solved by entering the UDP DNS ACL:

"access-list inside_acl extended permit udp any any eq domain"

Thank you
