ACL permit www, block internet access?!

ramikamel911
Level 1

Hi guys,

I've configured the ASA with a normal setup (inside, outside), and all inside users can browse the internet smoothly without an access list.

I wanted to add an access list to allow only HTTP, HTTPS and some other services, and block everything else.

When I add the first access list entry, "access-list inside_acl extended permit tcp any any eq www", and apply it on the inside interface, users cannot browse the INTERNET...

By removing it, everything works fine.

Please note that there is no single deny ACL.

Any answer why? What should I do?

Regards,

1 Accepted Solution (Roshan's reply below)

8 Replies

mdombek_biz
Level 1

Without better information it is a rough guess. Where do your users get their DNS information from? If they are using an external DNS server, they can't access this server anymore with your access list.

Apply your ACL once again and try to allow access to this external DNS server; I guess now it will work. If not, please post some more information.

Cheers

Michael

Hi Michael,

Thanks for the reply.

Actually, they are using an internal DNS server, which redirects users to a public DNS server.

I already enabled DNS in my ACL, "permit eq domain".

The following are the exact ACLs I applied:

access-list inside_acl extended permit tcp any any eq www

access-list inside_acl extended permit tcp any any eq domain

access-list inside_acl extended permit tcp any any eq http

access-list inside_acl extended permit tcp any any eq ftp

access-list inside_acl extended permit tcp any any eq ldap

access-list inside_acl extended permit tcp any any eq pop3

access-list inside_acl extended permit tcp any any eq telnet

access-list inside_acl extended permit tcp any any eq echo

Regards,

Rami

Hmm, ok, this is strange. Could you please post a bit more (a configuration would be great)?

Cheers, Michael

Hi Michael,

Thanks for your assistance.

It's solved by adding:

access-list inside_acl extended permit udp any any eq 53

Regards,

roshan.maskey
Level 1

Hi,

Use the following ACL to allow HTTP and HTTPS traffic:

access-list inside_acl extended permit udp any any eq 53

access-list inside_acl extended permit tcp any any eq http

access-list inside_acl extended permit tcp any any eq https

access-group inside_acl in interface inside

Also, check that the service-policy associated with the inside interface has HTTP inspected.

Regards

Roshan

Hi Roshan,

Actually, I already did this, but with "eq domain" instead of 53. The following are the exact ACLs I applied:

access-list inside_acl extended permit tcp any any eq www

access-list inside_acl extended permit tcp any any eq domain

access-list inside_acl extended permit tcp any any eq http

access-list inside_acl extended permit tcp any any eq ftp

access-list inside_acl extended permit tcp any any eq ldap

access-list inside_acl extended permit tcp any any eq pop3

access-list inside_acl extended permit tcp any any eq telnet

access-list inside_acl extended permit tcp any any eq echo

Regards,

Rami

Hi Rami,

Could you try to ping the outside (public network) using an IP address rather than a name? If it works, then it is definitely a DNS issue.

Although DNS queries support both TCP and UDP, they are normally done over UDP, so try adding this as the first line:

access-list inside_acl extended permit udp any any eq domain

Cheers

Roshan

Hi Roshan,

It's solved by entering the UDP DNS ACL:

"access-list inside_acl extended permit udp any any eq domain"

Thank you
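The failure mode in this thread (TCP-only permits plus the implicit deny at the end of every ASA ACL silently dropping UDP/53 resolver traffic) as an added example, not code from the thread or from Cisco: a small first-match ACL evaluator over the "any any [eq port]" ACE form used above. The service-name table and the flow names are assumptions made for the example.

```python
import re

# Service names used in the thread, mapped to the ports ASA resolves them to (constructed subset).
SERVICE_PORTS = {"www": 80, "http": 80, "https": 443, "domain": 53, "ftp": 21,
                 "ldap": 389, "pop3": 110, "telnet": 23, "echo": 7}

# Only the "<proto> any any [eq <port>]" ACE form from the thread is modelled here.
ACE_RE = re.compile(r"^access-list\s+\S+\s+extended\s+(permit|deny)\s+(tcp|udp|ip)"
                    r"\s+any\s+any(?:\s+eq\s+(\S+))?$")

def parse_acl(lines):
    """Parse ACEs in listed order; the ASA evaluates an ACL first-match, top to bottom."""
    aces = []
    for line in lines:
        m = ACE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported ACE: {line!r}")
        action, proto, svc = m.groups()
        port = None
        if svc is not None:
            port = int(svc) if svc.isdigit() else SERVICE_PORTS[svc]  # KeyError on unknown name
        aces.append((action, proto, port))
    return aces

def lookup(aces, proto, dst_port):
    """Return the action of the first matching ACE; no match hits the implicit deny."""
    for action, ace_proto, ace_port in aces:
        if ace_proto in (proto, "ip") and ace_port in (None, dst_port):
            return action
    return "deny"

def web_browsing_verdict(acl_lines):
    """A browser first resolves the name (UDP/53 by default), then connects on TCP/80."""
    aces = parse_acl(acl_lines)
    return {"dns_udp53": lookup(aces, "udp", 53),
            "dns_tcp53": lookup(aces, "tcp", 53),
            "http_tcp80": lookup(aces, "tcp", 80)}

# Rami's original entries (subset) and the fix from the accepted answer, UDP DNS placed first.
RAMI_ACL = [
    "access-list inside_acl extended permit tcp any any eq www",
    "access-list inside_acl extended permit tcp any any eq domain",
    "access-list inside_acl extended permit tcp any any eq ftp",
]
FIXED_ACL = ["access-list inside_acl extended permit udp any any eq domain"] + RAMI_ACL

if __name__ == "__main__":
    print("original:", web_browsing_verdict(RAMI_ACL))  # dns_udp53 is denied, so names never resolve
    print("fixed:   ", web_browsing_verdict(FIXED_ACL))
```

Because the deny is implicit, the ASA shows no explicit deny ACE in the configuration; the dropped resolver packets only show up in the hit counts of the implicit deny or in `%ASA-4-106023` style deny logs, which is why checking with a ping by IP address first (as Roshan suggests) isolates DNS from connectivity.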
