04-10-2009 08:29 AM - edited 03-11-2019 08:17 AM
Hi guys,
I've configured the ASA with a normal setup, inside and outside, and all inside users can browse the internet smoothly without an access list.
I wanted to add some access lists to allow only http, https, and some other services, and block the others.
When I add the first access list "access-list inside_acl extended permit tcp any any eq www" and apply it on the inside interface, users cannot browse the INTERNET...
By removing it, everything works fine.
Please note that there is no single deny ACL.
Any answer why? What should I do?
Regards,
04-12-2009 05:27 PM
Hi Rami,
Could you try to ping outside (public network) using an IP address rather than a name? If it works then it is definitely a DNS issue.
Although DNS queries support both TCP and UDP, they are normally done with the UDP protocol, so try to add this as the first line:
access-list inside_acl extended permit udp any any eq domain
Cheers
Roshan
04-11-2009 01:14 AM
Without better information it is a rough guess. Where do your users get their DNS information from? If they are using an external DNS server, they can't access this server anymore with your access list.
Apply your ACL once again and try to allow access to this external DNS server; I guess now it will work. If not, please post some more information.
cheers
Michael
04-11-2009 07:52 AM
Hi Michael,
Thanks for the reply.
Actually, they are using an internal DNS server which redirects users to a public DNS server.
I already enabled DNS in my ACL, "permit eq domain".
Following are the exact ACLs I applied:
access-list inside_acl extended permit tcp any any eq www
access-list inside_acl extended permit tcp any any eq domain
access-list inside_acl extended permit tcp any any eq http
access-list inside_acl extended permit tcp any any eq ftp
access-list inside_acl extended permit tcp any any eq ldap
access-list inside_acl extended permit tcp any any eq pop3
access-list inside_acl extended permit tcp any any eq telnet
access-list inside_acl extended permit tcp any any eq echo
Regards,
Rami
04-12-2009 03:04 AM
Hmm ok, this is strange. Could you please post a bit more (a configuration would be great)?
Cheers
Michael
04-17-2009 05:52 AM
Hi Michael,
Thanks for your assistance.
It's solved by adding:
access-list inside_acl extended permit udp any any eq 53
Regards,
04-11-2009 03:30 AM
Hi,
Use the following ACL to allow http and https traffic:
access-list inside_acl extended permit udp any any eq 53
access-list inside_acl extended permit tcp any any eq http
access-list inside_acl extended permit tcp any any eq https
access-group inside_acl in interface inside
Also, check that the service-policy associated with the inside interface has http inspected.
Regards
Roshan
04-11-2009 07:55 AM
Hi Roshan,
Actually, I already did this but with "eq domain" instead of 53. Following are the exact ACLs I applied:
access-list inside_acl extended permit tcp any any eq www
access-list inside_acl extended permit tcp any any eq domain
access-list inside_acl extended permit tcp any any eq http
access-list inside_acl extended permit tcp any any eq ftp
access-list inside_acl extended permit tcp any any eq ldap
access-list inside_acl extended permit tcp any any eq pop3
access-list inside_acl extended permit tcp any any eq telnet
access-list inside_acl extended permit tcp any any eq echo
Regards,
Rami
04-16-2009 02:19 PM
Hi Roshan,
It's solved by entering the UDP DNS ACL
"access-list inside_acl extended permit udp any any eq domain"
Thank you
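An added check, not from the thread or from Cisco, that parses a handful of ASA "access-list NAME extended" lines with first-match and implicit-deny semantics and reports when an inbound ACL permits DNS only over TCP, which is exactly the mistake above (resolvers query over UDP, so "permit tcp any any eq domain" alone breaks browsing). The service-name table and the sample ACL are constructed subsets for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed subset of the service keywords the ASA accepts after "eq".
SERVICE_PORTS = {"www": 80, "http": 80, "https": 443, "domain": 53, "ftp": 21,
                 "ldap": 389, "pop3": 110, "telnet": 23, "echo": 7}

@dataclass(frozen=True)
class Ace:
    acl: str
    action: str          # "permit" or "deny"
    proto: str           # "tcp", "udp" or "ip"
    port: Optional[int]  # None = any destination port

def _skip_addr(tok: List[str]) -> List[str]:
    # Address forms handled here: "any", "host A.B.C.D", or "NETWORK MASK".
    return tok[1:] if tok[0] == "any" else tok[2:]

def parse_ace(line: str) -> Optional[Ace]:
    """Parse one 'access-list NAME extended ACTION PROTO SRC DST [eq PORT]' line."""
    tok = line.split()
    if len(tok) < 7 or tok[0] != "access-list" or tok[2] != "extended":
        return None
    rest = _skip_addr(_skip_addr(tok[5:]))       # drop source and destination
    port = None
    if len(rest) >= 2 and rest[0] == "eq":
        port = int(rest[1]) if rest[1].isdigit() else SERVICE_PORTS[rest[1]]
    return Ace(tok[1], tok[3], tok[4], port)

def permits(aces: List[Ace], proto: str, port: int) -> bool:
    """First matching ACE wins; no match means the implicit deny at the end applies."""
    for a in aces:
        if a.proto in (proto, "ip") and a.port in (None, port):
            return a.action == "permit"
    return False

def dns_findings(config: str, acl_name: str) -> List[str]:
    """Explain why name resolution would fail for clients behind ACL acl_name."""
    aces = [a for a in map(parse_ace, config.splitlines()) if a and a.acl == acl_name]
    findings = []
    if not permits(aces, "udp", 53):
        findings.append("UDP/53 not permitted: resolvers query over UDP, so lookups "
                        "fail even though TCP/53 may be allowed")
    if not permits(aces, "tcp", 53):
        findings.append("TCP/53 not permitted: responses too large for UDP fail")
    return findings

# Constructed sample: the thread's ACL without and then with the UDP line.
RAMI_ACL = ("access-list inside_acl extended permit tcp any any eq www\n"
            "access-list inside_acl extended permit tcp any any eq domain\n"
            "access-list inside_acl extended permit tcp any any eq https\n")
FIXED_ACL = "access-list inside_acl extended permit udp any any eq 53\n" + RAMI_ACL
```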