Access-List Question with nonat statement

Answered Question
Aug 4th, 2009

I was hoping to allow my local LAN (192.168.60.x) the ability to access the internet through my ASA 5505 while still maintaining the VPN tunnel that is required. I just recently added a number of access-lists to my config, which resulted in internet access being cut off. Before the access lists were added, I had some nonat statements in the config which did allow internet access.

Clearly there is an access list line that I'm not adding. I thought about:

access-list inside_acl extended permit ip 192.168.60.0 255.255.255.0 any

But was reluctant as I didn't want to open up too much. Was hoping to get an opinion from someone more knowledgeable than myself.

Any thoughts would be much appreciated.

Config file attached.

acomiskey Tue, 08/04/2009 - 07:10

Your access-list inside_acl is allowing specific ports to your remote vpn networks, then the last line is "deny ip any any" which is denying everything else, including internet access. You could lay it out like this...

access-list inside_acl extended permit tcp 192.168.60.0 255.255.255.0 192.168.40.0 255.255.255.0 eq ssh

access-list inside_acl extended permit tcp 192.168.60.0 255.255.255.0 192.168.40.0 255.255.255.0 eq www

access-list inside_acl extended permit tcp 192.168.60.0 255.255.255.0 192.168.40.0 255.255.255.0 eq 3389

access-list inside_acl extended permit tcp 192.168.60.0 255.255.255.0 192.168.40.0 255.255.255.0 eq cifs

access-list inside_acl extended permit tcp 192.168.60.0 255.255.255.0 192.168.40.0 255.255.255.0 eq 5900

access-list inside_acl extended deny ip 192.168.60.0 255.255.255.0 192.168.40.0 255.255.255.0

Do the same for your other vpn networks, then add your permit for internet access at the end.

access-list inside_acl extended permit ip 192.168.60.0 255.255.255.0 any

cavemanbobby Tue, 08/04/2009 - 08:52

Great call. I'll probably try this method in conjunction with only allowing 80, 53, and 443 for the local LAN, instead of 'any', as I'd like to restrict things a bit more.

Good stuff. Thx.

Correct Answer
Collin Clark Tue, 08/04/2009 - 07:10

Your NATs are OK and it is indeed your inside_acl that is blocking your web browsing. Your permit ip any any will work, but as you stated, it's quite insecure. Try something like this:

access-list inside_acl extended permit tcp 192.168.60.0 255.255.255.0 any eq 80

access-list inside_acl extended permit tcp 192.168.60.0 255.255.255.0 any eq 443

This will allow you to surf HTTP and HTTPS. You may need to add DNS too.

Hope that helps.

cavemanbobby Tue, 08/04/2009 - 08:57

Perfect. I wasn't sure if restricting it this way would work, but clearly it does. The 'access list' light bulb is beginning to glow.

Thx.

acomiskey Tue, 08/04/2009 - 09:18

Nit picking a little...but by doing it that way you are allowing 80, 443 to your remote vpn locations as well, which it looked like you were trying to limit pretty specifically.

cavemanbobby Tue, 08/04/2009 - 09:32

Ahhh...I was not aware of that. Makes sense though, now that you reference it.

So if I do:

access-list inside_acl extended deny ip 192.168.60.0 255.255.255.0 192.168.40.0 255.255.255.0

at the end of my access lists for each remote vpn (as well as a deny to the other remote VPN locations), as you originally showed,

and then do:

access-list inside_acl extended permit ip 192.168.60.0 255.255.255.0 any

which will allow internet access only from my local LAN out?

Correct Answer
acomiskey Tue, 08/04/2009 - 09:52

Correct.

Allow specific ports to remote vpn 1.

Deny everything else to remote vpn 1.

Allow specific ports to remote vpn 2.

Deny everything else to remote vpn 2.

Allow tcp 80, 443, udp 53 access to any.
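As an added illustration (editor's example, not part of the thread or of any Cisco tool), the following Python simulates ASA first-match ACL evaluation for the two inside_acl layouts discussed above: the broad 80/443 permits to "any" in front of the closing deny, versus the specific-permit / explicit-deny / internet-permit ordering acomiskey describes. Only the 192.168.60.0/24 LAN and 192.168.40.0/24 VPN network come from the thread; the other addresses and the SSH/DNS entries are constructed for the example.

```python
import ipaddress

# Added example: a tiny first-match simulator for ASA-style extended ACL
# entries. Entries are Python tuples here, not ASA syntax.

LAN = "192.168.60.0/24"     # local LAN from the question
VPN1 = "192.168.40.0/24"    # one remote VPN network from acomiskey's reply

def net(spec):
    """'any' matches every address; otherwise parse a CIDR network."""
    return None if spec == "any" else ipaddress.ip_network(spec)

def rule(action, proto, src, dst, dport=None):
    """One ACL entry; dport=None means any destination port."""
    return (action, proto, net(src), net(dst), dport)

def evaluate(acl, proto, src, dst, dport):
    """First matching entry wins; unmatched traffic hits the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, snet, dnet, port in acl:
        if p != "ip" and p != proto:
            continue
        if (snet is not None and s not in snet) or (dnet is not None and d not in dnet):
            continue
        if port is not None and port != dport:
            continue
        return action
    return "deny"

# Layout 1: the existing VPN permit, then 80/443 permits to 'any' placed in
# front of the closing deny. Those broad permits also reach the VPN network.
ACL_BROAD = [
    rule("permit", "tcp", LAN, VPN1, 22),        # eq ssh
    rule("permit", "tcp", LAN, "any", 80),
    rule("permit", "tcp", LAN, "any", 443),
    rule("deny", "ip", "any", "any"),
]

# Layout 2: acomiskey's ordering: specific VPN permits, an explicit deny for
# the rest of that VPN network, then the internet permits last.
ACL_ORDERED = [
    rule("permit", "tcp", LAN, VPN1, 22),
    rule("deny", "ip", LAN, VPN1),
    rule("permit", "tcp", LAN, "any", 80),
    rule("permit", "tcp", LAN, "any", 443),
    rule("permit", "udp", LAN, "any", 53),       # DNS, as the thread suggests
]
```

Running `evaluate(ACL_BROAD, "tcp", "192.168.60.10", "192.168.40.5", 80)` returns "permit" while the same packet against ACL_ORDERED returns "deny", which is exactly the nit acomiskey raises; internet-bound 80/443/53 is permitted in both.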
