08-04-2009 06:32 AM - edited 03-11-2019 09:02 AM
I was hoping to allow my local LAN (192.168.60.x) the ability to access the internet through my ASA 5505 while still maintaining the VPN tunnel that is required. I just recently added a number of access-lists to my config, which resulted in internet access being cut off. Before the access lists were added, I had some nonat statements in the config which did allow internet access.
Clearly there is an access list line that I'm not adding. I thought about:
access-list inside_acl extended permit ip 192.168.60.0 255.255.255.0 any
But was reluctant as I didn't want to open up too much. Was hoping to get an opinion from someone more knowledgeable than myself.
Any thoughts would be much appreciated.
Config file attached.
08-04-2009 07:10 AM
Your access-list inside_acl is allowing specific ports to your remote vpn networks, then the last line is "deny ip any any" which is denying everything else, including internet access. You could lay it out like this...
access-list inside_acl extended permit tcp 192.168.60.0 255.255.255.0 192.168.40.0 255.255.255.0 eq ssh
access-list inside_acl extended permit tcp 192.168.60.0 255.255.255.0 192.168.40.0 255.255.255.0 eq www
access-list inside_acl extended permit tcp 192.168.60.0 255.255.255.0 192.168.40.0 255.255.255.0 eq 3389
access-list inside_acl extended permit tcp 192.168.60.0 255.255.255.0 192.168.40.0 255.255.255.0 eq cifs
access-list inside_acl extended permit tcp 192.168.60.0 255.255.255.0 192.168.40.0 255.255.255.0 eq 5900
access-list inside_acl extended deny ip 192.168.60.0 255.255.255.0 192.168.40.0 255.255.255.0
Do the same for your other VPN networks, then add your permit for internet access at the end.
access-list inside_acl extended permit ip 192.168.60.0 255.255.255.0 any
08-04-2009 08:52 AM
Great call. I'll probably try this method in conjunction with only allowing 80, 53, and 443 for the local LAN, instead of 'any', as I'd like to restrict things a bit more.
Good stuff. Thx.
08-04-2009 07:10 AM
Your NATs are OK and it is indeed your inside_acl that is blocking your web browsing. Your permit ip any any will work, but as you stated, it's quite insecure. Try something like this:
access-list inside_acl extended permit tcp 192.168.60.0 255.255.255.0 any eq 80
access-list inside_acl extended permit tcp 192.168.60.0 255.255.255.0 any eq 443
This will allow you to surf HTTP and HTTPS. You may need to add DNS too.
Hope that helps.
08-04-2009 08:57 AM
Perfect. I wasn't sure if restricting it this way would work, but clearly it does. The 'access list' light bulb is beginning to glow.
Thx.
08-04-2009 09:18 AM
Nitpicking a little... but by doing it that way you are allowing 80, 443 to your remote VPN locations as well, which it looked like you were trying to limit pretty specifically.
08-04-2009 09:32 AM
Ahhh...I was not aware of that. Makes sense though, now that you reference it.
So if I do:
access-list inside_acl extended deny ip 192.168.60.0 255.255.255.0 192.168.40.0 255.255.255.0
at the end of my access lists for each remote vpn
(as well as a deny to the other remote VPN locations) as you originally showed.
and then do:
access-list inside_acl extended permit ip 192.168.60.0 255.255.255.0 any
which will allow internet access only from my local LAN out?
08-04-2009 09:52 AM
Correct.
Allow specific ports to remote vpn 1.
Deny everything else to remote vpn 1.
Allow specific ports to remote vpn 2.
Deny everything else to remote vpn 2.
Allow tcp 80, 443, udp 53 access to any.
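The ordering rules summarised in this last post, and the caveat raised at 09:18 (a broad "permit tcp ... any eq 80/443" placed without a preceding per-VPN deny also reaches the remote VPN subnets), both come down to ASA first-match evaluation with an implicit deny at the end. The following is an added example, not code from the thread or from Cisco: a small Python first-match evaluator that parses the thread's own access-list lines and reports how sample flows are handled under the two layouts. The local LAN (192.168.60.0/24), the remote VPN subnet (192.168.40.0/24) and the port lists are taken from the thread; the host addresses and the internet destination (203.0.113.5) are constructed, and only one remote VPN subnet is modelled since the thread names only that one.

```python
"""First-match evaluator for ASA-style extended access lists (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# ASA port-name literals that appear in the thread, mapped to port numbers.
PORT_NAMES = {"ssh": 22, "www": 80, "http": 80, "https": 443, "cifs": 445, "domain": 53}


@dataclass(frozen=True)
class Ace:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None   # None means any destination port

    def matches(self, proto: str, src_ip, dst_ip, dport: int) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if src_ip not in self.src or dst_ip not in self.dst:
            return False
        return self.dport is None or self.dport == dport


def parse_ace(line: str) -> Ace:
    """Parse 'access-list NAME extended ACTION PROTO SRC MASK DST MASK [eq PORT]'."""
    tok = line.split()
    assert tok[0] == "access-list" and tok[2] == "extended", line
    action, proto = tok[3], tok[4]
    i = 5

    def network() -> ipaddress.IPv4Network:
        nonlocal i
        if tok[i] == "any":               # ASA 'any' == 0.0.0.0 0.0.0.0
            i += 1
            return ipaddress.IPv4Network("0.0.0.0/0")
        net = ipaddress.IPv4Network(f"{tok[i]}/{tok[i + 1]}")  # address/netmask form
        i += 2
        return net

    src, dst = network(), network()
    dport = None
    if i < len(tok) and tok[i] == "eq":
        dport = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
    return Ace(action, proto, src, dst, dport)


def evaluate(acl: List[Ace], proto: str, src_ip: str, dst_ip: str, dport: int) -> str:
    """ASA semantics: the first matching ACE wins; no match is an implicit deny."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for ace in acl:
        if ace.matches(proto, s, d, dport):
            return ace.action
    return "deny"


LAN, VPN1 = "192.168.60.0 255.255.255.0", "192.168.40.0 255.255.255.0"

# Layout from the 07:10 post plus the final summary: specific permits to the
# VPN subnet, a deny for everything else to that subnet, then internet access.
ORDERED_ACL = [parse_ace(l) for l in [
    f"access-list inside_acl extended permit tcp {LAN} {VPN1} eq ssh",
    f"access-list inside_acl extended permit tcp {LAN} {VPN1} eq www",
    f"access-list inside_acl extended permit tcp {LAN} {VPN1} eq 3389",
    f"access-list inside_acl extended permit tcp {LAN} {VPN1} eq cifs",
    f"access-list inside_acl extended permit tcp {LAN} {VPN1} eq 5900",
    f"access-list inside_acl extended deny ip {LAN} {VPN1}",
    f"access-list inside_acl extended permit tcp {LAN} any eq 80",
    f"access-list inside_acl extended permit tcp {LAN} any eq 443",
    f"access-list inside_acl extended permit udp {LAN} any eq 53",
]]

# Layout the 09:18 post warns about: the broad 80/443 permits with no
# per-VPN deny ahead of them, so they also match VPN destinations.
BROAD_ACL = [parse_ace(l) for l in [
    f"access-list inside_acl extended permit tcp {LAN} {VPN1} eq ssh",
    f"access-list inside_acl extended permit tcp {LAN} any eq 80",
    f"access-list inside_acl extended permit tcp {LAN} any eq 443",
    "access-list inside_acl extended deny ip any any",
]]

LAN_HOST, VPN_HOST, INET_HOST = "192.168.60.10", "192.168.40.20", "203.0.113.5"  # constructed


def vpn_https_reachable(acl: List[Ace]) -> bool:
    """True if the LAN can open HTTPS to the remote VPN subnet under this ACL."""
    return evaluate(acl, "tcp", LAN_HOST, VPN_HOST, 443) == "permit"


if __name__ == "__main__":
    for name, acl in (("ordered", ORDERED_ACL), ("broad", BROAD_ACL)):
        print(name, "LAN->VPN:443", evaluate(acl, "tcp", LAN_HOST, VPN_HOST, 443),
              "| LAN->VPN:22", evaluate(acl, "tcp", LAN_HOST, VPN_HOST, 22),
              "| LAN->Internet:443", evaluate(acl, "tcp", LAN_HOST, INET_HOST, 443),
              "| LAN->Internet:25", evaluate(acl, "tcp", LAN_HOST, INET_HOST, 25))
```

Running it shows the difference the ordering makes: under ORDERED_ACL, HTTPS from the LAN to the VPN subnet is denied (the per-VPN deny line matches before the general 443 permit) while SSH to the VPN and HTTPS/DNS to the internet are permitted, and anything not listed, such as SMTP outbound, falls to the implicit deny; under BROAD_ACL the same HTTPS flow to the VPN subnet is permitted, which is exactly the leak the 09:18 post points out.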