CSS Scenario

Unanswered Question
Nov 25th, 2009

Hi All,

Design:-

---------------

Core-sw(6509)----------CSS1100-----------------Bluecoat----------------ASA---------Internet

Attached the configuration tried for this scenario.

!**************************** NQL ****************************

-nql Rule

  ip address 192.7.0.0 255.255.0.0

  ip address 192.168.3.0 255.255.255.0

  ip address 10.10.0.0 255.255.0.0

  ip address 192.9.0.0 255.255.0.0 log

  ip address 192.8.0.0 255.255.0.0 log

-------------------------------------------------------------------------------

cl 1

  clause 10 permit tcp nql Rule destination any eq http

  clause 20 permit tcp nql Rule destination any eq https

  clause 30 bypass any any destination any

  clause 99 permit any any destination any

  apply circuit-(VLAN1)

If I apply the above access list, Internet traffic works.

--------------------------------------------------------------------

If I remove these access-list clauses below

clause 30 bypass any any destination any

  clause 99 permit any any destination any

Internet traffic is not working.

Kindly advise, or if somebody has worked on this scenario, please share it with me.

Syed Iftekhar Ahmed Wed, 11/25/2009 - 15:41


The CSS applies a hidden default "deny all" clause as clause 255 to all ACLs. You must specify permit clauses that allow traffic on the CSS.

Syed
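To make the hidden clause 255 concrete, here is a small Python model of first-match ACL evaluation over the clauses and NQL posted above. It is an added illustration for this thread, not Cisco code and not output from a CSS: the evaluation rules it encodes (clauses checked in ascending number order, first match wins, an invisible deny-all at 255, and "bypass" still forwarding the packet) are assumptions of the model, and the sample flows are constructed rather than captured. It shows which flows fall through to clause 255 once clauses 30 and 99 are removed, e.g. DNS from a permitted subnet, or HTTP from a host outside the NQL.

```python
"""Model of first-match ACL evaluation on a Cisco CSS with the hidden deny-all
clause 255 appended.  Added illustration for this thread, not Cisco code; the
semantics below (first matching clause wins, "bypass" still forwards the
packet, NQL membership means "address is inside any listed network") are
assumptions of the model.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# NQL "Rule" as posted (the "log" keyword does not affect matching).
NQL: Dict[str, list] = {
    "Rule": [
        ip_network("192.7.0.0/16"),
        ip_network("192.168.3.0/24"),
        ip_network("10.10.0.0/16"),
        ip_network("192.9.0.0/16"),
        ip_network("192.8.0.0/16"),
    ],
}


@dataclass(frozen=True)
class Clause:
    number: int
    action: str            # "permit", "deny" or "bypass"
    proto: str             # "tcp", "udp" or "any"
    src: str               # NQL name or "any"
    dport: Optional[int]   # None matches any destination port


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str               # source IPv4 address
    dport: int


# The CSS appends this clause to every ACL; it never appears in the config.
HIDDEN_DENY = Clause(255, "deny", "any", "any", None)

# The poster's ACL with clauses 30 and 99 present ...
ACL_FULL = [
    Clause(10, "permit", "tcp", "Rule", 80),
    Clause(20, "permit", "tcp", "Rule", 443),
    Clause(30, "bypass", "any", "any", None),
    Clause(99, "permit", "any", "any", None),
]
# ... and after removing them.
ACL_TRIMMED = ACL_FULL[:2]


def clause_matches(clause: Clause, flow: Flow) -> bool:
    """True if every field of the clause matches the flow."""
    if clause.proto != "any" and clause.proto != flow.proto:
        return False
    if clause.src != "any":
        addr = ip_address(flow.src)
        if not any(addr in net for net in NQL[clause.src]):
            return False
    if clause.dport is not None and clause.dport != flow.dport:
        return False
    return True


def evaluate(acl: List[Clause], flow: Flow) -> Tuple[int, str]:
    """Return (clause number, action) of the first clause matching the flow.

    Clauses are checked in ascending number order, then the hidden clause
    255, so the function always returns something.
    """
    for clause in sorted(acl, key=lambda c: c.number) + [HIDDEN_DENY]:
        if clause_matches(clause, flow):
            return clause.number, clause.action
    raise RuntimeError("unreachable: clause 255 matches every flow")


def is_forwarded(acl: List[Clause], flow: Flow) -> bool:
    """Model assumption: permit and bypass both forward; deny drops."""
    return evaluate(acl, flow)[1] in ("permit", "bypass")


def dropped_flows(acl: List[Clause], flows: List[Flow]) -> List[Flow]:
    """Flows that fall through to the hidden deny-all."""
    return [f for f in flows if not is_forwarded(acl, f)]


# Constructed sample flows, not captured traffic.
SAMPLE_FLOWS = [
    Flow("tcp", "192.168.3.10", 80),    # HTTP from an NQL subnet
    Flow("tcp", "10.10.5.5", 443),      # HTTPS from an NQL subnet
    Flow("udp", "192.168.3.10", 53),    # DNS from an NQL subnet
    Flow("tcp", "172.16.1.1", 80),      # HTTP from a subnet outside the NQL
]

if __name__ == "__main__":
    for name, acl in (("full", ACL_FULL), ("trimmed", ACL_TRIMMED)):
        print(f"ACL {name}:")
        for flow in SAMPLE_FLOWS:
            number, action = evaluate(acl, flow)
            print(f"  {flow.proto} {flow.src} -> :{flow.dport}"
                  f"  clause {number} {action}")
```

Two things the run makes visible: with clauses 30 and 99 in place, every flow that clauses 10 and 20 do not permit lands on clause 30, so clause 99 is never reached; with them removed, the same flows land on the hidden clause 255 and are dropped. The model covers only the single ACL shown; anything else the CSS does with the flow is outside it.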

subashmbi Wed, 11/25/2009 - 21:34

Hi Syed,

Thanks for the update.

!**************************** NQL ****************************

-nql Rule

  ip address 192.7.0.0 255.255.0.0

  ip address 192.168.3.0 255.255.255.0

  ip address 10.10.0.0 255.255.0.0

  ip address 192.9.0.0 255.255.0.0 log

  ip address 192.8.0.0 255.255.0.0 log

-------------------------------------------------------------------------------

cl 1

  clause 10 permit tcp nql Rule destination any eq http

  clause 20 permit tcp nql Rule destination any eq https

In that case, why is the above rule not working? I need to allow only these subnets to the Internet.

Thanks & Regards,

Subash

busterswt Wed, 12/02/2009 - 20:36

What exactly is happening with that ACL in place? Are other internal networks able to access the Internet despite you locking it down to those specific networks? Or is *no* traffic to remote sites on 80/443 getting through? If you're in ACL mode and do 'sh acl 1' you should see a hit counter on the ACL you have in place to help gauge its effectiveness. Sorry I can't be of more help at the moment; just trying to get a better feel for your config/environment.

James
