11-25-2009 08:45 AM
Hi All,
Design:-
---------------
Core-sw(6509)----------CSS1100-----------------Bluecoat----------------ASA---------Internet
Attached is the configuration I tried for this scenario.
!**************************** NQL ****************************
-nql Rule
ip address 192.7.0.0 255.255.0.0
ip address 192.168.3.0 255.255.255.0
ip address 10.10.0.0 255.255.0.0
ip address 192.9.0.0 255.255.0.0 log
ip address 192.8.0.0 255.255.0.0 log
-------------------------------------------------------------------------------
cl 1
clause 10 permit tcp nql Rule destination any eq http
clause 20 permit tcp nql Rule destination any eq https
clause 30 bypass any any destination any
clause 99 permit any any destination any
apply circuit-(VLAN1)
If I apply the above access list, Internet traffic works.
--------------------------------------------------------------------
If I remove the access-list clauses below:
clause 30 bypass any any destination any
clause 99 permit any any destination any
Internet traffic does not work.
Kindly advise, or if somebody has worked on this scenario, please share it with me.
11-25-2009 03:41 PM
The CSS applies a hidden default “deny all” clause as clause 255 to all ACLs. You
must specify permit clauses that allow traffic on the CSS.
Syed
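An added illustration of the evaluation order Syed describes (example code written for this thread, not from Cisco or any poster): a small Python evaluator that parses clauses in the CSS ACL syntax quoted above, walks them in clause order and falls through to the hidden clause 255 deny. The ACL text, the sample packets, and the comment on what "bypass" forwards are assumptions of this example.

```python
import ipaddress

PORTS = {"http": 80, "https": 443}

# Constructed ACL text in the CSS syntax quoted in the thread (not a device export).
NQL_RULE = """nql Rule
ip address 192.7.0.0 255.255.0.0
ip address 192.168.3.0 255.255.255.0
ip address 10.10.0.0 255.255.0.0
ip address 192.9.0.0 255.255.0.0 log
ip address 192.8.0.0 255.255.0.0 log
"""
ACL_TRIMMED = NQL_RULE + """acl 1
clause 10 permit tcp nql Rule destination any eq http
clause 20 permit tcp nql Rule destination any eq https
"""
ACL_WITH_CATCHALL = ACL_TRIMMED + """clause 30 bypass any any destination any
clause 99 permit any any destination any
"""

def parse(text):
    """Return ({nql_name: [networks]}, [clauses sorted by number]) from CSS-style lines."""
    nqls, clauses, current = {}, [], None
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "nql":
            current = nqls.setdefault(tok[1], [])
        elif tok[:2] == ["ip", "address"]:          # trailing "log" keyword is ignored
            current.append(ipaddress.ip_network(f"{tok[2]}/{tok[3]}", strict=False))
        elif tok[0] == "clause":
            # clause <n> <action> <proto> (any | nql NAME) destination <dst> [eq <port>]
            num, action, proto = int(tok[1]), tok[2], tok[3]
            src = tok[5] if tok[4] == "nql" else "any"
            i = 6 if tok[4] == "nql" else 5          # index of the "destination" keyword
            assert tok[i] == "destination"
            port = PORTS[tok[i + 3]] if len(tok) > i + 2 and tok[i + 2] == "eq" else None
            clauses.append((num, action, proto, src, port))
    return nqls, sorted(clauses)

def evaluate(acl, src_ip, proto, dport):
    """First matching clause wins; with no match the hidden clause 255 denies the packet."""
    nqls, clauses = acl
    ip = ipaddress.ip_address(src_ip)
    for num, action, cproto, src, port in clauses:
        if cproto != "any" and cproto != proto:
            continue
        if src != "any" and not any(ip in net for net in nqls[src]):
            continue
        if port is not None and port != dport:
            continue
        return num, action   # "bypass" forwards without content-rule matching (assumption)
    return 255, "deny"       # implicit default clause the CSS appends to every ACL
```

Running evaluate() on the trimmed ACL with a DNS packet (UDP 53) from an NQL subnet returns (255, "deny"), while the same packet against the ACL that still has clause 30 returns (30, "bypass").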
11-25-2009 09:34 PM
Hi Syed,
Thanks for the update.
!**************************** NQL ****************************
-nql Rule
ip address 192.7.0.0 255.255.0.0
ip address 192.168.3.0 255.255.255.0
ip address 10.10.0.0 255.255.0.0
ip address 192.9.0.0 255.255.0.0 log
ip address 192.8.0.0 255.255.0.0 log
-------------------------------------------------------------------------------
cl 1
clause 10 permit tcp nql Rule destination any eq http
clause 20 permit tcp nql Rule destination any eq https
In that case, why is the above rule not working? I need to allow only these subnets to access the Internet.
Thanks & Regards,
Subash
12-02-2009 08:36 PM
What exactly is happening with that ACL in place? Are other internal networks able to access the Internet despite you locking it down to those specific networks? Or is *no* traffic to remote sites on 80/443 getting through? If you're in ACL mode and do 'sh acl 1', you should see a hit counter on the ACL you have in place to help gauge its effectiveness. Sorry I can't be of more help at the moment; just trying to get a better feel for your config/environment.
James