CSS Scenario

subashmbi
Level 1

Hi All,

Design:-

---------------

Core-sw(6509)----------CSS1100-----------------Bluecoat----------------ASA---------Internet

Attached the configuration tried for this scenario.

!**************************** NQL ****************************
-nql Rule
  ip address 192.7.0.0 255.255.0.0
  ip address 192.168.3.0 255.255.255.0
  ip address 10.10.0.0 255.255.0.0
  ip address 192.9.0.0 255.255.0.0 log
  ip address 192.8.0.0 255.255.0.0 log
-------------------------------------------------------------------------------
cl 1
  clause 10 permit tcp nql Rule destination any eq http
  clause 20 permit tcp nql Rule destination any eq https
  clause 30 bypass any any destination any
  clause 99 permit any any destination any
  apply circuit-(VLAN1)

If I apply the above access-list, Internet traffic works.

--------------------------------------------------------------------

If I remove these access-list clauses below:

  clause 30 bypass any any destination any
  clause 99 permit any any destination any

Internet traffic does not work.

Kindly advise, or if somebody has worked on this scenario, please share it with me.

3 Replies

The CSS applies a hidden default “deny all” clause as clause 255 to all ACLs. You must specify permit clauses that allow traffic on the CSS.

Syed
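A small first-match model of the CSS clause evaluation Syed describes, as an added example that is not from the thread or from Cisco: the NQL entries and clause lines are the ones posted above, the sample flows in the tests are constructed, and the `(255, "deny")` fallback stands for the hidden default clause he mentions. It only models which clause a flow hits; it does not model what the CSS does with a `bypass` match.

```python
import ipaddress

# NQL entries and ACL clauses as posted in the thread ('log' is parsed but ignored).
NQL_LINES = [
    "ip address 192.7.0.0 255.255.0.0",
    "ip address 192.168.3.0 255.255.255.0",
    "ip address 10.10.0.0 255.255.0.0",
    "ip address 192.9.0.0 255.255.0.0 log",
    "ip address 192.8.0.0 255.255.0.0 log",
]
ACL_FULL = [
    "clause 10 permit tcp nql Rule destination any eq http",
    "clause 20 permit tcp nql Rule destination any eq https",
    "clause 30 bypass any any destination any",
    "clause 99 permit any any destination any",
]
ACL_TRIMMED = ACL_FULL[:2]          # the version that broke Internet access
SERVICE_PORTS = {"http": 80, "https": 443}

def parse_nql(lines):
    """Turn 'ip address <net> <mask> [log]' lines into networks."""
    return [ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False)
            for t in (l.split() for l in lines)]

def parse_clause(line, nql):
    """Parse 'clause N <action> <proto> <nql Name|any> destination any [eq svc]'."""
    t = line.split()
    return {
        "num": int(t[1]), "action": t[2], "proto": t[3],
        "src": nql if t[4] == "nql" else None,                # None = any source
        "port": SERVICE_PORTS[t[-1]] if "eq" in t else None,  # None = any port
    }

def evaluate(clauses, src_ip, proto, dst_port):
    """First match wins; if nothing matches, the hidden default clause 255 denies."""
    ip = ipaddress.ip_address(src_ip)
    for c in sorted(clauses, key=lambda c: c["num"]):
        if c["proto"] not in ("any", proto):
            continue
        if c["src"] is not None and not any(ip in n for n in c["src"]):
            continue
        if c["port"] is not None and c["port"] != dst_port:
            continue
        return c["num"], c["action"]
    return 255, "deny"

def check(acl_lines, src_ip, proto, dst_port):
    """Evaluate one flow against an ACL given as the posted clause text."""
    nql = parse_nql(NQL_LINES)
    return evaluate([parse_clause(l, nql) for l in acl_lines], src_ip, proto, dst_port)
```

With only clauses 10 and 20 in place, a DNS lookup (udp/53) from a listed subnet and any HTTP request from a host outside the NQL both fall through to the hidden deny, while with clause 30 present every such flow stops at the bypass clause.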

Hi Syed,

Thanks for the update.

!**************************** NQL ****************************
-nql Rule
  ip address 192.7.0.0 255.255.0.0
  ip address 192.168.3.0 255.255.255.0
  ip address 10.10.0.0 255.255.0.0
  ip address 192.9.0.0 255.255.0.0 log
  ip address 192.8.0.0 255.255.0.0 log
-------------------------------------------------------------------------------
cl 1
  clause 10 permit tcp nql Rule destination any eq http
  clause 20 permit tcp nql Rule destination any eq https

In that case, why is the above rule not working? I need only these subnets to be allowed Internet access.

Thanks & Regards,

Subash

What exactly is happening with that ACL in place? Are other internal networks able to access the Internet despite you locking it down to those specific networks? Or is *no* traffic to remote sites on 80/443 getting through? If you're in ACL mode and do 'sh acl 1' you should see a hit counter on the ACL you have in place to help gauge its effectiveness. Sorry I can't be of more help at the moment; just trying to get a better feel for your config/environment.

James
