New Member

CSS Scenario

Hi All,

Design:

---------------

Core-sw(6509)----------CSS1100-----------------Bluecoat----------------ASA---------Internet

Attached is the configuration tried for this scenario.

!**************************** NQL ****************************
nql Rule
  ip address 192.7.0.0 255.255.0.0
  ip address 192.168.3.0 255.255.255.0
  ip address 10.10.0.0 255.255.0.0
  ip address 192.9.0.0 255.255.0.0 log
  ip address 192.8.0.0 255.255.0.0 log
-------------------------------------------------------------------------------
acl 1
  clause 10 permit tcp nql Rule destination any eq http
  clause 20 permit tcp nql Rule destination any eq https
  clause 30 bypass any any destination any
  clause 99 permit any any destination any
  apply circuit-(VLAN1)

If I apply the above access list, Internet traffic works.

--------------------------------------------------------------------

If I remove the two clauses below:

  clause 30 bypass any any destination any
  clause 99 permit any any destination any

Internet traffic does not work.

Kindly advise, or if somebody has worked on this scenario, please share.

3 REPLIES

Re: CSS Scenario

The CSS applies a hidden default "deny all" clause as clause 255 to all ACLs. You must specify permit clauses that allow traffic on the CSS.

Syed
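To make the first-match behaviour Syed describes concrete, here is an added Python model of CSS ACL evaluation. It is not CSS code and is not from the thread: it encodes the two versions of acl 1 from the original post, appends the hidden clause 255 deny, and evaluates a few constructed flows. Assumptions: both permit and bypass forward the packet (bypass only skips content rules), the sample source addresses and the UDP/53 flow are constructed for illustration, and the log keyword on the NQL entries is ignored because it affects logging, not matching.

```python
"""Model of CSS ACL first-match evaluation with the hidden clause 255 deny.

Added example; it mimics clause ordering and matching, not the CSS itself.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Source networks of "nql Rule" from the post ("log" dropped: it does not
# change matching).
NQL_RULE = tuple(ipaddress.ip_network(n) for n in (
    "192.7.0.0/16", "192.168.3.0/24", "10.10.0.0/16",
    "192.9.0.0/16", "192.8.0.0/16",
))

WELL_KNOWN = {"http": 80, "https": 443}  # names used after "eq" in the post


@dataclass(frozen=True)
class Clause:
    number: int
    action: str                 # permit | bypass | deny
    proto: str                  # tcp | udp | icmp | any
    src: Optional[tuple]        # tuple of networks (an NQL) or None for "any"
    dport: Optional[int]        # destination port, None for "any"


@dataclass(frozen=True)
class Packet:
    src: str
    proto: str
    dport: int


# The CSS appends this to every ACL; it is not shown in the configuration.
IMPLICIT_DENY = Clause(255, "deny", "any", None, None)


def clause_matches(clause: Clause, pkt: Packet) -> bool:
    """True when every field the clause constrains matches the packet."""
    if clause.proto != "any" and clause.proto != pkt.proto:
        return False
    if clause.src is not None:
        addr = ipaddress.ip_address(pkt.src)
        if not any(addr in net for net in clause.src):
            return False
    if clause.dport is not None and clause.dport != pkt.dport:
        return False
    return True


def evaluate(acl, pkt: Packet) -> Tuple[int, str]:
    """Return (clause number, action) of the first matching clause, walking
    clauses in ascending number order and ending at hidden clause 255."""
    for clause in sorted(acl, key=lambda c: c.number) + [IMPLICIT_DENY]:
        if clause_matches(clause, pkt):
            return clause.number, clause.action
    raise AssertionError("unreachable: clause 255 matches everything")


def forwarded(acl, pkt: Packet) -> bool:
    # Assumption: permit and bypass both forward; only deny drops.
    return evaluate(acl, pkt)[1] in ("permit", "bypass")


# acl 1 as first posted
ACL_FULL = [
    Clause(10, "permit", "tcp", NQL_RULE, WELL_KNOWN["http"]),
    Clause(20, "permit", "tcp", NQL_RULE, WELL_KNOWN["https"]),
    Clause(30, "bypass", "any", None, None),
    Clause(99, "permit", "any", None, None),
]
# acl 1 with clauses 30 and 99 removed
ACL_TRIMMED = ACL_FULL[:2]

# Constructed sample flows from the inside toward the Internet.
HTTP_INSIDE = Packet("10.10.1.5", "tcp", 80)      # in nql Rule, port matches
DNS_INSIDE = Packet("10.10.1.5", "udp", 53)       # in nql Rule, no clause for it
HTTP_OUTSIDER = Packet("172.16.0.5", "tcp", 80)   # source not in nql Rule

if __name__ == "__main__":
    for name, acl in (("full", ACL_FULL), ("trimmed", ACL_TRIMMED)):
        for pkt in (HTTP_INSIDE, DNS_INSIDE, HTTP_OUTSIDER):
            print(name, pkt, evaluate(acl, pkt), forwarded(acl, pkt))
```

Running it shows two things the thread's configuration implies. With the posted ACL, clause 30 matches everything clauses 10 and 20 do not, so clause 99 is never reached and sources outside nql Rule are forwarded as well; the ACL restricts nothing. With clauses 30 and 99 removed, anything that is not TCP/80 or TCP/443 from an nql Rule address, the constructed UDP/53 flow included, falls through to clause 255 and is dropped.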

New Member

Re: CSS Scenario

Hi Syed,

Thanks for the update.

!**************************** NQL ****************************
nql Rule
  ip address 192.7.0.0 255.255.0.0
  ip address 192.168.3.0 255.255.255.0
  ip address 10.10.0.0 255.255.0.0
  ip address 192.9.0.0 255.255.0.0 log
  ip address 192.8.0.0 255.255.0.0 log
-------------------------------------------------------------------------------
acl 1
  clause 10 permit tcp nql Rule destination any eq http
  clause 20 permit tcp nql Rule destination any eq https

In that case, why is the above rule not working? I need only these subnets to be allowed to the Internet.

Thanks & Regards,

Subash

Bronze

Re: CSS Scenario

What exactly is happening with that ACL in place? Are other internal networks able to access the Internet despite you locking it down to those specific networks? Or is *no* traffic to remote sites on 80/443 getting through? If you're in ACL mode and do 'sh acl 1' you should see a hit counter on the ACL you have in place to help gauge its effectiveness. Sorry I can't be of more help at the moment; just trying to get a better feel for your config/environment.

James
