New Member

Access-List Question with nonat statement

I was hoping to allow my local LAN (192.168.60.x) the ability to access the internet through my ASA 5505 while still maintaining the VPN tunnel that is required. I just recently added a number of access-lists to my config, which resulted in internet access being cut off. Before the access lists were added, I had some nonat statements in the config which did allow internet access.

Clearly there is an access list line that I'm not adding. I thought about:

access-list inside_acl extended permit ip 192.168.60.0 255.255.255.0 any

But was reluctant as I didn't want to open up too much. Was hoping to get an opinion from someone more knowledgeable than myself.

Any thoughts would be much appreciated.

Config file attached.

7 REPLIES
Green

Re: Access-List Question with nonat statement

Your access-list inside_acl is allowing specific ports to your remote vpn networks, then the last line is "deny ip any any" which is denying everything else, including internet access. You could lay it out like this...

access-list inside_acl extended permit tcp 192.168.60.0 255.255.255.0 192.168.40.0 255.255.255.0 eq ssh

access-list inside_acl extended permit tcp 192.168.60.0 255.255.255.0 192.168.40.0 255.255.255.0 eq www

access-list inside_acl extended permit tcp 192.168.60.0 255.255.255.0 192.168.40.0 255.255.255.0 eq 3389

access-list inside_acl extended permit tcp 192.168.60.0 255.255.255.0 192.168.40.0 255.255.255.0 eq cifs

access-list inside_acl extended permit tcp 192.168.60.0 255.255.255.0 192.168.40.0 255.255.255.0 eq 5900

access-list inside_acl extended deny ip 192.168.60.0 255.255.255.0 192.168.40.0 255.255.255.0

Do the same for your other vpn networks, then add your permit for internet access at the end.

access-list inside_acl extended permit ip 192.168.60.0 255.255.255.0 any

New Member

Re: Access-List Question with nonat statement

Great call. I'll probably try this method in conjunction with only allowing 80, 53, and 443 for the local LAN, instead of 'any', as I'd like to restrict things a bit more.

Good stuff. Thx.

Re: Access-List Question with nonat statement

Your NATs are OK and it is indeed your inside_acl that is blocking your web browsing. Your permit ip any any will work, but as you stated, it's quite insecure. Try something like this:

access-list inside_acl extended permit tcp 192.168.60.0 255.255.255.0 any eq 80

access-list inside_acl extended permit tcp 192.168.60.0 255.255.255.0 any eq 443

This will allow you to surf HTTP and HTTPS. You may need to add DNS too.

Hope that helps.

New Member

Re: Access-List Question with nonat statement

Perfect. I wasn't sure if restricting it this way would work, but clearly it does. The 'access list' light bulb is beginning to glow.

Thx.

Green

Re: Access-List Question with nonat statement

Nitpicking a little...but by doing it that way you are allowing 80, 443 to your remote vpn locations as well, which it looked like you were trying to limit pretty specifically.

New Member

Re: Access-List Question with nonat statement

Ahhh...I was not aware of that. Makes sense though, now that you reference it.

So if I do:

access-list inside_acl extended deny ip 192.168.60.0 255.255.255.0 192.168.40.0 255.255.255.0

at the end of my access lists for each remote vpn (as well as a deny to the other remote VPN locations), as you originally showed,

and then do:

access-list inside_acl extended permit ip 192.168.60.0 255.255.255.0 any

which will allow internet access only from my local LAN out?

Green

Re: Access-List Question with nonat statement

Correct.

Allow specific ports to remote vpn 1.

Deny everything else to remote vpn 1.

Allow specific ports to remote vpn 2.

Deny everything else to remote vpn 2.

Allow tcp 80, 443, udp 53 access to any.
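An added example, not from the thread or its attached config: a small Python model of the ASA's first-match evaluation of inside_acl, with the ordering this reply confirms beside the same lines without the per-VPN deny, so the 80/443 leak to the VPN subnet mentioned earlier is visible. Subnets, ports and test addresses are constructed.

```python
import ipaddress

# Constructed ACL entries: (action, protocol, src, dst, dst_port or None).
LAN, VPN1, ANY = "192.168.60.0/24", "192.168.40.0/24", "0.0.0.0/0"

# Ordering from the thread: specific permits to the VPN subnet, then deny
# everything else to it, then the narrowed internet permits at the end.
ORDERED_ACL = [
    ("permit", "tcp", LAN, VPN1, 22),
    ("permit", "tcp", LAN, VPN1, 80),
    ("permit", "tcp", LAN, VPN1, 3389),
    ("permit", "tcp", LAN, VPN1, 5900),
    ("deny", "ip", LAN, VPN1, None),
    ("permit", "tcp", LAN, ANY, 80),
    ("permit", "tcp", LAN, ANY, 443),
    ("permit", "udp", LAN, ANY, 53),
]

# Same lines minus the per-VPN deny: the case the nitpick above warns about.
NO_DENY_ACL = [e for e in ORDERED_ACL if e[0] != "deny"]


def evaluate(acl, proto, src, dst, dport):
    """First matching entry wins; an ASA ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for entry in acl:
        action, eproto, esrc, edst, eport = entry
        if eproto != "ip" and eproto != proto:
            continue
        if s not in ipaddress.ip_network(esrc) or d not in ipaddress.ip_network(edst):
            continue
        if eport is not None and eport != dport:
            continue
        return action, entry
    return "deny", ("deny", "ip", ANY, ANY, None)  # implicit deny ip any any


if __name__ == "__main__":
    # Constructed flows: HTTPS to a VPN host, HTTPS to the internet, SMTP to a VPN host.
    flows = (("tcp", "192.168.40.10", 443), ("tcp", "203.0.113.5", 443), ("tcp", "192.168.40.10", 25))
    for name, acl in (("ordered", ORDERED_ACL), ("no-deny", NO_DENY_ACL)):
        for proto, dst, port in flows:
            action, hit = evaluate(acl, proto, "192.168.60.20", dst, port)
            print(f"{name:8} {proto}/{port} -> {dst}: {action} via {hit}")
```

With the deny in place, HTTPS to 192.168.40.10 is dropped by the explicit deny while HTTPS to the internet is still permitted; without it, the "any" line lets 443 through to the VPN subnet.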
