Cisco Support Community

Access to internet

Good morning,

I have been configuring a Cisco ASA 5520. Everything is working fine, but when I create an ACL:

access-list OUT extended permit ip 172.16.x.x 255.255.255.0 any

access-group OUT out interface outside

I added ports like www or 443 and Internet access is not working.

A router sits in front of my firewall, connected to my headquarters. I can see my private networks but I am not able to reach the Internet.

Could you please help me?

Thanks.

3 REPLIES

Access to internet

Hello Eduardo,

What about the NAT statements? Can you provide your configuration so we can check it?

Regards,

Julio

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com
New Member

Access to internet

Hi Eduardo,

I will try to explain it via an example:

INSIDE(172.16.0.0/24) ----- (172.16.0.1) ASA (1.1.1.1) ----- Internet ----- Google(200.200.200.1)

If users from INSIDE want to hit the Internet, they will be going through a PAT on the interface. Am I right?

So if you are adding an access-list in the OUT direction:

access-list OUT extended permit ip 172.16.x.x 255.255.255.0 any

access-group OUT out interface outside

then there is an implicit deny which will deny your NATted IP 1.1.1.1. So that's why you cannot reach the Internet.

Use packet-tracer to confirm.

So the best option will be to allow specific private addresses on the INSIDE interface.

Regards,

Adesh

New Member

Access to internet

I hope it is the same as below:

inside----ASA----router---internet.

Allow DNS along with HTTP and 443. It is better to apply the access-list on the inside interface in the IN direction rather than on the outside interface in the OUT direction.

Thanks
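
The approach suggested in the replies above, written out as an added example that is not part of the original thread: remove the outbound ACL from the outside interface, filter on the inside interface in the inbound direction, and confirm with packet-tracer. The ACL name INSIDE_IN, the 172.16.0.0/24 subnet (taken from the example diagram in the second reply), the test host 172.16.0.10 and the source port 1025 are assumptions.

```cisco
! Added example, not from the thread. Names and addresses are assumptions.

! 1. Detach the outbound ACL from the outside interface.
no access-group OUT out interface outside

! 2. Permit only the traffic the inside hosts need, matched on their
!    real (pre-NAT) addresses as they enter the inside interface.
access-list INSIDE_IN extended permit udp 172.16.0.0 255.255.255.0 any eq domain
access-list INSIDE_IN extended permit tcp 172.16.0.0 255.255.255.0 any eq www
access-list INSIDE_IN extended permit tcp 172.16.0.0 255.255.255.0 any eq https

! 3. Apply it inbound on the inside interface.
!    Once an ACL is bound here, everything it does not permit is dropped
!    by the implicit deny, so add explicit permits for any other traffic
!    that must cross the firewall (for example to the headquarters networks).
access-group INSIDE_IN in interface inside

! 4. Simulate a web request from an inside host and read the result.
!    The output lists each phase (ACCESS-LIST, NAT, ...) and shows which
!    one drops the packet if the flow is not allowed.
packet-tracer input inside tcp 172.16.0.10 1025 200.200.200.1 80

! 5. Check hit counters to see which ACL lines are matching.
show access-list INSIDE_IN
```

If packet-tracer shows the ACCESS-LIST phase passing but a later NAT phase failing, the problem is in the NAT/PAT configuration that the first reply asks about, not in the ACL.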
