Access to internet

Good morning,

I have been configuring a Cisco ASA 5520. Everything is working fine, but when I create an ACL:

access-list OUT extended permit ip 172.16.x.x 255.255.255.0 any

access-group OUT out interface outside

I added ports like www or 443 and it is not working for Internet access.

There is a router in front of my firewall, connected to my headquarters. I can see my private networks, but I am not able to reach the Internet.

could you please help me?

thanks.




>> Mark as helpful or answered if the reply resolved the question; this helps future queries from other community members. <<
3 Replies

Julio Carvajal
VIP Alumni

Hello Eduardo,

What about the NAT statements? Can you provide your configuration so we can check it?

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Adesh Gairola
Level 1

Hi Eduardo,

I will try to explain it via an example:

INSIDE(172.16.0.0/24) ----- (172.16.0.1) ASA (1.1.1.1) ----- Internet ----- Google(200.200.200.1)

If users from INSIDE want to hit the Internet, they will be going through a PAT on the interface. Am I right?

So if you are adding an access-list in the OUT direction:

access-list OUT extended permit ip 172.16.x.x 255.255.255.0 any

access-group OUT out interface outside

then there is an implicit deny which will deny your NATted IP 1.1.1.1. So that's why you cannot reach the Internet.

Use packet-tracer to confirm.

So the best option will be to allow specific private addresses on the INSIDE interface.

Regards,

Adesh

I hope it is the same as below:

inside----ASA----router---internet.

Allow DNS along with http and 443, and it is better to apply the access-list on the inside interface in the IN direction rather than on the outside interface in the OUT direction.

Thanks

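Putting the two replies above together (PAT on the outside interface, filter on the inside interface in the IN direction, allow DNS as well as 80/443, and use packet-tracer to confirm), here is an added example configuration. It is not from anyone in the thread and it assumes ASA 8.3 or later object NAT syntax, the inside network 172.16.0.0/24 from Adesh's diagram, and interfaces named "inside" and "outside"; the ACL name INSIDE_IN and the host and DNS server addresses in the packet-tracer lines are made up for illustration. One caveat worth knowing before reading the packet-tracer output: on 8.3 and later software interface ACLs match the real (pre-NAT) addresses, so which address a given ACL actually sees depends on the software version, and packet-tracer is the reliable way to find out which phase (NAT, ACL or routing) is dropping the packet.

```cisco
! Added example, not from the original thread. Assumes ASA 8.3+ object NAT,
! inside network 172.16.0.0/24 and interface names "inside" / "outside".

! 1. Dynamic PAT: inside hosts leave with the outside interface address.
object network INSIDE_NET
 subnet 172.16.0.0 255.255.255.0
 nat (inside,outside) dynamic interface

! 2. Filter on the inside interface, inbound direction, instead of outbound on outside.
!    DNS must be allowed or name resolution fails before any HTTP/HTTPS is even tried.
access-list INSIDE_IN extended permit udp 172.16.0.0 255.255.255.0 any eq domain
access-list INSIDE_IN extended permit tcp 172.16.0.0 255.255.255.0 any eq domain
access-list INSIDE_IN extended permit tcp 172.16.0.0 255.255.255.0 any eq www
access-list INSIDE_IN extended permit tcp 172.16.0.0 255.255.255.0 any eq https
! Explicit deny with logging so dropped traffic shows up in syslog instead of vanishing
! into the implicit deny.
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface inside

! 3. Remove the outbound ACL from the outside interface once the inside one is in place,
!    so there is only one place where outbound traffic can be dropped.
no access-group OUT out interface outside

! 4. Verify: packet-tracer walks the NAT, ACL and routing phases and names the one that
!    drops the packet. Host 172.16.0.10, the Google address from Adesh's diagram and the
!    DNS server 8.8.8.8 are constructed values for this example.
packet-tracer input inside tcp 172.16.0.10 12345 200.200.200.1 80
packet-tracer input inside udp 172.16.0.10 12345 8.8.8.8 53
```

If the second packet-tracer (DNS) is dropped but the first is allowed, hosts will still appear unable to browse because names never resolve; that is why the DNS permit lines come first. On pre-8.3 software the NAT block must be written with `global (outside) 1 interface` and `nat (inside) 1 172.16.0.0 255.255.255.0` instead of the object NAT shown here.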