03-07-2012 09:12 AM - edited 03-11-2019 03:39 PM
Good morning,
I have been configuring a Cisco ASA 5520. Everything is working fine, but when I create an ACL:
access-list OUT extended permit ip 172.16.x.x 255.255.255.0 any
access-group OUT out interface outside
I added ports like www or 443 and it is not working for Internet access.
A router sits in front of my firewall, connected to my headquarters; I can see my private networks but I am not able to reach the Internet.
could you please help me?
thanks.
03-07-2012 09:37 AM
Hello Eduardo,
What about the NAT statements? Can you provide your configuration so we can check it?
Regards,
Julio
03-07-2012 11:43 AM
Hi Eduardo,
I will try to explain it via an example:
INSIDE(172.16.0.0/24) ----- (172.16.0.1) ASA (1.1.1.1) ----- Internet ----- Google(200.200.200.1)
If users from INSIDE want to hit the Internet they will be going through the PAT on the interface. Am I right?
So if you are adding access-list in OUT direction:
access-list OUT extended permit ip 172.16.x.x 255.255.255.0 any
access-group OUT out interface outside
then there is an implicit deny which will deny your NATted IP 1.1.1.1. So that's why you cannot reach the Internet.
Use packet-tracer to confirm.
So the best option will be to allow specific private addresses on the INSIDE interface.
Regards,
Adesh
03-07-2012 11:58 AM
I hope it is the same as below:
inside----ASA----router---internet.
Allow DNS along with HTTP and 443, and it is better to apply the access-list on the inside interface in the IN direction rather than on the outside interface in the OUT direction.
Thanks
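As an added example (not configuration posted by anyone in this thread), here is what the approach recommended in the two replies above looks like as ASA configuration: PAT for the inside subnet, an access-list applied inbound on the inside interface that permits DNS, HTTP and HTTPS from the real client addresses, and a packet-tracer check. It assumes ASA 8.3+ object NAT syntax, interfaces named "inside" (172.16.0.1/24) and "outside", and reuses the 200.200.200.1 destination from Adesh's diagram; the object and ACL names are my own.

```cisco
! Added example, not from the thread. Assumes ASA 8.3+ syntax, interface
! names "inside" and "outside", and PAT to the outside interface address.
object network INSIDE-LAN
 subnet 172.16.0.0 255.255.255.0
 nat (inside,outside) dynamic interface

! Filter on the inside interface, inbound direction: here the ACL matches
! the real (pre-NAT) client addresses in 172.16.0.0/24.
access-list INSIDE-IN extended permit udp 172.16.0.0 255.255.255.0 any eq domain
access-list INSIDE-IN extended permit tcp 172.16.0.0 255.255.255.0 any eq www
access-list INSIDE-IN extended permit tcp 172.16.0.0 255.255.255.0 any eq https
! Explicit deny with logging, so blocked flows appear in syslog instead of
! silently hitting the implicit deny at the end of the list.
access-list INSIDE-IN extended deny ip any any log
access-group INSIDE-IN in interface inside

! Confirm the path the way Adesh suggests: simulate a client HTTPS flow.
packet-tracer input inside tcp 172.16.0.10 12345 200.200.200.1 443
```

The packet-tracer output walks through the ACL and NAT phases, so if a flow is still dropped the phase that drops it (and the line that matched) is shown directly rather than having to be inferred.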