Cisco Support Community

New Member

ACL permit www, block internet access?!

Hi guys,

I've configured the ASA with a normal setup, inside and outside, and all inside users can browse the internet smoothly without an access list.

I wanted to add an access list to allow only HTTP, HTTPS, and some other services, and block the others.

When I add the first access list entry "access-list inside_acl extended permit tcp any any eq www" and apply it on the inside interface, users cannot browse the INTERNET...

By removing it, everything works fine.

Please note that there is not a single deny ACL.

Any answer why? What should I do?

Regards,

1 ACCEPTED SOLUTION

Accepted Solutions
New Member

Re: ACL permit www, block internet access?!

Hi Rami,

Could you try to ping outside (the public network) using an IP address rather than a name? If it works, then it is definitely a DNS issue.

Although DNS queries support both TCP and UDP, they normally use UDP, so try adding this as the first line:

access-list inside_acl extended permit udp any any eq domain

Cheers

Roshan
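To make the accepted answer concrete, here is an added example (not from the thread or from Cisco) that models the ASA's first-match evaluation with the implicit deny at the end of every ACL. It parses only the "permit|deny tcp|udp any any eq PORT" form used in this thread, and the service-name-to-port table is an assumption of the example; it shows that Rami's all-TCP ACL never permits UDP/53, so name resolution fails even though TCP/80 is allowed.

```python
import re

# Service-name table assumed for this example (on the ASA, www and http both mean TCP/80).
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "domain": 53, "ftp": 21,
              "ldap": 389, "pop3": 110, "telnet": 23, "echo": 7}

# Only the 'access-list NAME extended permit|deny tcp|udp any any eq PORT' form is parsed.
ACE_RE = re.compile(r"^access-list\s+\S+\s+extended\s+(permit|deny)\s+"
                    r"(tcp|udp)\s+any\s+any\s+eq\s+(\S+)\s*$")

def parse_acl(text):
    """Return a list of (action, proto, port) tuples in configuration order."""
    aces = []
    for line in text.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported ACE: {line!r}")
        action, proto, port = m.groups()
        port = int(port) if port.isdigit() else PORT_NAMES[port]
        aces.append((action, proto, port))
    return aces

def evaluate(aces, proto, dst_port):
    """First matching ACE wins; no match hits the ASA's implicit deny."""
    for action, ace_proto, ace_port in aces:
        if ace_proto == proto and ace_port == dst_port:
            return action
    return "deny"  # implicit 'deny ip any any' at the end of every ACL

# Rami's ACL as posted in the thread: every line is TCP, so UDP/53 is never permitted.
RAMI_ACL = """
access-list inside_acl extended permit tcp any any eq www
access-list inside_acl extended permit tcp any any eq domain
access-list inside_acl extended permit tcp any any eq http
access-list inside_acl extended permit tcp any any eq ftp
access-list inside_acl extended permit tcp any any eq ldap
access-list inside_acl extended permit tcp any any eq pop3
access-list inside_acl extended permit tcp any any eq telnet
access-list inside_acl extended permit tcp any any eq echo
"""
# Roshan's fix: the UDP DNS line placed first (RAMI_ACL begins with a newline).
FIXED_ACL = "access-list inside_acl extended permit udp any any eq domain" + RAMI_ACL

def check_flows(acl_text):
    """Evaluate the flows a browsing client needs: UDP DNS, TCP DNS, HTTP."""
    aces = parse_acl(acl_text)
    return {"dns_udp": evaluate(aces, "udp", 53),
            "dns_tcp": evaluate(aces, "tcp", 53),
            "http": evaluate(aces, "tcp", 80)}
```

check_flows(RAMI_ACL) reports dns_udp as denied while http is permitted, which is exactly the "web allowed but nothing resolves" symptom; check_flows(FIXED_ACL) permits all three.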

8 REPLIES
New Member

Re: ACL permit www, block internet access?!

Without better information it is a rough guess. Where do your users get their DNS information from? If they are using an external DNS server, they can't access this server anymore with your access list.

Apply your ACL once again and try to allow access to this external DNS server; I guess now it will work. If not, please post some more information.

cheers

Michael

New Member

Re: ACL permit www, block internet access?!

Hi Michael,

Thanks for the reply.

Actually they are using an internal DNS server which redirects users to a public DNS server.

I already enabled DNS in my ACL, "permit eq domain".

Following is the exact ACL I applied:

access-list inside_acl extended permit tcp any any eq www

access-list inside_acl extended permit tcp any any eq domain

access-list inside_acl extended permit tcp any any eq http

access-list inside_acl extended permit tcp any any eq ftp

access-list inside_acl extended permit tcp any any eq ldap

access-list inside_acl extended permit tcp any any eq pop3

access-list inside_acl extended permit tcp any any eq telnet

access-list inside_acl extended permit tcp any any eq echo

Regards,

Rami

New Member

Re: ACL permit www, block internet access?!

Hmm, ok, this is strange. Could you please post a bit more (a configuration would be great)?

cheers Michael

New Member

Re: ACL permit www, block internet access?!

Hi Michael,

Thanks for your assistance.

It's solved by adding:

access-list inside_acl extended permit udp any any eq 53

Regards,

New Member

Re: ACL permit www, block internet access?!

Hi,

Use the following ACL to allow HTTP and HTTPS traffic:

access-list inside_acl extended permit udp any any eq 53

access-list inside_acl extended permit tcp any any eq http

access-list inside_acl extended permit tcp any any eq https

access-group inside_acl in interface inside

Also, check that the service-policy associated with the inside interface has HTTP inspected.

Regards

Roshan

New Member

Re: ACL permit www, block internet access?!

Hi Roshan,

Actually, I already did this but with "eq domain" instead of 53. Following is the exact ACL I applied:

access-list inside_acl extended permit tcp any any eq www

access-list inside_acl extended permit tcp any any eq domain

access-list inside_acl extended permit tcp any any eq http

access-list inside_acl extended permit tcp any any eq ftp

access-list inside_acl extended permit tcp any any eq ldap

access-list inside_acl extended permit tcp any any eq pop3

access-list inside_acl extended permit tcp any any eq telnet

access-list inside_acl extended permit tcp any any eq echo

Regards,

Rami

New Member

Re: ACL permit www, block internet access?!

Hi Roshan,

It's solved by entering the UDP DNS ACL:

"access-list inside_acl extended permit udp any any eq domain"

Thank you
