ACL question

I have an acl to get all users out to the internet-

access-list Internet_access_out tcp_group_internet_access

access-list Internet_access_out extended permit tcp any any object-group internet_test

access-list Internet_access_out extended permit tcp any any eq www

access-list Internet_access_out extended permit tcp any any eq domain

access-list Internet_access_out extended permit tcp any any eq https

access-list Internet_access_out extended permit tcp any any eq ftp

access-list Internet_access_out extended permit tcp any any eq citrix-ica

access-list Internet_access_out extended permit tcp any any range 2095 2095

access-list Internet_access_out extended permit tcp any any range 9100 9100

When I change the source (any) to the ip address of the proxy server, I get an error message.

4 Aug 08 2007 09:25:29 106023 10.132.129.30 65.54.152.126 Deny tcp src inside:10.132.129.30/50285 dst outside:65.54.152.126/80 by access-group "Internet_access_out" [0x0, 0x0]

I would appreciate any help. Thanks.

8 REPLIES
Green

Re: ACL question

So you made it like this...

access-list Internet_access_out extended permit tcp host 10.132.129.30 any eq www

and you receive the Deny message above?

New Member

Re: ACL question

yes

Green

Re: ACL question

Well that doesn't make sense does it? Sure that you put "host 10.132.129.30 any" and not "any host 10.132.129.30"? How is the acl applied?

New Member

Re: ACL question

I just changed it to this-

access-list Internet_access_out extended permit tcp host 10.132.129.30 any eq www

Here is the error message-

4 Aug 08 2007 12:08:26 106023 10.132.129.30 199.181.132.250 Deny tcp src inside:10.132.129.30/52112 dst outside:199.181.132.250/80 by access-group "Internet_access_out" [0x0, 0x0]

New Member

Re: ACL question

A little more info-

TFBPCiscoASA(config)# sh run access-g

access-group dbadirect_tunnel1_acl in interface outside

access-group Internet_access_out out interface outside

TFBPCiscoASA(config)# sh run static

static (inside,outside) x.x.x.207 10.132.129.30 netmask 255.255.255.255

The static for the proxy is not the outside interface address.

Hall of Fame Super Blue

Re: ACL question

Mike

What happens if you use the NATted address in your access-list, i.e. x.x.x.207 instead of the 10.132.29.30 address?

Jon

Green

Re: ACL question

Or apply the acl in interface inside instead.

New Member

Re: ACL question

Thank you both for your help. Changing the acl to use the NATted address worked.
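Added example, not part of the thread: a small Python model of why both suggestions work. On the pre-8.3 ASA code in use here, an access-group applied "out interface outside" is checked after the static NAT has rewritten the source, so it sees x.x.x.207; an access-group applied "in interface inside" sees the real 10.132.129.30. The ASA names, the ACL syntax and the syslog addresses come from the thread; 203.0.113.207 is a constructed stand-in for the redacted x.x.x.207, and the parser only handles the "any" / "host" forms used above.

```python
import ipaddress

# static (inside,outside) x.x.x.207 10.132.129.30 -> real address : mapped address
# 203.0.113.207 is a constructed stand-in for the redacted x.x.x.207
STATIC_NAT = {"10.132.129.30": "203.0.113.207"}
PORTS = {"www": 80, "https": 443, "domain": 53, "ftp": 21}

def _addr(tokens, i):
    """Consume one address spec ('any' or 'host A.B.C.D') starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    raise ValueError("unsupported address spec: " + tokens[i])

def parse_ace(line):
    """Parse 'access-list NAME extended permit tcp SRC DST [eq PORT]' into a dict."""
    t = line.split()
    src, i = _addr(t, 5)
    dst, i = _addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        dport = PORTS.get(t[i + 1]) or int(t[i + 1])
    return {"name": t[1], "action": t[3], "src": src, "dst": dst, "dport": dport}

def acl_lookup(aces, src, dst, dport):
    """First-match evaluation, ending in the ASA's implicit deny."""
    for ace in aces:
        if (ipaddress.ip_address(src) in ace["src"]
                and ipaddress.ip_address(dst) in ace["dst"]
                and ace["dport"] in (None, dport)):
            return ace["action"]
    return "deny"

def forward_inside_to_outside(aces, applied, src, dst, dport):
    """Order of operations for an inside->outside packet on pre-8.3 code:
    'in interface inside' is checked before NAT (real source), while
    'out interface outside' is checked after NAT (mapped source)."""
    if applied == "in interface inside":
        return acl_lookup(aces, src, dst, dport)
    return acl_lookup(aces, STATIC_NAT.get(src, src), dst, dport)

ACE_REAL = [parse_ace("access-list Internet_access_out extended permit tcp host 10.132.129.30 any eq www")]
ACE_NAT = [parse_ace("access-list Internet_access_out extended permit tcp host 203.0.113.207 any eq www")]
PKT = ("10.132.129.30", "65.54.152.126", 80)  # the flow in the 106023 syslog above

if __name__ == "__main__":
    print(forward_inside_to_outside(ACE_REAL, "out interface outside", *PKT))  # deny
    print(forward_inside_to_outside(ACE_NAT, "out interface outside", *PKT))   # permit
    print(forward_inside_to_outside(ACE_REAL, "in interface inside", *PKT))    # permit
```

From ASA 8.3 onward the access-group is always matched on real addresses, so the first variant would have worked as written; the model above applies to the 2007-era code in this thread.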
