
New Member

Access List not going in order

I have at the end of my access list this rule:

access-list vlan extended deny ip any 10.0.0.0 255.0.0.0

access-list vlan extended permit ip any any

When I implement this at the end, it starts denying everything before it. DNS doesn't work, or email. I would use this so machines in this vlan can access the Internet without using a proxy server, yet still deny access to our internal network, after it provides access to authorized services. Any help would be appreciated.

2 REPLIES
Bronze

Re: Access List not going in order

Hello,

Can you show us the entire access list and what the destination IP addresses are? From the sounds of it, your DNS servers may be on the 10.x network.

Also include your nat statements if you can.

Re: Access List not going in order

Where do you apply the ACL? Is it on the vlan interface (for the vlan segment), to filter anything from inside the vlan segment going out to any network in 10.0.0.0/8?

If your DNS & email servers sit in any network in 10.0.0.0, i.e. 10.1.1.0/24, which still belongs under network 10.0.0.0/8, then the internal hosts in the vlan segment definitely cannot talk to them.

This may be the reason why your clients on the vlan segment cannot access resources sitting in any range under network 10.0.0.0/8, as everything will be blocked as long as it belongs to 10.0.0.0/8.

But your intention is to bypass the proxy, which I assume sits in a 10.0.0.0 network (any netmask); then by right it shouldn't affect your DNS & email access, unless of course they too sit in a 10.0.0.0/x network.

Does everything work fine before you add the ACL? For basic reference, your nat/global should be at least:

global (outside) 1 xx.xx.xx.xx ------>public IP, or interface (referring to outside interface IP)

nat (vpn) 1 yy.yy.yy.yy netmask zz.zz.zz.zz

What does the nat/global/static/ACL configuration look like? Please remove any public IP or sensitive info.

HTH

AK
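As an added illustration (not part of either reply), the following Python evaluator applies ASA-style first-match semantics to the two lines from the question and shows why the blanket deny at the end swallows DNS when the DNS server lives in 10.0.0.0/8, and why a more specific permit placed before that deny lets it through. The DNS server address 10.1.1.53 and the client address 192.168.10.20 are constructed for the example; the thread does not state them.

```python
import ipaddress

def parse_ace(line):
    # Handles the subset of ASA extended ACE syntax used on this page:
    # access-list <name> extended <permit|deny> <proto> <src> <dst> [eq <port>]
    # where <src>/<dst> are "any" or "<network> <netmask>".
    tok = line.split()
    assert tok[0] == "access-list" and tok[2] == "extended"
    action, proto, i = tok[3], tok[4], 5
    def take_addr():
        nonlocal i
        if tok[i] == "any":
            i += 1
            return ipaddress.ip_network("0.0.0.0/0")
        net = ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False)
        i += 2
        return net
    src, dst = take_addr(), take_addr()
    port = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
    return {"action": action, "proto": proto, "src": src, "dst": dst, "port": port}

def evaluate(acl_lines, proto, src_ip, dst_ip, dst_port=None):
    """Return 'permit' or 'deny' from the first matching ACE, top to bottom."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in map(parse_ace, acl_lines):
        if ace["proto"] not in ("ip", proto):
            continue
        if s not in ace["src"] or d not in ace["dst"]:
            continue
        if ace["port"] is not None and ace["port"] != dst_port:
            continue
        return ace["action"]
    return "deny"  # implicit deny at the end of every ASA ACL

# The two lines exactly as posted in the question.
ACL_AS_POSTED = [
    "access-list vlan extended deny ip any 10.0.0.0 255.0.0.0",
    "access-list vlan extended permit ip any any",
]
# Same ACL with an explicit permit for a (constructed) internal DNS server
# placed BEFORE the blanket deny, so first-match reaches it first.
ACL_FIXED = [
    "access-list vlan extended permit udp any 10.1.1.53 255.255.255.255 eq 53",
] + ACL_AS_POSTED

if __name__ == "__main__":
    for name, acl in (("as posted", ACL_AS_POSTED), ("fixed", ACL_FIXED)):
        print(name, "DNS:", evaluate(acl, "udp", "192.168.10.20", "10.1.1.53", 53),
              "internal:", evaluate(acl, "tcp", "192.168.10.20", "10.5.5.5", 445),
              "internet:", evaluate(acl, "tcp", "192.168.10.20", "203.0.113.9", 443))
```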
