access-list vlan extended deny ip any 10.0.0.0 255.0.0.0
access-list vlan extended permit ip any any
When I implement this at the end, it starts denying everything before it. DNS doesn't work, or email. I would use this so machines in this vlan can access the Internet without using a proxy server, yet still deny access to our internal network, after it provides access to authorized services. Any help would be appreciated.
Where do you apply the ACL? Is it on the vlan interface (for the vlan segment), to filter anything going from inside the vlan segment out to any network in 10.0.0.0/8?
If your DNS & email servers sit in any network under 10.0.0.0, i.e. 10.1.1.0/24, which still belongs under network 10.0.0.0/8, then the internal hosts in the vlan segment definitely cannot talk to them.
This may be the reason why your clients on the vlan segment cannot access resources sitting in any range under network 10.0.0.0/8, as everything will be blocked as long as it belongs to 10.0.0.0/8.
But your intention is to bypass the proxy, which I assumed sits in any network 10.0.0.0 (any netmask); then, by right, it shouldn't affect your DNS & email access, unless of course they, too, sit in any network 10.0.0.0/x.
Does everything work fine before you add the ACL? For basic reference, your nat/global should be at least:
global (outside) 1 xx.xx.xx.xx ------>public IP, or interface (referring to outside interface IP)
nat (vpn) 1 yy.yy.yy.yy netmask zz.zz.zz.zz
What does the nat/global/static/ACL configuration look like? Please remove any public IP or sensitive info.
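The first-match evaluation behind the reply above, as an added example that is not part of the thread: a small Python evaluator run over the two ACL lines from the question, with and without a preceding permit for a DNS server. The client address 172.16.50.10, the server address 10.1.1.53 and the DNS permit line are constructed for illustration; interface direction and NAT are not modelled.

```python
import ipaddress

def parse_addr(tokens):
    """Consume one ASA address spec: 'any', 'host A', or 'A MASK'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_ace(line):
    """Parse 'access-list NAME extended ACTION PROTO SRC DST [eq PORT]'."""
    t = line.split()
    action, proto = t[3], t[4]
    src, rest = parse_addr(t[5:])
    dst, rest = parse_addr(rest)
    port = int(rest[1]) if rest[:1] == ["eq"] else None  # numeric ports only
    return action, proto, src, dst, port

def evaluate(acl_lines, proto, src, dst, dport=None):
    """Return (action, matching line); first match wins, implicit deny at end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line in acl_lines:
        action, a_proto, a_src, a_dst, a_port = parse_ace(line)
        if a_proto not in ("ip", proto):
            continue  # entry is for a different protocol
        if s in a_src and d in a_dst and a_port in (None, dport):
            return action, line
    return "deny", "implicit deny"

# The two lines from the question.
TAIL = [
    "access-list vlan extended deny ip any 10.0.0.0 255.0.0.0",
    "access-list vlan extended permit ip any any",
]
# Constructed: a permit for an internal DNS server placed before the deny.
WITH_DNS = ["access-list vlan extended permit udp any host 10.1.1.53 eq 53"] + TAIL

if __name__ == "__main__":
    client = "172.16.50.10"  # constructed client address in the vlan
    for name, acl in (("tail only", TAIL), ("with DNS permit", WITH_DNS)):
        print(name, "DNS ->", evaluate(acl, "udp", client, "10.1.1.53", 53))
        print(name, "web ->", evaluate(acl, "tcp", client, "203.0.113.10", 443))
```
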