
Access List not going in order

I have at the end of my access list this rule:

access-list vlan extended deny ip any

access-list vlan extended permit ip any any

When I implement this at the end, it starts denying everything before it. DNS doesn't work, or email. I would use this so machines in this vlan can access the Internet without using a proxy server, yet still deny access to our internal network, after it provides access to authorized services. Any help would be appreciated.


Re: Access List not going in order


Can you show us the entire access list and what a destination IP address is? From the sounds of it, your DNS servers may be on the 10.x network.

Also include your nat statements if you can.

Re: Access List not going in order

Where do you apply the ACL? Is it on the vlan interface (for vlan segment) to filter anything from inside the vlan segment to go out to any network

If your DNS & email servers sit in any network, i.e., that still belongs under network, then the internal hosts in vlan segment will definitely not be able to talk to them.

This may be the reason why your clients on vlan segment cannot access resources sitting in any range under network, as everything will be blocked as long as it belongs to

But your intention is to bypass Proxy, which I assumed sits in any network (any netmask); then, by right, it shouldn't affect your DNS & email access, unless of course they, too, sit in any network

Does everything work fine before you add the ACL? For basic ref, your nat/global should be at least:

global (outside) 1 xx.xx.xx.xx ------>public IP, or interface (referring to outside interface IP)

nat (vpn) 1 yy.yy.yy.yy netmask zz.zz.zz.zz

What does the nat/global/static/ACL configuration look like? Please remove any public IP or sensitive info.
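
The question both replies raise, whether the DNS and mail servers fall inside the range the deny entry covers, can be checked with a small first-match evaluator. This is an added example, not code or configuration from anyone in the thread; the 10.0.0.0/8 range, the server addresses and the `ace`/`evaluate` helpers are assumptions made for illustration.

```python
import ipaddress

# Constructed ACL entries (all addresses are assumptions, not from the thread).
# Source is "any" in every entry, so only protocol/destination/port are modelled.
def ace(action, proto, dst, port=None):
    return (action, proto, ipaddress.ip_network(dst), port)

AUTHORIZED = [
    ace("permit", "udp", "10.1.1.10/32", 53),  # internal DNS server (assumed)
    ace("permit", "tcp", "10.1.1.20/32", 25),  # internal mail server (assumed)
]
TAIL = [
    ace("deny", "ip", "10.0.0.0/8"),           # rest of the internal range
    ace("permit", "ip", "0.0.0.0/0"),          # everything else: Internet
]

def evaluate(acl, proto, dst_ip, dst_port=None):
    """Return (action, index) of the first matching entry, scanning top-down."""
    dst = ipaddress.ip_address(dst_ip)
    for i, (action, a_proto, net, port) in enumerate(acl):
        if a_proto not in ("ip", proto):
            continue  # protocol does not match this entry
        if dst not in net:
            continue  # destination outside this entry's network
        if port is not None and port != dst_port:
            continue  # entry is port-specific and the port differs
        return action, i
    return "deny", None  # implicit deny when no entry matches

if __name__ == "__main__":
    flows = [("udp", "10.1.1.10", 53), ("tcp", "10.1.1.99", 445),
             ("tcp", "203.0.113.5", 443)]
    for name, acl in [("specific permits first", AUTHORIZED + TAIL),
                      ("deny/permit tail only", TAIL),
                      ("deny first", TAIL + AUTHORIZED)]:
        print(name)
        for flow in flows:
            print("  ", flow, "->", evaluate(acl, *flow))
```

The entry index in each result identifies which line decided the flow, which is the same thing the hit counters in `show access-list` tell you on the device.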