https://community.cisco.com/t5/network-security/access-to-internet/m-p/1911915#M458425 <HTML><HEAD></HEAD><BODY><P>HiEduardo,</P><P></P><P>I will try to explain it via an example:</P><P></P><P>INSIDE(172.16.0.0/24) ----- (172.16.0.1) ASA (1.1.1.1) ----- Internet ----- Google(200.200.200.1)</P><P></P><P>If users from INSIDE wants to hit internet they will be going through the a PAT on the interface. I am right?</P><P>So if you are adding access-list in OUT direction:</P><P></P><P>access-list OUT extended permit ip 172.16.x.x 255.255.255.0 any</P><P>access-group OUT out interface outside</P><P></P><P> then their is an implicit deny which will deny your natted IP 1.1.1.1. So thats why you cannot reach to internet. </P><P>Use packet-tracer to confirm.</P><P></P><P>So the best option will be allow specfic private addresses on INSIDE interface</P><P></P><P>Regard,</P><P>Adesh</P></BODY></HTML> Wed, 07 Mar 2012 19:43:08 GMT Adesh Gairola 2012-03-07T19:43:08Z https://community.cisco.com/t5/network-security/access-to-internet/m-p/1911913#M458423 <P>Good morning,</P><P></P><P>I have been configuring a cisco ASA 5520, everything is working fine but when i create an ACL: </P><P></P><P>access-list OUT extended permit ip 172.16.x.x 255.255.255.0 any</P><P>access-group OUT out interface outside</P><P></P><P>i added ports like www or 443 and it is not working to Internet access</P><P></P><P>a router is before to my firewall connected to my headquater, i can see my private networks but i cannot able to reach Internet access,</P><P></P><P>could you please help me?</P><P></P><P>thanks.</P> Mon, 11 Mar 2019 22:39:12 GMT https://community.cisco.com/t5/network-security/access-to-internet/m-p/1911913#M458423 Julio E. Moisa 2019-03-11T22:39:12Z https://community.cisco.com/t5/network-security/access-to-internet/m-p/1911914#M458424 <HTML><HEAD></HEAD><BODY><P>Hello Eduardo,</P><P></P><P></P><P>What about the Nat statements, can you provide your Configuration so we can check it.</P><P></P><P>Regards,</P><P></P><P>Julio</P></BODY></HTML> Wed, 07 Mar 2012 17:37:02 GMT https://community.cisco.com/t5/network-security/access-to-internet/m-p/1911914#M458424 Julio Carvajal 2012-03-07T17:37:02Z https://community.cisco.com/t5/network-security/access-to-internet/m-p/1911915#M458425 <HTML><HEAD></HEAD><BODY><P>HiEduardo,</P><P></P><P>I will try to explain it via an example:</P><P></P><P>INSIDE(172.16.0.0/24) ----- (172.16.0.1) ASA (1.1.1.1) ----- Internet ----- Google(200.200.200.1)</P><P></P><P>If users from INSIDE wants to hit internet they will be going through the a PAT on the interface. I am right?</P><P>So if you are adding access-list in OUT direction:</P><P></P><P>access-list OUT extended permit ip 172.16.x.x 255.255.255.0 any</P><P>access-group OUT out interface outside</P><P></P><P> then their is an implicit deny which will deny your natted IP 1.1.1.1. So thats why you cannot reach to internet. </P><P>Use packet-tracer to confirm.</P><P></P><P>So the best option will be allow specfic private addresses on INSIDE interface</P><P></P><P>Regard,</P><P>Adesh</P></BODY></HTML> Wed, 07 Mar 2012 19:43:08 GMT https://community.cisco.com/t5/network-security/access-to-internet/m-p/1911915#M458425 Adesh Gairola 2012-03-07T19:43:08Z https://community.cisco.com/t5/network-security/access-to-internet/m-p/1911916#M458430 <HTML><HEAD></HEAD><BODY><P>I hope it is same as below,</P><P></P><P>inside----ASA----router---internet.</P><P></P><P>Allow DNS with http and 443 and it is better to apply access-list on the inside interface IN direction rather than applying on outside interface out direction</P><P></P><P>Thnaks</P></BODY></HTML> Wed, 07 Mar 2012 19:58:06 GMT https://community.cisco.com/t5/network-security/access-to-internet/m-p/1911916#M458430 jack samuel 2012-03-07T19:58:06Z