https://community.cisco.com/t5/network-security/acl-question/m-p/742015#M982838 <HTML><HEAD></HEAD><BODY><P>Or apply the acl in interface inside instead.</P></BODY></HTML> Wed, 08 Aug 2007 15:24:03 GMT acomiskey 2007-08-08T15:24:03Z https://community.cisco.com/t5/network-security/acl-question/m-p/742008#M982831 <P>I have an acl to get all users out to the internet- </P><P></P><P>access-list Internet_access_out tcp_group_internet_access</P><P>access-list Internet_access_out extended permit tcp any any object-group internet_test </P><P>access-list Internet_access_out extended permit tcp any any eq www </P><P>access-list Internet_access_out extended permit tcp any any eq domain </P><P>access-list Internet_access_out extended permit tcp any any eq https </P><P>access-list Internet_access_out extended permit tcp any any eq ftp </P><P>access-list Internet_access_out extended permit tcp any any eq citrix-ica </P><P>access-list Internet_access_out extended permit tcp any any range 2095 2095 </P><P>access-list Internet_access_out extended permit tcp any any range 9100 9100 </P><P></P><P>When I change the source (any) to the ip address of the proxy server, I get an error message.</P><P></P><P>4 Aug 08 2007 09:25:29 106023 10.132.129.30 65.54.152.126 Deny tcp src inside:10.132.129.30/50285 dst outside:65.54.152.126/80 by access-group "Internet_access_out" [0x0, 0x0]</P><P></P><P>I would appreciate any help. Thanks.</P> Mon, 11 Mar 2019 10:55:17 GMT https://community.cisco.com/t5/network-security/acl-question/m-p/742008#M982831 mike.feeney 2019-03-11T10:55:17Z https://community.cisco.com/t5/network-security/acl-question/m-p/742009#M982832 <HTML><HEAD></HEAD><BODY><P>So you made it like this...</P><P></P><P>access-list Internet_access_out extended permit tcp host 10.132.129.30 any eq www </P><P></P><P>and you receive the Deny message above?</P><P></P></BODY></HTML> Wed, 08 Aug 2007 14:43:15 GMT https://community.cisco.com/t5/network-security/acl-question/m-p/742009#M982832 acomiskey 2007-08-08T14:43:15Z https://community.cisco.com/t5/network-security/acl-question/m-p/742010#M982833 <HTML><HEAD></HEAD><BODY><P>yes</P></BODY></HTML> Wed, 08 Aug 2007 14:49:48 GMT https://community.cisco.com/t5/network-security/acl-question/m-p/742010#M982833 mike.feeney 2007-08-08T14:49:48Z https://community.cisco.com/t5/network-security/acl-question/m-p/742011#M982834 <HTML><HEAD></HEAD><BODY><P>Well that doesn't make sense does it? Sure that you put "host 10.132.129.30 any" and not "any host 10.132.129.30"? How is the acl applied?</P></BODY></HTML> Wed, 08 Aug 2007 14:54:12 GMT https://community.cisco.com/t5/network-security/acl-question/m-p/742011#M982834 acomiskey 2007-08-08T14:54:12Z https://community.cisco.com/t5/network-security/acl-question/m-p/742012#M982835 <HTML><HEAD></HEAD><BODY><P>I just changed it to this-</P><P></P><P>access-list Internet_access_out extended permit tcp host 10.132.129.30 any eq www</P><P></P><P>Here is the error message- </P><P></P><P>4 Aug 08 2007 12:08:26 106023 10.132.129.30 199.181.132.250 Deny tcp src inside:10.132.129.30/52112 dst outside:199.181.132.250/80 by access-group "Internet_access_out" [0x0, 0x0] </P></BODY></HTML> Wed, 08 Aug 2007 15:06:01 GMT https://community.cisco.com/t5/network-security/acl-question/m-p/742012#M982835 mike.feeney 2007-08-08T15:06:01Z https://community.cisco.com/t5/network-security/acl-question/m-p/742013#M982836 <HTML><HEAD></HEAD><BODY><P>A little more info-</P><P></P><P>TFBPCiscoASA(config)# sh run access-g</P><P>access-group dbadirect_tunnel1_acl in interface outside</P><P>access-group Internet_access_out out interface outside</P><P>TFBPCiscoASA(config)# sh run static</P><P>static (inside,outside) x.x.x.207 10.132.129.30 netmask 255.255.255.255</P><P></P><P>The static for the proxy is not the outside interface address.</P></BODY></HTML> Wed, 08 Aug 2007 15:16:14 GMT https://community.cisco.com/t5/network-security/acl-question/m-p/742013#M982836 mike.feeney 2007-08-08T15:16:14Z https://community.cisco.com/t5/network-security/acl-question/m-p/742014#M982837 <HTML><HEAD></HEAD><BODY><P>Mike </P><P></P><P>What happens if you use the Natted address in your access-list ie x.x.x.207 instead of the 10.132.29.30 address ?</P><P></P><P>Jon</P></BODY></HTML> Wed, 08 Aug 2007 15:18:39 GMT https://community.cisco.com/t5/network-security/acl-question/m-p/742014#M982837 Jon Marshall 2007-08-08T15:18:39Z https://community.cisco.com/t5/network-security/acl-question/m-p/742015#M982838 <HTML><HEAD></HEAD><BODY><P>Or apply the acl in interface inside instead.</P></BODY></HTML> Wed, 08 Aug 2007 15:24:03 GMT https://community.cisco.com/t5/network-security/acl-question/m-p/742015#M982838 acomiskey 2007-08-08T15:24:03Z https://community.cisco.com/t5/network-security/acl-question/m-p/742016#M982839 <HTML><HEAD></HEAD><BODY><P>Thank you both for your help. Changing the acl to use the natted address worked. </P></BODY></HTML> Wed, 08 Aug 2007 15:28:28 GMT https://community.cisco.com/t5/network-security/acl-question/m-p/742016#M982839 mike.feeney 2007-08-08T15:28:28Z