11-01-2006 10:19 AM - edited 02-20-2020 09:38 PM
I have at the end of my access list this rule:
access-list vlan extended deny ip any 10.0.0.0 255.0.0.0
access-list vlan extended permit ip any any
When I implement this at the end, it starts denying everything before it. DNS doesn't work, or email. I would use this so machines in this vlan can access the Internet without using a proxy server, yet still deny access to our internal network, after it provides access to authorized services. Any help would be appreciated.
11-01-2006 12:15 PM
Hello,
can you show us the entire access list and what the destination IP addresses are? From the sounds of it, your DNS servers may be on the 10.x network.
Also include your nat statements if you can.
11-02-2006 05:14 AM
Where do you apply the ACL? Is it on the vlan interface (for the vlan segment) to filter anything from inside the vlan segment going out to any network in 10.0.0.0/8?
If your DNS & email servers sit in any network under 10.0.0.0, e.g. 10.1.1.0/24, which still belongs to 10.0.0.0/8, then the internal hosts in the vlan segment definitely cannot talk to them.
This may be the reason why your clients on the vlan segment cannot access resources sitting in any range under 10.0.0.0/8, as everything will be blocked as long as it belongs to 10.0.0.0/8.
But your intention is to bypass the proxy, which I assume sits in some 10.0.0.0 network (any netmask); by right, it shouldn't affect your DNS & email access, unless of course they too sit in some 10.0.0.0/x network.
Does everything work fine before you add the ACL? For basic reference, your nat/global should be at least:
global (outside) 1 xx.xx.xx.xx ------>public IP, or interface (referring to outside interface IP)
nat (vpn) 1 yy.yy.yy.yy netmask zz.zz.zz.zz
What does the nat/global/static/ACL configuration look like? Pls remove any public IP or sensitive info.
HTH
AK
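The replies above both point at the same thing: an ACL is evaluated top-down and the first matching entry wins, so a `deny ip any 10.0.0.0 255.0.0.0` line catches every destination in 10.0.0.0/8, DNS and mail servers included, before the `permit ip any any` is ever reached. The following Python script is an added example, not code from the original thread or from Cisco; it simulates first-match evaluation of the poster's two lines and of a corrected list that permits the needed internal hosts before the /8 deny. All addresses (a client at 10.200.0.10, a DNS server at 10.1.1.53, a mail server at 10.1.1.25, a proxy at 10.1.1.80, an Internet host at 203.0.113.10) are constructed assumptions.

```python
import ipaddress


def parse_ace(line):
    """Parse one PIX/ASA-style entry of the form
    'access-list <name> extended <permit|deny> ip <src> <dst>'
    into (action, src_network, dst_network).
    Accepts 'any', 'host A.B.C.D', or 'A.B.C.D NETMASK' (netmask form, as on the page).
    Only protocol 'ip' is handled, which is all the thread uses."""
    parts = line.split()
    if parts[0] != "access-list" or parts[2] != "extended" or parts[4] != "ip":
        raise ValueError(f"unsupported ACE: {line}")
    action = parts[3]

    def take(i):
        # Return (network, next_index) for the operand starting at parts[i].
        if parts[i] == "any":
            return ipaddress.ip_network("0.0.0.0/0"), i + 1
        if parts[i] == "host":
            return ipaddress.ip_network(parts[i + 1] + "/32"), i + 2
        return ipaddress.ip_network(f"{parts[i]}/{parts[i + 1]}", strict=False), i + 2

    src, idx = take(5)
    dst, _ = take(idx)
    return action, src, dst


def evaluate(acl, src_ip, dst_ip):
    """First-match evaluation: return (action, index) of the first entry that
    matches the flow, or ('deny', None) for the implicit deny at the end."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for i, line in enumerate(acl):
        action, src, dst = parse_ace(line)
        if s in src and d in dst:
            return action, i
    return "deny", None


# The two lines quoted in the original question.
ORIGINAL_ACL = [
    "access-list vlan extended deny ip any 10.0.0.0 255.0.0.0",
    "access-list vlan extended permit ip any any",
]

# Corrected ordering (constructed): permit the specific internal services the
# VLAN needs *before* the broad deny, then let everything else (the Internet)
# through.  In a real deployment narrow these to the protocol/port actually
# needed (e.g. udp 53 for DNS) rather than 'ip'.
FIXED_ACL = [
    "access-list vlan extended permit ip any host 10.1.1.53",   # assumed DNS server
    "access-list vlan extended permit ip any host 10.1.1.25",   # assumed mail server
    "access-list vlan extended deny ip any 10.0.0.0 255.0.0.0",
    "access-list vlan extended permit ip any any",
]

# Constructed sample flows from a VLAN client to each destination of interest.
CLIENT = "10.200.0.10"
FLOWS = {
    "dns": "10.1.1.53",
    "mail": "10.1.1.25",
    "proxy": "10.1.1.80",       # should stay blocked: the point is to bypass it
    "internet": "203.0.113.10",  # documentation range, stands in for a public host
}


def verdicts(acl):
    """Map each named flow to the action the ACL takes on it."""
    return {name: evaluate(acl, CLIENT, dst)[0] for name, dst in FLOWS.items()}


if __name__ == "__main__":
    for label, acl in (("original", ORIGINAL_ACL), ("fixed", FIXED_ACL)):
        print(label, verdicts(acl))
```

Running it shows why the poster sees DNS and email fail: with the original list, every 10.x destination hits entry 0 (the deny) first, while the Internet host falls through to entry 1. With the corrected order, DNS and mail match their explicit permits at the top, the proxy still hits the /8 deny, and Internet traffic reaches the final permit.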