Internet Routing IP isolation - cannot figure it out

Jeffrey_233 · ‎11-16-2023

Hi All

Network setup before my time and all traffic was routed via a proxy.
We upgraded our firewalls and now don't need the old proxy.
However our switches still have ACL's on them while we migrate to the FW.

I'm struggling to find the right IP to internet.
Currently I"m doing a

permit ip 10.10.11.250/32 any

What i have tried in place of the above.
But still get nothing.

permit ip 10.10.11.250/32 10.86.10.1/32
permit ip 10.10.11.250/32 10.10.10.0/23
permit ip 10.10.11.250/32 10.81.220.0/24

From my DC cores I have done a

show ip route 10.10.11.250
IP Route Table for VRF "default"
'*' denotes best ucast next-hop
'**' denotes best mcast next-hop
'[x/y]' denotes [preference/metric]
'%<string>' in via output denotes VRF <string>

10.10.10.0/23, ubest/mbest: 1/0
    *via 10.86.10.1, [1/0], 4w1d, static

What am i missing?

Richard Burts · ‎11-16-2023

The drawing does give us an idea of your environment. But I am not clear what you are really asking. It seems to be about access lists. But what kind of acl, on which device, and what do you want it to do?

HTH

Rick

Jeffrey_233 · ‎11-16-2023

Hey @Richard Burts

I'm trying allow internet to the 10.10.11.250.
But not with an any rule.
Because then all my post acls are irrelevant, which i cannot have.

I'm trying to get to

permit ip 10.10.11.250 x.x.x.x eq 443
permit ip 10.10.11.250 x.x.x.x eq www

trying with the above I don't get a connection using the any destination.

Richard Burts · ‎11-16-2023

If the issue is that 10.10.11.250 does not have Internet access my first question is are you sure that it is an issue with access lists? Is it possible that the device does not have a correct default gateway? Is it possible that there is not a correct Network Address Translation entry for that address?

If you traceroute (or tracert depending on OS) how far does it get?

HTH

Rick

MHM Cisco World · ‎11-16-2023

I am too dont get it what issue here

Jeffrey_233 · ‎11-19-2023

default gateway is 10.10.10.1 as it's a /23
NAT is in place
On the acl's icmp is set to

permit icmp any any

if i do a ping to 8.8.8.8 it does complete to google.

I would expect that the below would get me internet?

permit tcp 10.10.11.250/32 10.86.10.4/32 eq 443
permit tcp 10.10.11.250/32 10.86.10.4/32 eq www

But it only works if i do

permit ip 10.10.11.250/32 any

Richard Burts · ‎11-20-2023

Thanks for the update. If it only works if you permit "any" it suggests that something else is required - DNS comes to mind. Try adding a specific permit for DNS and tell us the result.

HTH

Rick

MHM Cisco World · ‎11-20-2023

Can I see NAT rule you use ?

Jeffrey_233 · ‎11-20-2023

Hey all
DNS is going to my Domain Controllers a few ACL's before.
Which does all seem to work.

permit udp any eq bootps any eq bootps
permit udp 10.10.10.0/23 10.10.110.27/32 eq domain
permit tcp 10.10.10.0/23 10.10.110.27/32 eq domain

I now have gotten it to work with, after chatting to a friend.

permit tcp 10.10.11.250/32 any eq 443
permit tcp 10.10.11.250/32 any eq www

I would have though i could have put in the layer3 IP address.
to get internet out?

permit tcp 10.10.11.250/32 10.86.10.4/32 eq 443
permit tcp 10.10.11.250/32 10.86.10.4/32 eq www

My friend says it need to be

any

the whole scope is being NAT'ed out, on the firewall.