wavess
Beginner

Internet Only ACL - gets good IP but no web access

Hi All

Second post on here.

Trying to create an ACL for internet only.

Applied it inbound to the VLAN interface.

PCs get a good IP, DNS, and gateway.

PCs cannot get on the web (www traffic).

I read up on this and thought this ACL was correct, but I am having problems at two locations.

Maybe I can run Wireshark on something to figure out what is happening, or show logs at some point?

The access ports are on a Cisco Catalyst 9200 switch. The VLAN interface is on a distribution switch that the access switch is uplinked to.

I'm probably missing some output you might need...please advise! I'm new to this stuff. Any thoughts would be appreciated. Sorry if this is so basic.

 

Extended IP access list INTERNET_ONLY
10 permit udp any any eq bootps
20 permit udp any any eq domain
30 permit tcp any any eq domain
40 permit tcp any any eq www
50 permit tcp any any eq 443
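As an added illustration (not part of any post in this thread, and not Cisco code): a small Python model of how IOS evaluates the INTERNET_ONLY ACL above. Entries are checked in sequence order, the first match wins, and anything that matches nothing hits the implicit deny at the end of the list. The script parses the `show ip access-lists` text exactly as posted and runs a handful of constructed sample flows through it, which shows why DHCP, DNS, HTTP and HTTPS pass while ping or a non-standard web port is silently dropped. The port-keyword table and the sample flows are assumptions for this example, and the parser handles only the `<seq> <action> <proto> any any [eq <port>] [log]` form used on this page.

```python
import re

# IOS port keywords used in the thread's ACL, mapped to their IANA numbers
# (the ACL on the page shows 443 numerically, so numeric ports are accepted too).
PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53, "www": 80, "ftp": 21, "ssh": 22}

# The ACL exactly as posted in the question (show ip access-lists output).
ACL_TEXT = """\
Extended IP access list INTERNET_ONLY
10 permit udp any any eq bootps
20 permit udp any any eq domain
30 permit tcp any any eq domain
40 permit tcp any any eq www
50 permit tcp any any eq 443
"""

# Only the "<seq> <action> <proto> any any [eq <port>] [log]" shape used on this page is parsed;
# source/destination addresses, wildcard masks and other port operators are out of scope.
ACE_RE = re.compile(
    r"^(\d+)\s+(permit|deny)\s+(ip|tcp|udp|icmp)\s+any\s+any(?:\s+eq\s+(\S+))?(\s+log)?$"
)


def parse_acl(text):
    """Return a list of (seq, action, proto, dst_port, log) tuples in sequence order."""
    rules = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue  # header line ("Extended IP access list ...") or unsupported syntax
        seq, action, proto, port, log = m.groups()
        dst_port = None
        if port is not None:
            dst_port = int(port) if port.isdigit() else PORT_NAMES.get(port)
            if dst_port is None:
                raise ValueError(f"unknown port keyword {port!r} in ACE {seq}")
        rules.append((int(seq), action, proto, dst_port, bool(log)))
    return sorted(rules)


def evaluate(rules, proto, dst_port=None):
    """First-match evaluation. Returns (action, matching_seq); seq None means the implicit deny."""
    for seq, action, rproto, rport, _log in rules:
        if rproto != "ip" and rproto != proto:
            continue
        if rport is not None and rport != dst_port:
            continue
        return action, seq
    return "deny", None


# Constructed sample flows a PC on the internet-only VLAN might send: (proto, destination port).
SAMPLE_FLOWS = {
    "dhcp discover": ("udp", 67),
    "dns udp": ("udp", 53),
    "dns tcp": ("tcp", 53),
    "http": ("tcp", 80),
    "https": ("tcp", 443),
    "ping gateway": ("icmp", None),
    "alt http 8080": ("tcp", 8080),
    "ntp": ("udp", 123),
}


def classify(rules, flows=SAMPLE_FLOWS):
    """Evaluate every sample flow against the ACL."""
    return {name: evaluate(rules, proto, port) for name, (proto, port) in flows.items()}


if __name__ == "__main__":
    rules = parse_acl(ACL_TEXT)
    for name, (action, seq) in classify(rules).items():
        where = "implicit deny" if seq is None else f"ACE {seq}"
        print(f"{name:15} -> {action:6} ({where})")
    # An explicit, logged deny at the bottom gives the same verdict but a sequence number and a log line.
    logged = parse_acl(ACL_TEXT + "60 deny ip any any log\n")
    print("ping with logged deny ->", evaluate(logged, "icmp"))
```

Because the ACL is applied inbound on the SVI, only packets sent by the PCs are checked; the return traffic arrives from the other direction and is never evaluated by this list, which is why matching on the destination port alone is enough here.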

Accepted Solution

wavess
Beginner

Richard, Joseph, Kasun, Jon, Balaji.

Thank you to all of you. I am posting this as the accepted solution. I do not know what I did to make this work, because nothing really changed. Perhaps my boss was doing something wrong when he was checking for internet connectivity on ports in the internet-only VLAN.

The ACL is applied inbound on the VLAN interface using the access-group in command. The ACL is created in global config and is listed below. Hopefully this helps someone else. Thanks again!

 

ACL:

Extended IP access list INTERNET_ONLY
10 permit udp any any eq bootps
20 permit udp any any eq domain
30 permit tcp any any eq domain
40 permit tcp any any eq www
50 permit tcp any any eq 443

18 Replies
balaji.bandi
VIP Guru

Is the internet working before you apply the ACL on the interface?

BB

Internet is working on other machines in different VLANs.

Extended IP access list INTERNET_ONLY
10 permit udp any any eq bootps
20 permit udp any any eq domain
30 permit tcp any any eq domain
40 permit tcp any any eq www
50 permit tcp any any eq 443

My question is: before applying this ACL, was the internet working in this VLAN? (We understand the other VLANs are working.)

But we are working on the VLAN that is not working, right? So we need some input: did it work? Or has it never worked?

BB

Jon Marshall
VIP Community Legend

As stated in the other thread, the ACL should work.

Are the IPs in the private range, and if so, has NAT been set up for them on an edge firewall/router?

Jon

Yes it is.

Yes.

Kasun Bandara
VIP Advocate

What is the error message in the web browser?

Please rate this and mark as answer if this resolved your issue.
Good luck
KB

I would think that ACL should work. Perhaps it would be helpful if you would post the running config, or at least the parts of the running config where you configure the ACL and where you assign it to an interface.

You tell us that other VLANs are working, and that is good. But we need to eliminate the possibility that there is a problem with this VLAN (perhaps NAT is not correct for this VLAN/subnet, or some other issue). So please remove the ACL and test again to verify that Internet access does work from this VLAN if the ACL is not applied.

You might consider adding to the ACL a permit for ICMP, or at least for ping/ping response. This might be helpful in troubleshooting.

If this ACL is not working, it suggests that something is needed that is not there. To investigate this possibility I suggest these steps:

- make sure that logging is enabled to at least the informational level

- add this line at the bottom of the ACL

deny ip any any log

- test Internet access from the PC connected in the VLAN

- check the logs for messages indicating what traffic is being denied by the ACL

HTH

Rick
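To make the last two of Rick's steps concrete, here is an added example (not Rick's code and not a Cisco tool): a Python parser for the syslog messages a `deny ip any any log` entry emits, `%SEC-6-IPACCESSLOGP` for TCP/UDP hits (with ports) and `%SEC-6-IPACCESSLOGDP` for ICMP hits (with type/code), that totals denied packets per protocol and destination port or ICMP type. Read against the ACL in the question, the totals show exactly which traffic the permit lines are missing. The log lines are constructed samples modeled on that message format; the addresses, ports and counts are invented for the example, and the regular expression is an assumption that covers only the message shapes shown.

```python
import re
from collections import Counter

# Constructed sample syslog lines modeled on the IOS %SEC-6-IPACCESSLOG* messages that a
# "deny ip any any log" ACE produces. Addresses, ports and counts are invented for this example.
SAMPLE_LOG = """\
*Mar  1 10:15:02.113: %SEC-6-IPACCESSLOGP: list INTERNET_ONLY denied tcp 192.168.50.10(49822) -> 203.0.113.20(8080), 1 packet
*Mar  1 10:15:07.441: %SEC-6-IPACCESSLOGDP: list INTERNET_ONLY denied icmp 192.168.50.10 -> 203.0.113.20 (8/0), 4 packets
*Mar  1 10:15:09.002: %SEC-6-IPACCESSLOGP: list INTERNET_ONLY denied udp 192.168.50.11(61000) -> 192.168.50.1(123), 1 packet
*Mar  1 10:15:12.590: %SEC-6-IPACCESSLOGP: list INTERNET_ONLY denied tcp 192.168.50.12(50113) -> 203.0.113.20(8080), 3 packets
*Mar  1 10:20:01.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""

# IPACCESSLOGP: tcp/udp with ports; IPACCESSLOGDP: icmp with (type/code); IPACCESSLOGNP: other protocols.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG(?P<kind>P|DP|NP): list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)(?:\((?P<sport>\d+)\))? -> (?P<dst>[\d.]+)(?:\((?P<dport>\d+)\))?"
    r"(?: \((?P<itype>\d+)/(?P<icode>\d+)\))?, (?P<count>\d+) packets?"
)


def parse_acl_log(text):
    """Return one dict per ACL log message; unrelated syslog lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        events.append({
            "acl": d["acl"],
            "action": d["action"],
            "proto": d["proto"],
            "src": d["src"],
            "dst": d["dst"],
            "dport": int(d["dport"]) if d["dport"] else None,
            "icmp_type": int(d["itype"]) if d["itype"] else None,
            "count": int(d["count"]),
        })
    return events


def flow_key(event):
    """Group ICMP by type and everything else by destination port."""
    if event["proto"] == "icmp":
        return ("icmp", f"type {event['icmp_type']}")
    return (event["proto"], event["dport"])


def summarize_denies(events, acl_name):
    """Total denied packets per (proto, port/type) for one ACL."""
    totals = Counter()
    for e in events:
        if e["acl"] == acl_name and e["action"] == "denied":
            totals[flow_key(e)] += e["count"]
    return totals


if __name__ == "__main__":
    events = parse_acl_log(SAMPLE_LOG)
    for key, n in summarize_denies(events, "INTERNET_ONLY").most_common():
        print(f"{key[0]:5} {str(key[1]):10} {n:>4} packets denied")
```

Keep in mind that IOS logs the first packet that matches a logged entry and then periodic summaries rather than every packet, so the counts are totals per reporting interval, not a packet capture; they are enough to tell you that, for example, ping (ICMP type 8) and port 8080 are being dropped, which is what you need to decide whether the ACL or something upstream (NAT, routing) is the problem.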