Internet Only ACL - gets good IP but no web access

wavess
Level 1

Hi All

 

Second post on here.

Trying to create an ACL for internet only.

Applied it inbound to the VLAN interface.

PCs get a good IP, DNS, and gateway.

PCs cannot get on the web (www traffic).

 

I read up on this and thought this ACL was correct, but I am having problems at two locations.  

 

Maybe I can run Wireshark on something to figure out what is happening, or show logs at some point?

 

The access ports are on a Cisco Catalyst 9200 switch. The VLAN interface is on a distribution switch that the access switch is uplinked to.

 

I'm probably missing some output you might need... please advise! I'm new to this stuff. Any thoughts would be appreciated. Sorry if this is so basic.

 

Extended IP access list INTERNET_ONLY
10 permit udp any any eq bootps
20 permit udp any any eq domain
30 permit tcp any any eq domain
40 permit tcp any any eq www
50 permit tcp any any eq 443

Accepted Solution

wavess
Level 1

Richard, Joseph, Kasun, Jon, Balaji.  

 

Thank you to all of you.  I am posting this as the accepted solution.  I do not know what I did to make this work, because nothing really changed.  Perhaps my boss was doing something wrong when he was checking for internet connectivity on ports in the internet only vlan.  

 

The ACL is applied inbound on the VLAN interface using the access-group in command. The ACL is created in global config and is listed below. Hopefully this helps someone else. Thanks again!

 

ACL:

Extended IP access list INTERNET_ONLY
10 permit udp any any eq bootps
20 permit udp any any eq domain
30 permit tcp any any eq domain
40 permit tcp any any eq www
50 permit tcp any any eq 443


18 Replies

balaji.bandi
Hall of Fame

Is the internet working before you apply the ACL on the interface?

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Internet is working on other machines in different VLANs.

Extended IP access list INTERNET_ONLY
10 permit udp any any eq bootps
20 permit udp any any eq domain
30 permit tcp any any eq domain
40 permit tcp any any eq www
50 permit tcp any any eq 443

My question is: before applying this ACL, was the internet working in this VLAN? (We understand the other VLANs are working.)

But we are working on the VLAN that is not working, right? So we need some input: did it work before? Or has it never worked?

 

BB


 

As stated in the other thread, the ACL should work.

 

Are the IPs in the private range, and if so, has NAT been set up for them on an edge firewall/router?

 

Jon

Yes it is.

Yes.

What is the error message in the web browser?

Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB

I would think that acl should work. Perhaps it would be helpful if you would post the running config - or at least from the running config the parts where you configure the acl and where you assign it to an interface.

You tell us that other vlans are working and that is good. But we need to eliminate the possibility that there is a problem with this vlan (perhaps NAT is not correct for this vlan/subnet, or some other issue). So please remove the acl, and test again to verify that Internet access does work from this vlan if acl not applied.

You might consider adding to the acl a permit for icmp - or at least for ping/ping response. This might be helpful in troubleshooting.

If this acl is not working it suggests that something is needed that is not there. To investigate this possibility I suggest these steps:

- make sure that logging is enabled to at least level of informational

- add this line at the bottom of the acl

deny ip any any log

- test Internet access from the PC connected in the vlan

- check the logs for messages indicating what traffic is being denied by the acl

HTH

Rick

When I removed the ACL from the VLAN interface, everything worked. So maybe this means it is not a NAT issue? Right now the ACL is off.

I will add the deny ip any any log command at the end of the ACL and see what happens. Thanks Richard!

 

Here is the output from one of the interfaces that is in the 'INTERNET ONLY' VLAN. There may not be anything connected, I don't know. These are Ethernet ports in dorm rooms. Most residents use the WiFi, but if they plug in we want the ports to not be able to access our internet resources.


interface GigabitEthernet1/0/21
description DORM ROOM 7
switchport access vlan 99
switchport mode access
end

 

 

I removed the ACL from the VLAN 99 interface. If the command were there, I would type: "ip access-group INTERNET_ONLY in"

 

interface Vlan99
ip address 10.5.3.251 255.255.255.0
ip helper-address DOMAIN CONTROLLER #1
ip helper-address DOMAIN CONTROLLER #2

 

 

Here is the config for setting up the internet only ACL:

#show access-lists
Extended IP access list INTERNET_ONLY
10 permit udp any any eq bootps
20 permit udp any any eq domain
30 permit tcp any any eq domain
40 permit tcp any any eq www
50 permit tcp any any eq 443

 

Thanks for the additional information. If you remove the acl and then these devices do have Internet access then that would demonstrate that it is not a NAT issue. It will be very interesting to see the results when you add the deny ip any any log to the acl.

HTH

Rick

Hi All

 

Thanks for being patient.  Here is an update.

 

My boss said the ACL wasn't working and that he could not get online when physically plugging into any of the Ethernet jacks that were in the internet only VLAN. I just went to the location today, and I can get online both before I apply the ACL and after I apply the ACL. I then tried to do some things that would invoke protocols that were blocked, like ping and SSH. Here is the output I got when I walked down the hall and plugged physically into the switch.

I applied the ACL inbound on the VLAN interface. VLAN interface 53. IP address 10.5.3.1. Computers on the VLAN get an IP on the 10.5.3.x network.

Any thoughts on what is reportedly causing intermittent network access for users on the internet only VLAN? VLAN is up, interface is up.

 

Also, I reviewed this log and do not see any sensitive info that would compromise my company. If I am wrong, please tell me. Thanks.

 

 

CDT Wed Apr 13 2022
025957: Apr 13 14:25:36: %SEC-6-IPACCESSLOGP: list INTERNET_ONLY denied tcp 10.5.3.1(55711) -> 192.168.x.x(22), 1 packet
025958: Apr 13 14:25:38: %SEC-6-IPACCESSLOGP: list INTERNET_ONLY denied tcp 10.5.3.1(58445) -> 205.238.10.140(5721), 1 packet
025959: Apr 13 14:25:43: %SEC-6-IPACCESSLOGP: list INTERNET_ONLY denied tcp 10.5.3.1(58707) -> 192.168.x.x(445), 1 packet
025960: Apr 13 14:26:00: %SEC-6-IPACCESSLOGP: list INTERNET_ONLY denied tcp 10.5.3.1(55719) -> 205.238.10.140(5721), 1 packet
025961: Apr 13 14:26:06: %SEC-6-IPACCESSLOGP: list INTERNET_ONLY denied tcp 10.5.3.1(55718) -> 10.19.199.121(1540), 1 packet
025962: Apr 13 14:26:10: %SEC-6-IPACCESSLOGDP: list INTERNET_ONLY denied icmp 10.5.3.1 -> 10.5.3.251 (8/0), 1 packet
025963: Apr 13 14:26:17: %SEC-6-IPACCESSLOGP: list INTERNET_ONLY denied tcp 10.5.3.1(58691) -> 205.238.10.140(5721), 1 packet
025964: Apr 13 14:26:19: %SEC-6-IPACCESSLOGP: list INTERNET_ONLY denied tcp 10.5.3.1(55658) -> 205.238.10.140(5721), 1 packet
025965: Apr 13 14:26:36: %SEC-6-IPACCESSLOGP: list INTERNET_ONLY denied udp 10.5.3.1(60154) -> 172.x.0.164(443), 1 packet
025966: Apr 13 14:26:38: %SEC-6-IPACCESSLOGP: list INTERNET_ONLY denied udp 10.5.3.1(51589) -> 142.x.x.110(443), 1 packet
025967: Apr 13 14:26:40: %SEC-6-IPACCESSLOGP: list INTERNET_ONLY denied udp 10.5.3.1(55333) -> 172.x.0.164(443), 1 packet
025968: Apr 13 14:26:43: %SEC-6-IPACCESSLOGP: list INTERNET_ONLY denied tcp 10.5.3.1(55745) -> 205.238.10.140(5721), 1 packet
025969: Apr 13 14:26:49: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 41 packets
025970: Apr 13 14:26:53: %SEC-6-IPACCESSLOGP: list INTERNET_ONLY denied tcp 10.5.3.1(55649) -> 192.168.x.251(135), 1 packet
025971: Apr 13 14:27:10: %SEC-6-IPACCESSLOGDP: list INTERNET_ONLY denied icmp 10.5.3.1 -> 8.8.8.8 (3/3), 1 packet
025972: Apr 13 14:27:14: %SEC-6-IPACCESSLOGP: list INTERNET_ONLY denied tcp 10.5.3.1(55763) -> 205.238.10.140(5721), 1 packet
025973: Apr 13 14:27:19: %SEC-6-IPACCESSLOGP: list INTERNET_ONLY denied tcp 10.5.3.1(55764) -> 205.238.10.140(5721), 1 packet
025974: Apr 13 14:27:24: %SEC-6-IPACCESSLOGP: list INTERNET_ONLY denied udp 10.5.3.1(54556) -> 239.255.245.2(1900), 1 packet
025975: Apr 13 14:27:33: %SEC-6-IPACCESSLOGP: list INTERNET_ONLY denied tcp 10.5.3.1(55785) -> 205.238.10.140(5721), 1 packet
025976: Apr 13 14:27:35: %SEC-6-IPACCESSLOGP: list INTERNET_ONLY denied tcp 10.5.3.1(55786) -> 192.168.25.65(135), 1 packet
025977: Apr 13 14:27:49: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 92 packets
025978: Apr 13 14:27:54: %SEC-6-IPACCESSLOGP: list INTERNET_ONLY denied tcp 10.5.3.1(55792) -> 205.238.10.140(5721), 1 packet
025979: Apr 13 14:28:16: %SEC-6-IPACCESSLOGP: list INTERNET_ONLY denied tcp 10.5.3.1(55796) -> 192.168.25.65(135), 1 packet
025980: Apr 13 14:28:25: %SEC-6-IPACCESSLOGP: list INTERNET_ONLY denied tcp 10.5.3.1(55797) -> 205.238.10.140(5721), 1 packet
025981: Apr 13 14:28:28: %SEC-6-IPACCESSLOGP: list INTERNET_ONLY denied tcp 10.5.3.1(58445) -> 205.238.10.140(5721), 1 packet
025982: Apr 13 14:28:31: %SEC-6-IPACCESSLOGP: list INTERNET_ONLY denied tcp 10.5.3.1(55798) -> 205.238.10.140(5721), 1 packet
025983: Apr 13 14:28:49: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 95 packets

 

At a quick glance, all the denies are valid denies from your last posted ACL.
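The check Joseph describes here, and the deny ip any any log triage Rick suggested earlier, as an added example that is not part of this thread: a small Python script that models the posted INTERNET_ONLY ACL with Cisco IOS first-match and implicit-deny semantics, parses %SEC-6-IPACCESSLOGP (tcp/udp) and IPACCESSLOGDP (icmp) lines, totals the rate-limited packets, and flags any logged deny the posted ACL should have permitted. The sample log lines are constructed in the thread's format, not taken from the poster's network.

```python
import re
from collections import Counter

# Model of the posted INTERNET_ONLY ACL. Cisco IOS evaluates entries in order,
# first match wins, and every ACL ends with an implicit "deny ip any any".
INTERNET_ONLY = [
    ("udp", 67),   # 10 permit udp any any eq bootps
    ("udp", 53),   # 20 permit udp any any eq domain
    ("tcp", 53),   # 30 permit tcp any any eq domain
    ("tcp", 80),   # 40 permit tcp any any eq www
    ("tcp", 443),  # 50 permit tcp any any eq 443
]

def acl_action(proto, dst_port):
    """Return 'permit' or 'deny' for a flow (dst_port is None for icmp)."""
    for ace_proto, ace_port in INTERNET_ONLY:
        if proto == ace_proto and dst_port == ace_port:
            return "permit"
    return "deny"  # nothing matched: implicit deny

DENY_RE = re.compile(
    r"%SEC-6-IPACCESSLOGD?P: list (?P<acl>\S+) denied (?P<proto>\w+) "
    r"(?P<src>\S+?)(?:\((?P<sport>\d+)\))? -> (?P<dst>\S+?)"
    r"(?:\((?P<dport>\d+)\)| \((?P<icmp>\d+/\d+)\)), (?P<n>\d+) packet")
RL_RE = re.compile(r"IPACCESSLOGRL: .* missed (?P<n>\d+) packets")

def triage(lines):
    """Count denied packets per (proto, dst port or icmp type/code), total the
    rate-limited packets, and flag any logged deny the modelled ACL would have
    permitted (a sign the running ACL is not the one posted)."""
    denied, missed, unexpected = Counter(), 0, []
    for line in lines:
        if m := RL_RE.search(line):
            missed += int(m["n"])
        elif m := DENY_RE.search(line):
            denied[(m["proto"], m["dport"] or m["icmp"])] += int(m["n"])
            port = int(m["dport"]) if m["dport"] else None
            if acl_action(m["proto"], port) == "permit":
                unexpected.append(line.strip())
    return denied, missed, unexpected

# Constructed sample lines in the thread's log format (not real traffic); the
# last one is deliberately a tcp/443 deny that the posted ACL should permit.
SAMPLE_LOG = [
    "025957: Apr 13 14:25:36: %SEC-6-IPACCESSLOGP: list INTERNET_ONLY denied tcp 10.5.3.1(55711) -> 192.168.0.10(22), 1 packet",
    "025962: Apr 13 14:26:10: %SEC-6-IPACCESSLOGDP: list INTERNET_ONLY denied icmp 10.5.3.1 -> 10.5.3.251 (8/0), 1 packet",
    "025965: Apr 13 14:26:36: %SEC-6-IPACCESSLOGP: list INTERNET_ONLY denied udp 10.5.3.1(60154) -> 172.16.0.164(443), 1 packet",
    "025969: Apr 13 14:26:49: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 41 packets",
    "025999: Apr 13 14:29:00: %SEC-6-IPACCESSLOGP: list INTERNET_ONLY denied tcp 10.5.3.1(55800) -> 203.0.113.5(443), 1 packet",
]
```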

 

I agree with Joseph that the denies in the log messages are legitimate based on the acl that you posted.

I am puzzled about this statement " i can get online both before i apply the acl, and after i apply the acl." So your experience is that Internet access works (I assume that your Internet access was using HTTP or HTTPS). Your boss says that Internet access does not work. Perhaps you can ask your boss to be specific about what he was attempting to do? (was it something other than HTTP/HTTPS?)

 

HTH

Rick

no error message, just no internet access.  
