access-list on inside interface trouble

18 years 10 months ago #10972 by gl1d33
I have a PIX version 7 with the following config
access-list allow_from_inside permit tcp 192.168.10.0 255.255.255.0 any eq www
access-list allow_from_inside deny ip any any
access-group allow_from_inside in interface inside
nat (inside) 1 192.168.10.0 255.255.255.0
global (outside) 1 192.168.100.250

When I apply the following access-list on the inside interface, I cannot access the internet. Any idea why?
18 years 10 months ago #11091 by rahulpathania
You have forgotten to add another access rule to allow DNS resolution as follows:

access-list allow_from_inside permit udp 192.168.10.0 255.255.255.0 any eq 53

Hope this fixes the issue.


Regards,
Rahul Pathania...!!!
Empowering the Internet generation
18 years 10 months ago #11119 by RedRanger
O lord, ACLs. I am so sick of those. I had to do a whole bunch of those in CCNA 2.

RedRanger

"I'd Rather You Hate Me For Everything I Am Than Love Me For Something I'm Not."

Be Awesome
18 years 10 months ago #11155 by sahirh
I would suggest you specifically allow DNS traffic *ONLY* to your DNS server... that's a better written firewall rule, otherwise you've got a bit of a loophole going there.

In other words, provide the DNS server address in the permit rule.

Cheers,

Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
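Added example (not code from the thread or from Cisco): a small first-match evaluator for PIX-style access-list lines, run over three constructed outbound flows. It shows why the original ACL breaks web browsing (UDP/53 falls through to the final deny, so names never resolve), why the reply's `permit udp ... any eq 53` fixes it, and why the tightened version suggested afterwards permits DNS only to the site's resolver. The resolver address 198.51.100.53 and the two external hosts are assumptions chosen from documentation ranges; the `eq domain` keyword is the PIX name for port 53, just as `www` is for port 80.

```python
import ipaddress

# Constructed PIX-style access-lists. The resolver 198.51.100.53 is an assumed address.
ORIGINAL_ACL = """
access-list allow_from_inside permit tcp 192.168.10.0 255.255.255.0 any eq www
access-list allow_from_inside deny ip any any
"""

# The first reply's fix: DNS to any resolver on the Internet.
DNS_ANY_ACL = """
access-list allow_from_inside permit tcp 192.168.10.0 255.255.255.0 any eq www
access-list allow_from_inside permit udp 192.168.10.0 255.255.255.0 any eq 53
access-list allow_from_inside deny ip any any
"""

# The tightened rule: DNS only to the organisation's own resolver (assumed host).
DNS_HOST_ACL = """
access-list allow_from_inside permit tcp 192.168.10.0 255.255.255.0 any eq www
access-list allow_from_inside permit udp 192.168.10.0 255.255.255.0 host 198.51.100.53 eq domain
access-list allow_from_inside deny ip any any
"""

PORT_NAMES = {"www": 80, "domain": 53}


def _parse_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D MASK'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    mask = tokens.pop(0)
    return ipaddress.ip_network(f"{tok}/{mask}", strict=False)


def _parse_port(tokens):
    """Consume an optional 'eq PORT' clause; None means any port."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        p = tokens.pop(0)
        return int(p) if p.isdigit() else PORT_NAMES[p]
    return None


def parse_acl(text):
    """Parse 'access-list NAME permit|deny PROTO SRC [eq P] DST [eq P]' lines in order."""
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[:1] != ["access-list"]:
            continue
        name, action, proto = tokens[1], tokens[2], tokens[3]
        rest = tokens[4:]
        src = _parse_addr(rest)
        sport = _parse_port(rest)
        dst = _parse_addr(rest)
        dport = _parse_port(rest)
        rules.append({"name": name, "action": action, "proto": proto,
                      "src": src, "sport": sport, "dst": dst, "dport": dport})
    return rules


def evaluate(rules, proto, src_ip, dst_ip, dport, sport=None):
    """First matching entry wins; an ACL with no match denies, as on the PIX."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if r["proto"] not in ("ip", proto):
            continue
        if s not in r["src"] or d not in r["dst"]:
            continue
        if r["sport"] is not None and r["sport"] != sport:
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        return r["action"]
    return "deny"


# Constructed outbound flows from one inside host: a web request, a DNS query to the
# assumed resolver, and a DNS query to an arbitrary external host (the "loophole" a
# DNS tunnel or rogue resolver would use).
FLOWS = {
    "http": ("tcp", "192.168.10.5", "203.0.113.10", 80),
    "dns_resolver": ("udp", "192.168.10.5", "198.51.100.53", 53),
    "dns_elsewhere": ("udp", "192.168.10.5", "203.0.113.99", 53),
}


def outcomes(acl_text):
    """Return {flow name: 'permit'|'deny'} for the constructed flows under one ACL."""
    rules = parse_acl(acl_text)
    return {name: evaluate(rules, *flow) for name, flow in FLOWS.items()}


if __name__ == "__main__":
    for label, acl in (("original", ORIGINAL_ACL),
                       ("dns to any", DNS_ANY_ACL),
                       ("dns to resolver only", DNS_HOST_ACL)):
        print(f"{label:22s} {outcomes(acl)}")
```

Only the outbound direction needs a permit here: the PIX is stateful, so the DNS reply and the HTTP response come back through the connection table without a matching entry on the outside interface. The tightened ACL is the one to deploy; with `any` as the DNS destination, any inside host can talk to any external port 53, which is exactly the path DNS tunnels and attacker-run resolvers use.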