- Posts: 1
- Thank you received: 0
access-list on inside interface trouble
19 years 1 month ago #10972
by gl1d33
access-list on inside interface trouble was created by gl1d33
I have a PIX version 7 with the following config:
access-list allow_from_inside permit tcp 192.168.10.0 255.255.255.0 any eq www
access-list allow_from_inside deny ip any any
access-group allow_from_inside in interface inside
nat (inside) 1 192.168.10.0 255.255.255.0
global (outside) 1 192.168.100.250
When I apply the following access-list on the inside interface, I cannot access the internet. Any idea why?
- rahulpathania
- Posts: 10
- Thank you received: 0
19 years 1 month ago #11091
by rahulpathania
Replied by rahulpathania on topic Re: access-list on inside interface trouble
You have forgotten to add another access rule to allow DNS resolution, as follows:
access-list allow_from_inside permit udp 192.168.10.0 255.255.255.0 any eq 53
Hope this fixes the issue.
Regards,
Rahul Pathania...!!!
Empowering the Internet generation
19 years 1 month ago #11119
by RedRanger
RedRanger
"I'd Rather You Hate Me For Everything I Am Than Love Me For Something I'm Not."
Be Awesome
Replied by RedRanger on topic Re: access-list on inside interface trouble
O lord, ACLs. I am so sick of those. I had to do a whole bunch of those in CCNA 2.
19 years 1 month ago #11155
by sahirh
Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
Replied by sahirh on topic Re: access-list on inside interface trouble
I would suggest you specifically allow DNS traffic *ONLY* to your DNS server... that's a better written firewall rule, otherwise you've got a bit of a loophole going there.
In other words, provide the DNS server address in the permit rule.
Cheers,
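To see why the original access-list blocks web browsing even though port 80 is permitted, and how the two suggested fixes differ, here is a small added example (written for this thread, not code from the original posters or from Cisco) that parses the PIX access-list syntax used above and evaluates flows against it with the same first-match, implicit-deny semantics a PIX applies. It models only the ACL on the inside interface, not NAT or the stateful return traffic. The DNS server address 192.168.100.53 in the third rule set is a placeholder assumption; the `host` keyword is standard PIX/ASA access-list syntax for naming a single address, which is how sahirh's "provide the DNS server address" suggestion is expressed.

```python
import ipaddress

# Constructed rule sets: the original config, rahulpathania's fix, and the
# tightened version sahirh recommends (DNS server address is a placeholder).
ORIGINAL_ACL = """
access-list allow_from_inside permit tcp 192.168.10.0 255.255.255.0 any eq www
access-list allow_from_inside deny ip any any
"""

WITH_DNS_ANY = """
access-list allow_from_inside permit tcp 192.168.10.0 255.255.255.0 any eq www
access-list allow_from_inside permit udp 192.168.10.0 255.255.255.0 any eq 53
access-list allow_from_inside deny ip any any
"""

WITH_DNS_SERVER_ONLY = """
access-list allow_from_inside permit tcp 192.168.10.0 255.255.255.0 any eq www
access-list allow_from_inside permit udp 192.168.10.0 255.255.255.0 host 192.168.100.53 eq 53
access-list allow_from_inside deny ip any any
"""

# Service names the thread uses; PIX accepts both names and numbers after "eq".
PORT_NAMES = {"www": 80, "domain": 53}


def _parse_addr(tokens, i):
    """Consume an address spec: 'any', 'host A.B.C.D', or 'A.B.C.D MASK'."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # PIX/ASA access-lists take a normal subnet mask, not an IOS wildcard mask.
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def _parse_port(tokens, i):
    """Consume an optional 'eq PORT' clause; returns (port or None, next index)."""
    if i < len(tokens) and tokens[i] == "eq":
        p = tokens[i + 1]
        return (PORT_NAMES[p] if p in PORT_NAMES else int(p)), i + 2
    return None, i


def parse_acl(text):
    """Parse 'access-list NAME permit|deny PROTO SRC [eq P] DST [eq P]' lines."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list":
            continue
        name, action, proto = t[1], t[2], t[3]
        src, i = _parse_addr(t, 4)
        sport, i = _parse_port(t, i)
        dst, i = _parse_addr(t, i)
        dport, i = _parse_port(t, i)
        rules.append((name, action, proto, src, sport, dst, dport))
    return rules


def evaluate(rules, proto, src, dst, dport):
    """Return (action, 1-based rule number). First match wins; a flow that
    matches no line hits the implicit deny at the end (rule number None)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, (_, action, rproto, rsrc, _, rdst, rdport) in enumerate(rules, 1):
        if rproto != "ip" and rproto != proto:
            continue
        if s not in rsrc or d not in rdst:
            continue
        if rdport is not None and rdport != dport:
            continue
        return action, n
    return "deny", None


if __name__ == "__main__":
    for label, text in (("original", ORIGINAL_ACL),
                        ("dns to any", WITH_DNS_ANY),
                        ("dns to server only", WITH_DNS_SERVER_ONLY)):
        rules = parse_acl(text)
        print(label)
        print("  http  to 203.0.113.10:80  ->", evaluate(rules, "tcp", "192.168.10.20", "203.0.113.10", 80))
        print("  dns   to 192.168.100.53   ->", evaluate(rules, "udp", "192.168.10.20", "192.168.100.53", 53))
        print("  dns   to 203.0.113.53     ->", evaluate(rules, "udp", "192.168.10.20", "203.0.113.53", 53))
```

Running it shows the point of the thread: under the original list the browser's name lookup (UDP/53) falls through to `deny ip any any`, so no web session ever starts even though TCP/80 is permitted. The `any eq 53` rule fixes that but lets any inside host send UDP/53 to any destination; the `host` form permits lookups only to the named resolver and still denies UDP/53 to everything else.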