Im hungover and cant think today..... HELP!!

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

Could you fine people help me as im being a little thick today.....

Branch site has 877 router and VPNs into an ASA at their main site (remote network 192.168.120.0)
The requirement:
Deny Internet access for IP's 192.168.123.1 & 192.168.123.2
Permit access to Log Me In servers (ACL entries 10 to 15)
Allow all others full outbound access

The ACL below is applied to the dialer 0 interface outbound....
Extended IP access list BLOCK_INTERNET
10 permit tcp any 74.201.72.0 0.0.3.255
11 permit tcp any 216.52.233.0 0.0.0.255
12 permit tcp any 69.25.20.0 0.0.3.255
13 permit tcp any 64.94.18.0 0.0.0.255
14 permit tcp any 77.242.192.0 0.0.3.255
15 permit tcp any 212.118.234.0 0.0.0.255
18 permit tcp any 82.x.x.x 0.0.0.7
20 deny tcp host 192.168.123.1 any eq www
21 deny tcp host 192.168.123.2 any eq www
22 deny tcp host 192.168.123.1 any eq 443
23 deny tcp host 192.168.123.2 any eq 443
30 permit tcp any any (1357 matches)
31 permit udp any any (136 matches)
32 permit ip any any (21 matches)

If i dont have 32 permit ip any any on the end then i cannot ping the remote PC'd from the main site! i tried a few variations using the source network address etc but didnt work.

I am hungover today and this isnt my final hour but hope someone can feel pity for me and help out!

 

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

you haven't got a line to enable ICMP...

 

The list now looks like this

Extended IP access list INET_BLOCK
10 permit tcp any 74.201.72.0 0.0.3.255
11 permit tcp any 216.52.233.0 0.0.0.255
12 permit tcp any 69.25.20.0 0.0.3.255
13 permit tcp any 64.94.18.0 0.0.0.255
14 permit tcp any 77.242.192.0 0.0.3.255
15 permit tcp any 212.118.234.0 0.0.0.255
18 permit tcp any x.x.x.x x.x.x.x
20 deny tcp host 192.168.123.1 any eq www
21 deny tcp host 192.168.123.2 any eq www
22 deny tcp host 192.168.123.1 any eq 443
23 deny tcp host 192.168.123.2 any eq 443
30 permit tcp any any (2883 matches)
31 permit udp any any (34 matches)
33 permit icmp any any (235 matches)

The ACL is now assigned to the vlan1 outbound direction.

As you can see with the 'matches' statement, if i go onto the internet on the PC with 192.168.123.1 its still works? its like it is not picking up the source IP?

Has anyone got any ideas?? im sure i have missed something basic!?

Cheers
Jon

 

you have a 3 day hangover?

 

It cleared up on friday night then with a drinking session saturday night into sunday morning and then guns & roses concert last night, i shouldnt actually be alive!!!

 

Surely you should have it on VLAN 1 inbound? outbound VLAN 1 source IP will be the internet sites you are going to.

 

er....... its now fixed.... :-/