PIX 501 - allow icmp out but deny everything else out

My current config has NO access-lists or access-groups. Client machines have no internet - expected.

If I add the following lines...

access-list INBOUND permit icmp any any
access-list INBOUND deny tcp any any
access-list INBOUND deny ip any any
access-group INBOUND in interface outside

... then my client machines suddenly have icmp out (expected), but they also have http/dns/smtp (i.e. ALL) out.

What access rules can I add, so that clients have icmp out, but nothing else?

Thanks Nick

nicough

tcp is a subset of ip, so the tcp line is redundant. There is a default deny at the end of every access-list, so all trailing deny statements are redundant.

It is relatively tricky to create a restricted VPN without using at least two access-lists. What are your static, nat, and global commands, and what IP pool are you allocating to your clients?

Walter Roberson
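To illustrate the two points in the reply above (a 'deny tcp' entry is covered by 'deny ip', and trailing denies are covered by the implicit deny at the end of every access-list), here is an added first-match evaluator for PIX-style access-list lines; it is example code, not anything from the thread or from Cisco, and the sample packets are constructed. It models only the matching semantics of a list, not which interface the list is bound to.

```python
"""First-match evaluation of PIX-style 'access-list NAME permit|deny PROTO SRC DST' lines."""
from __future__ import annotations

Rule = tuple[str, str, str, str]  # (action, protocol, source, destination)


def parse_acl(config: str) -> dict[str, list[Rule]]:
    """Collect the entries of each named list in the order they were typed."""
    acls: dict[str, list[Rule]] = {}
    for line in config.splitlines():
        parts = line.split()
        if len(parts) == 6 and parts[0] == "access-list":
            _, name, action, proto, src, dst = parts
            acls.setdefault(name, []).append((action, proto, src, dst))
    return acls


def matches(rule: Rule, proto: str, src: str, dst: str) -> bool:
    """The 'ip' keyword matches any IP protocol; 'any' matches any address."""
    _, r_proto, r_src, r_dst = rule
    proto_ok = r_proto == "ip" or r_proto == proto
    return proto_ok and r_src in ("any", src) and r_dst in ("any", dst)


def evaluate(rules: list[Rule], proto: str, src: str, dst: str) -> str:
    """First matching entry wins; no match falls through to the implicit deny."""
    for rule in rules:
        if matches(rule, proto, src, dst):
            return rule[0]
    return "deny"


# Constructed inputs: the list from the question, and a one-line list without the redundant denies.
POSTED = """
access-list INBOUND permit icmp any any
access-list INBOUND deny tcp any any
access-list INBOUND deny ip any any
"""
MINIMAL = "access-list INBOUND permit icmp any any"

# Constructed sample packets (protocol, source, destination), one per protocol of interest.
SAMPLES = [(p, "192.0.2.10", "198.51.100.5") for p in ("icmp", "tcp", "udp", "gre", "esp")]


def same_decisions(config_a: str, config_b: str, name: str = "INBOUND") -> bool:
    """True when both lists reach the same permit/deny decision for every sample packet."""
    rules_a = parse_acl(config_a).get(name, [])
    rules_b = parse_acl(config_b).get(name, [])
    return all(evaluate(rules_a, *pkt) == evaluate(rules_b, *pkt) for pkt in SAMPLES)
```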

The statement above would allow ICMP return from the inside, but you also have a DENY statement that would block anything from coming in, especially in the order you have stated (remove "access-list INBOUND deny tcp any any" as it is redundant). I would say that something significant in your config that you have not posted is causing Internet access for the client machine.

You would need to post your config up here so we can take a better look.

Rohan
