nat with acl

Unanswered Question
Feb 25th, 2007


We are using a Cisco ASA-5520.

Our inside hosts are resolved using the nat (inside) 1 command.

The public IP is configured globally on the outside interface. Now, in this scenario, I want to allow only the www service to the inside hosts. For this purpose, what type of ACL should be used, on what interface, and in what direction?

Your quick response will be highly appreciated.

hoogen_82 Sun, 02/25/2007 - 05:48

Your config should include this:

access-list inside_access_in extended permit tcp x.x.x.x y.y.y.y any eq www

access-list inside_access_in extended permit tcp x.x.x.x y.y.y.y any eq https

access-group inside_access_in in interface inside

Where x.x.x.x would be your inside hosts' network address. Do modify x.x.x.x accordingly.

The access list is applied on the inside interface in the inbound direction, so all traffic coming in on the inside interface would be checked against the access-list. Remember that there is an implicit deny statement, so if you want to permit any other traffic through the inside interface, do allow it using another access-list.



Do rate if i have helped :)
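A complete outbound-only configuration in the form the answer above describes, as an added example that is not part of either poster's reply. It assumes pre-8.3 ASA syntax (the nat/global model the question mentions), an inside network of 10.1.1.0/24 and PAT to the outside interface address; all three are assumptions, not values from the original thread. It also adds two things a practitioner would want that the thread does not spell out: a DNS entry, because hosts that may only reach port 80/443 still need name resolution unless a DNS server sits on the inside, and an explicit logged deny at the end so blocked attempts show up in syslog instead of silently hitting the implicit deny.

```cisco
! Assumed addressing: inside LAN 10.1.1.0/24, PAT to the outside interface IP
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface

! Inbound on the inside interface the ACL sees the REAL (pre-NAT) source
! addresses, so the source here is the private network, not the public IP.
! Assumption: clients resolve names via an external DNS server; drop this
! line if DNS is served from the inside.
access-list inside_access_in extended permit udp 10.1.1.0 255.255.255.0 any eq domain
access-list inside_access_in extended permit tcp 10.1.1.0 255.255.255.0 any eq www
access-list inside_access_in extended permit tcp 10.1.1.0 255.255.255.0 any eq https
! Explicit deny with logging; the implicit deny would drop silently.
access-list inside_access_in extended deny ip any any log

access-group inside_access_in in interface inside
```

After applying it, `show access-list inside_access_in` shows per-entry hit counts, which is the quickest way to confirm that web traffic is matching the permit lines and that everything else is landing on the deny line rather than on some other rule.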

kaachary Sun, 02/25/2007 - 05:48


If you are talking about inside web servers to be accessible from the Internet, then you need to put an ACL on the outside interface to allow www traffic.

If you are talking about the inside hosts going out to the Internet, then you have to put an ACL on the inside interface allowing www and denying everything else.
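The first case in the reply above (an inside web server reachable from the Internet), as an added example that is not part of the poster's reply. It assumes pre-8.3 ASA syntax, an inside server at 10.1.1.10 and a spare public address 203.0.113.10 for the static translation; all three are assumptions, not values from the thread. The point it illustrates is that on pre-8.3 code the outside ACL is matched against the translated (public) address, so the ACL entry must name the mapped IP from the static, not the server's private IP.

```cisco
! Assumed one-to-one static translation for the web server
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255

! Pre-8.3: the outside ACL references the MAPPED address 203.0.113.10.
! Only port 80 is opened; every other inbound connection to the server
! (and to anything else) falls through to the logged deny.
access-list outside_access_in extended permit tcp any host 203.0.113.10 eq www
access-list outside_access_in extended deny ip any any log

access-group outside_access_in in interface outside
```

The outbound ACL on the inside interface, if one is configured as in the other reply, does not interfere with this: return traffic for connections initiated from the outside is handled by the stateful connection table, not by the inside ACL.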



