nat with acl

nacertified
Level 1

hello

We are using a Cisco ASA-5520.

Our inside hosts are translated using the nat (inside) 1 command.

The public IP is configured globally on the outside interface. Now, in this scenario, I want to allow only the www service to the inside hosts. For this purpose, what type of ACL should be used, on what interface and in what direction?

Your quick response will be highly appreciated.

2 Replies

hoogen_82
Level 4

Your config should include this:

access-list inside_access_in extended permit tcp x.x.x.x y.y.y.y any eq www

access-list inside_access_in extended permit tcp x.x.x.x y.y.y.y any eq https

access-group inside_access_in in interface inside

Where x.x.x.x would be your inside hosts' network address. Do modify x.x.x.x accordingly.

The access list is applied on the inside interface in the inbound direction, so all traffic coming in on the inside interface would be checked against the access list. Remember that there is an implicit deny statement, so if you want to permit any other traffic through the inside interface, do allow it using another access-list entry.

HTH

Hoogen

Do rate if I have helped :)

kaachary
Cisco Employee

Hi,

If you are talking about inside web servers to be accessible from the Internet, then you need to put an ACL on the outside interface to allow www traffic.

If you are talking about the inside hosts going out to the Internet, then you have to put an ACL on the inside interface allowing www and denying everything else.

HTH,

-Kanishka
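Added example (not posted by either replier, and not from the question): a complete pre-8.3 ASA configuration that covers both cases the two answers describe, the outbound case Hoogen wrote out and the inbound web-server case Kanishka mentioned. It uses the same nat (inside) 1 / global (outside) style as the question. All addresses are hypothetical placeholders, and it goes slightly beyond the thread by permitting DNS (web browsing fails without name resolution unless an internal proxy handles it) and by replacing the implicit deny with an explicit logged deny so blocked traffic shows up in syslog.

```cisco
! Added example, not from the thread. Pre-8.3 ASA syntax to match the
! "nat (inside) 1" command in the question. Placeholder addresses:
!   192.168.1.0/24  = inside LAN (hypothetical)
!   192.168.1.50    = inside web server, private address (hypothetical)
!   203.0.113.10    = public address for that server (hypothetical, TEST-NET-3)
!
! --- Case 1: inside hosts browsing out (Hoogen's answer, the question's scenario) ---
! Dynamic PAT to the outside interface address, as the poster described.
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface
!
! ACL applied inbound on the inside interface. HTTP and HTTPS as in the
! answer; UDP/53 added on the assumption that hosts resolve names directly.
! The final line makes the implicit deny explicit and logs each hit.
access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 any eq https
access-list inside_access_in extended permit udp 192.168.1.0 255.255.255.0 any eq domain
access-list inside_access_in extended deny ip any any log
access-group inside_access_in in interface inside
!
! --- Case 2: an inside web server reachable from the Internet (Kanishka's first case) ---
! Static one-to-one NAT, then an ACL inbound on the outside interface that
! opens only TCP/80. In pre-8.3 code the ACL references the public
! (translated) address, not the private one.
static (inside,outside) 203.0.113.10 192.168.1.50 netmask 255.255.255.255
access-list outside_access_in extended permit tcp any host 203.0.113.10 eq www
access-list outside_access_in extended deny ip any any log
access-group outside_access_in in interface outside
!
! Verification after applying:
!   show access-list inside_access_in    (per-line hit counts)
!   show access-list outside_access_in
!   show xlate                           (active translations)
```

The explicit "deny ip any any log" at the end of each list changes nothing about what is allowed (the implicit deny already drops it) but gives you a hit counter and a syslog record for every blocked flow, which is how you find out that something other than web traffic is trying to leave the inside network. Each interface gets exactly one inbound access-group; on the ASA, adding a second access-group to the same interface and direction replaces the first rather than merging with it.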
