02-25-2007 05:24 AM
hello
We are using a Cisco ASA-5520.
Our inside hosts are resolved using the nat (inside) 1 command.
The public IP is configured globally on the outside interface. Now in this scenario I want to allow only the www service to the inside hosts. For this purpose, what type of ACL should be used, on what interface and in what direction?
Your quick response will be highly appreciated.
02-25-2007 05:48 AM
Your config should include this:
access-list inside_access_in extended permit tcp x.x.x.x y.y.y.y any eq www
access-list inside_access_in extended permit tcp x.x.x.x y.y.y.y any eq https
access-group inside_access_in in interface inside
Where x.x.x.x would be your inside hosts' network address. Do modify x.x.x.x accordingly.
The access-list is applied on the inside interface in the inbound direction, so everything coming in on the inside interface would be checked against the access-list. Remember that there is an implicit deny statement, so if you want to permit any other traffic through the inside interface, do allow it using another access-list entry.
HTH
Hoogen
Do rate if I have helped :)
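To show what the inbound inside ACL above does to traffic, here is an added example (not from the thread or from Cisco) that parses the two ACEs in the ASA extended-ACL syntax and evaluates flows with first-match semantics and the implicit deny. It assumes a constructed inside network of 192.168.1.0/24 in place of x.x.x.x y.y.y.y.

```python
import ipaddress

# Service names accepted after "eq" (small subset, enough for this thread).
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "domain": 53, "smtp": 25}


def _addr(tokens):
    """Consume 'any' or '<ip> <mask>' from the token list; return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    net = ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False)
    return net, tokens[2:]


def parse_ace(line):
    """Parse 'access-list NAME extended ACTION PROTO SRC DST [eq PORT]' into a dict.
    Only the extended-ACE form used in the thread is supported."""
    t = line.split()
    if t[:1] != ["access-list"] or t[2] != "extended":
        raise ValueError(f"unsupported ACE: {line}")
    name, action, proto = t[1], t[3], t[4]
    src, rest = _addr(t[5:])
    dst, rest = _addr(rest)
    dport = None
    if rest[:1] == ["eq"]:
        dport = PORT_NAMES.get(rest[1]) or int(rest[1])
    return {"name": name, "action": action, "proto": proto,
            "src": src, "dst": dst, "dport": dport}


def evaluate(acl, proto, src_ip, dst_ip, dport):
    """First-match evaluation, as the ASA does it; no match means implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in acl:
        if ace["proto"] not in ("ip", proto):
            continue
        if src not in ace["src"] or dst not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"]
    return "deny"  # implicit deny at the end of every ASA access-list


# Constructed stand-in for "x.x.x.x y.y.y.y": the inside LAN is 192.168.1.0/24.
INSIDE_ACL = [parse_ace(l) for l in [
    "access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 any eq www",
    "access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 any eq https",
]]

if __name__ == "__main__":
    # Web browsing is permitted; a DNS query from the same host hits the implicit deny.
    print(evaluate(INSIDE_ACL, "tcp", "192.168.1.10", "198.51.100.5", 80))   # permit
    print(evaluate(INSIDE_ACL, "udp", "192.168.1.10", "198.51.100.53", 53))  # deny
```

The second call illustrates the implicit deny: with only the two permit lines, DNS from inside hosts is dropped unless a further entry allows it.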
02-25-2007 05:48 AM
Hi,
If you are talking about inside web servers to be accessible from the Internet, then you need to put an ACL on the outside interface to allow www traffic.
If you are talking about the inside hosts going out to the Internet, then you have to put an ACL on the inside interface allowing www and denying everything else.
HTH,
-Kanishka