ACL configuration on a 6500 firewall

Apr 19th, 2007

Hi all

I require assistance with configuring an ACL on a 6500 firewall inbound interface so a host can access only specific server IP ranges within other sites.

e.g. server addresses 192.168.x.20 to 192.168.x.35

If anyone has experience with this type of configuration, could you kindly advise?

Jon Marshall Thu, 04/19/2007 - 23:03

fwsm(config)# object-group network servers
fwsm(config-network)# network-object host 192.168.x.20
fwsm(config-network)# network-object host 192.168.x.21
... etc.
fwsm(config-network)# network-object host 192.168.x.35
fwsm(config)# access-list restrict permit ip host x.x.x.x object-group servers
fwsm(config)# access-group restrict in interface "fw interface"

A couple of things to be aware of:

1) You may need NAT translations depending on whether you are using NAT and the security levels of your interfaces.

2) Every access-list has an implicit deny at the end, so make sure you add in any other access to the "restrict" ACL before applying it.

3) The access-list says permit ip, but you could tie this down to more specific TCP and UDP ports.
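An added example, not from the thread, in Python: it collapses the .20 to .35 range into the smallest set of aligned network-object entries (three subnets instead of sixteen host lines), emits permit lines in the same FWSM syntax as the answer with an optional TCP-port restriction and an explicit logged deny ahead of the implicit one, and checks which destinations the resulting group actually covers. The third octet (10), the client address 10.1.1.50 and the ACL/group names are constructed placeholders; the `log` keyword on the deny line is assumed to be supported by the running FWSM release.

```python
import ipaddress

# Constructed sample values: the question's "192.168.x.20 to 192.168.x.35" with
# x = 10, plus a hypothetical client; none of these come from the thread.
CLIENT_HOST = "10.1.1.50"
RANGE_START = "192.168.10.20"
RANGE_END = "192.168.10.35"


def summarize_range(start, end):
    """Smallest list of aligned subnets that exactly covers start..end inclusive."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(start), ipaddress.ip_address(end)))


def object_group_lines(name, start, end):
    """object-group using net+mask entries; a /32 is written as 'host' like the answer."""
    lines = [f"object-group network {name}"]
    for net in summarize_range(start, end):
        if net.prefixlen == 32:
            lines.append(f" network-object host {net.network_address}")
        else:
            lines.append(f" network-object {net.network_address} {net.netmask}")
    return lines


def acl_lines(acl, client, group, tcp_ports=()):
    """Permit lines (optionally per TCP port, point 3 in the answer) followed by an
    explicit logged deny so hits that would fall to the implicit deny are visible.
    Assumes the platform accepts the 'log' keyword on access-list entries."""
    lines = []
    if tcp_ports:
        for port in tcp_ports:
            lines.append(f"access-list {acl} permit tcp host {client} "
                         f"object-group {group} eq {port}")
    else:
        lines.append(f"access-list {acl} permit ip host {client} object-group {group}")
    lines.append(f"access-list {acl} deny ip any any log")
    return lines


def group_matches(start, end, candidate):
    """True if a destination address is inside the object-group built from the range."""
    addr = ipaddress.ip_address(candidate)
    return any(addr in net for net in summarize_range(start, end))


if __name__ == "__main__":
    for line in object_group_lines("servers", RANGE_START, RANGE_END):
        print(line)
    for line in acl_lines("restrict", CLIENT_HOST, "servers", tcp_ports=(443,)):
        print(line)
```

Run it to see that .20 to .35 becomes 192.168.10.20/30, .24/29 and .32/30, and that .19 and .36 fall outside the group and therefore hit the deny.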
