acl configuration on a 6500 firewall

Unanswered Question
Apr 19th, 2007
Hi all


I require assistance with configuring an acl on a 6500 firewall inbound interface so a host can access only specific server ip ranges within other sites


eg: server addresses 192.168.x.20 to 192.168.x.35 - 0.0.255.15


if anyone has experience with this type of configuration could you kindly advise


cheers

Jon Marshall Thu, 04/19/2007 - 23:03
Hi


fwsm(config)# object-group network servers

fwsm(config-network)# network-object host 192.168.x.20

fwsm(config-network)# network-object host 192.168.x.21

... etc.

fwsm(config-network)# network-object host 192.168.x.35


fwsm(config)# access-list restrict permit ip host x.x.x.x object-group servers


fwsm(config)# access-group restrict in interface "fw interface"


Couple of things to be aware of


1) You may need NAT translations depending on whether you are using NAT and the security levels of your interfaces.

2) Every access-list has an implicit deny at the end so make sure you add in any other access to the "restrict" acl before applying it.

3) The access-list says permit ip but you could tie this down to more specific tcp and udp ports.


HTH


Jon
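An added example (not Jon's or Cisco's code) that builds the object-group entries for the .20 to .35 range from the question without typing every host line, and checks what an IOS-style wildcard such as 0.0.255.15 would actually admit; the third octet 10 stands in for the "x" in the question and is a constructed value.

```python
import ipaddress


def acl_wildcard_hits(reference: str, wildcard: str, subnet: str) -> list:
    """Addresses in `subnet` matched by an IOS-style ACL entry
    `reference wildcard` (wildcard bit 1 = don't care). Useful for
    checking a mask before trusting it on a firewall rule."""
    ref = int(ipaddress.IPv4Address(reference))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return [str(a) for a in ipaddress.IPv4Network(subnet)
            if (int(a) & care) == (ref & care)]


def range_to_network_objects(first: str, last: str) -> list:
    """Summarize first..last into the fewest aligned blocks and emit
    FWSM object-group lines. FWSM/ASA take a subnet mask, not a
    wildcard, so a /32 becomes 'host' and larger blocks 'net mask'."""
    lines = []
    for net in ipaddress.summarize_address_range(
            ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)):
        if net.prefixlen == 32:
            lines.append(f"network-object host {net.network_address}")
        else:
            lines.append(f"network-object {net.network_address} {net.netmask}")
    return lines


def covers_exactly(first: str, last: str, lines: list) -> bool:
    """Confirm the emitted entries permit every intended address and
    nothing outside the range (the implicit deny handles the rest)."""
    wanted = {str(ipaddress.IPv4Address(first) + i)
              for i in range(int(ipaddress.IPv4Address(last))
                             - int(ipaddress.IPv4Address(first)) + 1)}
    got = set()
    for line in lines:
        parts = line.split()
        net = (parts[2] + "/32" if parts[1] == "host"
               else f"{parts[1]}/{parts[2]}")
        got.update(str(a) for a in ipaddress.IPv4Network(net))
    return got == wanted


if __name__ == "__main__":
    # Constructed example subnet 192.168.10.0/24 standing in for 192.168.x.0/24
    for line in range_to_network_objects("192.168.10.20", "192.168.10.35"):
        print("fwsm(config-network)#", line)
    print(acl_wildcard_hits("192.168.10.20", "0.0.255.15", "192.168.10.0/24"))
```

The wildcard 0.0.255.15 applied to .20 matches last octets 16 to 31, not 20 to 35, so the range needs three aligned blocks rather than one mask.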

