Is this a valid ACL?

Answered Question
Jun 26th, 2008

Is this a valid ACL?

access-list OUTSIDE_access_in extended permit tcp host 160.83.89.0 255.255.255.0 any


If I want to allow this address incoming to any internal address?


balsheikh Thu, 06/26/2008 - 09:50


I believe there is no need for the keyword host, as you permit the /24 subnet, and make sure you apply that ACL inbound on the outside interface.


Regards,

Belal

Jon Marshall Thu, 06/26/2008 - 13:40
Eric


When you say this address 160.83.89.0, do you mean the network? In which case, as the previous poster said, remove the "host" keyword.


If it is just a particular host then remove the 255.255.255.0 portion of your access-list. BUT 160.83.89.0 cannot be used as a host address, so it's not entirely clear what you are trying to do.


Jon

ericluoma Fri, 06/27/2008 - 04:39

I am trying to let in any address from that 160.83.89.0 subnet into my outside interface. Is that possible to do, or do I have to get the exact IPs of individual PCs in that network range? When it is requested from any of my internal IPs.

Jon Marshall Fri, 06/27/2008 - 08:27

No you can use the subnet address if you want. In that case just remove the "host" keyword from your acl.


It is a rather open rule though. You are saying any host on the 160.83.89.0/24 subnet can access any server on any TCP port.


Also you wrote


"When it is requested from any of my internal IPs."


If this is a stateful firewall you are on, then if the connection originated from one of your internal IPs to a host on the 160.83.89.0/24 subnet you don't need the ACL rule, because the traffic will automatically be let back in.


However, if the connection is initiated from the 160.83.89.0/24 network, or this is not a stateful firewall, you do need the ACL.


Jon
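The following ASA configuration fragment is an added illustration and is not from any poster in this thread. It puts the entry as originally posted (commented out) next to the minimal fix Jon and Belal describe, a tighter alternative, and the access-group that binds the list inbound on the outside interface. The inside host address 192.168.5.10, the port 443 and the interface name "outside" are assumptions chosen for the example.

```cisco
! As posted: "host" takes a single address, so a mask after it is not valid syntax,
! and 160.83.89.0 is the network address of the /24, not a usable host.
! access-list OUTSIDE_access_in extended permit tcp host 160.83.89.0 255.255.255.0 any

! Minimal fix: drop "host" so the entry matches the whole /24.
! Still very open: every host in that /24 reaches every inside host on every TCP port.
access-list OUTSIDE_access_in extended permit tcp 160.83.89.0 255.255.255.0 any

! Tighter alternative (assumed example): only the service actually published, only to the
! host that offers it. 192.168.5.10 and port 443 are placeholders for this illustration.
access-list OUTSIDE_access_in extended permit tcp 160.83.89.0 255.255.255.0 host 192.168.5.10 eq 443
! Make the implicit deny visible in the logs so unexpected inbound attempts can be reviewed.
access-list OUTSIDE_access_in extended deny ip any any log

! Bind the list inbound on the outside interface. No entry is needed here for replies to
! connections the 192.168.5.x hosts start themselves: the stateful inspection permits those.
access-group OUTSIDE_access_in in interface outside
```

After applying it, "show access-list OUTSIDE_access_in" shows the hit count per entry, which is a quick way to confirm that the permit line is actually matching the expected traffic and that the deny line is not silently dropping something legitimate.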






ericluoma Fri, 06/27/2008 - 08:30

My inside address is a 192.168.5.0 setup, so the traffic would be originating there.

Correct Answer
Jon Marshall Fri, 06/27/2008 - 08:37

Eric


If all the connections are originated from a 192.168.5.x address AND the device you are on is a stateful firewall, you do not need to explicitly allow the return traffic back in with an ACL.


Jon
