Is this a valid acl

Answered Question
Jun 26th, 2008

Is this a valid ACL?

access-list OUTSIDE_access_in extended permit tcp host 160.83.89.0 255.255.255.0 any

If I want to allow this address incoming to any internal address?

balsheikh Thu, 06/26/2008 - 09:50

I believe there is no need for the keyword host, as you permit the /24 subnet, and make sure you apply that ACL inbound on the outside interface.

Regards,

Belal

Jon Marshall Thu, 06/26/2008 - 13:40

Eric

When you say this address 160.83.89.0, do you mean the network? In which case, as the previous poster said, remove the "host" keyword.

If it is just a particular host then remove the 255.255.255.0 portion of your access-list. BUT 160.83.89.0 cannot be used as a host address, so it's not entirely clear what you are trying to do.

Jon

ericluoma Fri, 06/27/2008 - 04:39

I am trying to let in any address from that 160.83.89.0 subnet into my outside interface. Is that possible to do, or do I have to get the exact IPs of individual PCs in that network range? When it is requested from any of my internal IPs.

Jon Marshall Fri, 06/27/2008 - 08:27

No, you can use the subnet address if you want. In that case just remove the "host" keyword from your ACL.

It is a rather open rule though. You are saying any host on the 160.83.89.0/24 subnet can access any server on any tcp port.

Also you wrote

"When it is requested from any of my internal IPs."

If this is a stateful firewall you are on, then if the connection originated from one of your internal IPs to a host on the 160.83.89.0/24 subnet you don't need the ACL rule, because the traffic will automatically be let back in.

However, if the connection is initiated from the 160.83.89.0/24 network, or this is not a stateful firewall, you do need the ACL.

Jon
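
A small checker for the two points raised in this thread (the "host" keyword followed by a mask, and how open the resulting rule is), written as an added example; it is not from the thread and not a Cisco tool, and the function names and the constructed sample lines are assumptions:

```python
import ipaddress
import re

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

# Constructed sample: the entry from the original question.
QUESTION_ACL = ("access-list OUTSIDE_access_in extended permit tcp "
                "host 160.83.89.0 255.255.255.0 any")

def parse_addr(tokens):
    """Consume one ASA address spec (any | host A | A MASK); return (text, rest)."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return f"host {tokens[1]}", tokens[2:]
    if len(tokens) >= 2 and IPV4.match(tokens[0]) and IPV4.match(tokens[1]):
        return f"{tokens[0]} {tokens[1]}", tokens[2:]
    raise ValueError(f"bad address spec near {' '.join(tokens[:2])!r}")

def lint_acl(line):
    """Return (problems, corrected_line) for one ASA extended access-list entry."""
    t = line.split()
    if t[:1] != ["access-list"] or len(t) < 7 or t[2] != "extended":
        raise ValueError("not an extended access-list line")
    name, action, proto, rest = t[1], t[3], t[4], t[5:]
    problems = []
    # The defect from the question: "host A" directly followed by a mask.
    if rest[0] == "host" and len(rest) > 2 and IPV4.match(rest[2]):
        net = ipaddress.ip_network(f"{rest[1]}/{rest[2]}", strict=False)
        if rest[1] == str(net.network_address) and net.prefixlen < 32:
            # A is the network address of the subnet, so the subnet form was meant.
            problems.append(f"'host' with mask: {rest[1]} is the network address "
                            f"of {net}, so drop 'host'")
            rest = rest[1:]
        else:
            problems.append("'host' with mask: keeping the host, dropping the mask")
            rest = rest[:2] + rest[3:]
    src, rest = parse_addr(rest)
    dst, rest = parse_addr(rest)
    # Jon's second point: any destination with no port qualifier is very open.
    if action == "permit" and dst == "any" and not rest and proto in ("tcp", "udp", "ip"):
        problems.append(f"open rule: {src} may reach any host on any {proto} port")
    corrected = " ".join(["access-list", name, "extended", action, proto, src, dst] + rest)
    return problems, corrected
```

Running `lint_acl(QUESTION_ACL)` reports both issues and returns the subnet form of the entry without the "host" keyword.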

ericluoma Fri, 06/27/2008 - 08:30

My inside address is a 192.168.5.0 setup, so the traffic would be originating there.

Correct Answer
Jon Marshall Fri, 06/27/2008 - 08:37

Eric

If all the connections are originated from a 192.168.5.x address AND the device you are on is a stateful firewall, you do not need to explicitly allow the return traffic back in with an ACL.

Jon
