Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
536
Views
0
Helpful
3
Replies

Limiting access from WAN to LAN server

rick.hofstede
Level 1
Level 1

‎05-07-2009 09:26 AM - edited ‎03-06-2019 05:36 AM

Hi,

to be able to connect to one of my servers in my LAN from the WAN interface, I created static NAT translations. After setting up these translations, I created my firewall configuration. Everything works fine. However, I want to limit the access from the WAN to the local server to a few specified hosts. If I'm right, this should be possible using ACLs. The firewall configuration in SDM indicates for the static NAT translations 'Permit Firewall'. If I select 'Permit ACL' there, I cannot reach the particular server from outside anymore. I checked the ACLs in SDM and found out that there is only one 'Firewall ACL', which consists of 'invalid IP addresses'. This ACL is automatically created by SDM. How can I specify in my router (using SDM) to allow only a few specified to hosts to connect to the server?

Labels:
0 Helpful
3 Replies 3

Giuseppe Larosa
Hall of Fame
Hall of Fame

‎05-10-2009 04:21 AM

Hello Rick,

what you need is to create an ACL that will be applied to the lan interface

the acl needs to contain lines like (let's suppose is applied inbound and for http = tcp 80)

access-list 120 permit tcp host web-server-private-address eq 80 host permitted-host

add multiple lines one for each permitted host

then you need a deny statement

access-list 120 deny tcp host web-server-private-address eq 80 any

then you can permit other traffic

Hope to help

Giuseppe

0 Helpful

rick.hofstede
Level 1
Level 1
In response to Giuseppe Larosa

‎05-10-2009 11:05 AM

Hi Giuseppe,

thanks for your reply! Your explanation is totally clear to me. Thanks for that. Could you also tell me how to do this using SDM v2.5? I already explained some details about this in my first post. If you want to know something more, please let me know!

Regards,

Rick

0 Helpful

rick.hofstede
Level 1
Level 1
In response to rick.hofstede

‎05-10-2009 09:16 PM

Giuseppe,

to be more complete, you'll have to know the following: in SDM only the following three options can be chosen for a firewall rule: 1) "Permit Firewall", 2) "Permit ACL", 3) "Drop". If I want to limit the access from outside zone to inside zone to specified hosts, I expect to need to use the "Permit ACL" option. I checked in "ACL Editor" option in the "Additional tasks" section (where I can edit ACLs), but there's only one ACL defined (by SDM itself) for the firewall. I would expect to create a new one here, but in the firewall section I cannot choose a particular ACL to be used when "Permit ACL" is chosen.

I hope this clarifies things...

Rick

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card