Limiting access from WAN to LAN server

Unanswered Question
May 7th, 2009


To be able to connect to one of my servers in my LAN from the WAN interface, I created static NAT translations. After setting up these translations, I created my firewall configuration. Everything works fine. However, I want to limit the access from the WAN to the local server to a few specified hosts. If I'm right, this should be possible using ACLs. The firewall configuration in SDM indicates 'Permit Firewall' for the static NAT translations. If I select 'Permit ACL' there, I cannot reach the particular server from outside anymore. I checked the ACLs in SDM and found out that there is only one 'Firewall ACL', which consists of 'invalid IP addresses'. This ACL is automatically created by SDM. How can I specify in my router (using SDM) to allow only a few specified hosts to connect to the server?

Giuseppe Larosa Sun, 05/10/2009 - 04:21

Hello Rick,

What you need is to create an ACL that will be applied to the LAN interface.

The ACL needs to contain lines like the following (let's suppose it is applied inbound and for HTTP = TCP 80):

access-list 120 permit tcp host web-server-private-address eq 80 host permitted-host

Add multiple lines, one for each permitted host.

Then you need a deny statement:

access-list 120 deny tcp host web-server-private-address eq 80 any

Then you can permit other traffic.

Hope this helps.
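As an added example (not code from the original thread, from Cisco, or from SDM), the Python below models how IOS evaluates the numbered extended ACL described in the answer above: it parses the same `access-list 120 ...` lines, evaluates constructed sample flows against them with first-match semantics, and shows the implicit deny at the end of every IOS ACL and what happens if the deny line is placed before the per-host permits. Because the ACL is applied inbound on the LAN interface (`ip access-group 120 in` under that interface), it sees the server's replies, which is why the server is the source and `eq 80` is the source port. The server address 192.0.2.10, the permitted hosts 198.51.100.7 and 198.51.100.8, the other WAN host 203.0.113.5, and the trailing `permit ip any any` line for "other traffic" are assumptions for the example; the model supports only `host`, `any`, wildcard masks and `eq`.

```python
"""Model of Cisco IOS extended-ACL evaluation (first match wins, implicit deny).

Added example, not code from the original thread or from Cisco. It parses
the numbered-ACL lines from the answer above and evaluates sample packets
against them. Assumptions: 192.0.2.10 is the server's private address,
198.51.100.7 and .8 are the permitted WAN hosts, and the final line is
'permit ip any any' for "other traffic". All addresses are made-up
RFC 5737 documentation addresses; the flows below are constructed.
"""
import ipaddress
from typing import List, NamedTuple, Optional, Tuple

WEB_SERVER = "192.0.2.10"                           # assumed LAN server address
PERMITTED_HOSTS = ["198.51.100.7", "198.51.100.8"]  # assumed allowed WAN hosts

# The ACL as the answer describes it. Applied with "ip access-group 120 in"
# on the LAN interface, it sees the server's replies, so the server is the
# source and "eq 80" is the source port.
ACL_120_LINES = [
    f"access-list 120 permit tcp host {WEB_SERVER} eq 80 host {h}" for h in PERMITTED_HOSTS
] + [
    f"access-list 120 deny tcp host {WEB_SERVER} eq 80 any",
    "access-list 120 permit ip any any",   # assumed "permit other traffic" line
]


class Ace(NamedTuple):
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sport: Optional[int]   # None = any port
    dst: ipaddress.IPv4Network
    dport: Optional[int]


def _parse_addr(t: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'; return (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    # IOS wildcard masks are inverted netmasks; invert explicitly so that a
    # 0.0.0.0 wildcard means "this one host", not "everything".
    wildcard = int(ipaddress.ip_address(t[i + 1]))
    netmask = ipaddress.ip_address(~wildcard & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{t[i]}/{netmask}", strict=False), i + 2


def _parse_port(t: List[str], i: int) -> Tuple[Optional[int], int]:
    """Consume an optional 'eq <port>' (only 'eq' is modelled)."""
    if i < len(t) and t[i] == "eq":
        return int(t[i + 1]), i + 2
    return None, i


def parse_ace(line: str) -> Ace:
    """Parse 'access-list <n> permit|deny <proto> <src> [eq p] <dst> [eq p]'."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported ACL line: {line}")
    src, i = _parse_addr(t, 4)
    sport, i = _parse_port(t, i)
    dst, i = _parse_addr(t, i)
    dport, i = _parse_port(t, i)
    if i != len(t):
        raise ValueError(f"trailing tokens in ACL line: {line}")
    return Ace(t[2], t[3], src, sport, dst, dport)


def evaluate(acl: List[Ace], proto: str, src: str, sport: int, dst: str, dport: int) -> str:
    """Return 'permit' or 'deny' for one packet: the first matching entry wins,
    and a packet that matches nothing hits the implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.sport is not None and ace.sport != sport:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"   # implicit deny: no explicit entry matched


ACL_120 = [parse_ace(line) for line in ACL_120_LINES]
# Same entries with the deny moved to the top: the per-host permits never match.
ACL_120_MISORDERED = [ACL_120[-2]] + ACL_120[:-2] + [ACL_120[-1]]

if __name__ == "__main__":
    # Constructed sample flows: the server's HTTP replies, plus an unrelated flow.
    flows = [
        ("tcp", WEB_SERVER, 80, "198.51.100.7", 51000),  # permitted host
        ("tcp", WEB_SERVER, 80, "203.0.113.5", 51000),   # any other WAN host
        ("tcp", WEB_SERVER, 22, "203.0.113.5", 51001),   # not port 80: "other traffic"
    ]
    for f in flows:
        print(f, "->", evaluate(ACL_120, *f), "| misordered:", evaluate(ACL_120_MISORDERED, *f))
```

The misordered list exists only to show the ordering pitfall: with the deny first, replies to the permitted hosts are dropped too, so the per-host permits must come before the deny and the catch-all permit must come last. The model is stateless and ignores IOS keywords such as `established` and `log`; it is meant to show how the entries interact, not to replace testing on the router.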


rick.hofstede Sun, 05/10/2009 - 11:05

Hi Giuseppe,

Thanks for your reply! Your explanation is totally clear to me. Thanks for that. Could you also tell me how to do this using SDM v2.5? I already explained some details about this in my first post. If you want to know something more, please let me know!



rick.hofstede Sun, 05/10/2009 - 21:16


To be more complete, you'll have to know the following: in SDM only the following three options can be chosen for a firewall rule: 1) "Permit Firewall", 2) "Permit ACL", 3) "Drop". If I want to limit the access from the outside zone to the inside zone to specified hosts, I expect to need to use the "Permit ACL" option. I checked the "ACL Editor" option in the "Additional tasks" section (where I can edit ACLs), but there's only one ACL defined (by SDM itself) for the firewall. I would expect to create a new one here, but in the firewall section I cannot choose a particular ACL to be used when "Permit ACL" is chosen.

I hope this clarifies things...


