05-07-2009 09:26 AM - edited 03-06-2019 05:36 AM
Hi,
to be able to connect to one of my servers in my LAN from the WAN interface, I created static NAT translations. After setting up these translations, I created my firewall configuration. Everything works fine. However, I want to limit the access from the WAN to the local server to a few specified hosts. If I'm right, this should be possible using ACLs. The firewall configuration in SDM indicates 'Permit Firewall' for the static NAT translations. If I select 'Permit ACL' there, I cannot reach the particular server from outside anymore. I checked the ACLs in SDM and found out that there is only one 'Firewall ACL', which consists of 'invalid IP addresses'. This ACL is automatically created by SDM. How can I specify in my router (using SDM) to allow only a few specified hosts to connect to the server?
05-10-2009 04:21 AM
Hello Rick,
what you need is to create an ACL that will be applied to the LAN interface.
The ACL needs to contain lines like (let's suppose it is applied inbound and for HTTP = TCP 80):
access-list 120 permit tcp host web-server-private-address eq 80 host permitted-host
Add multiple lines, one for each permitted host.
Then you need a deny statement:
access-list 120 deny tcp host web-server-private-address eq 80 any
Then you can permit other traffic.
Hope to help
Giuseppe
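The ACL Giuseppe outlines, written out as a complete IOS CLI example added to this thread (it is not configuration posted by either participant). The addresses 192.168.1.10 (the server's private address), 203.0.113.5 and 203.0.113.6 (the two permitted WAN hosts) and the interface name FastEthernet0/0 are placeholders chosen for the example, not values from the thread:

```cisco
! Added example: ACL limiting WAN access to a NATed LAN web server,
! applied inbound on the LAN interface as described above.
! Placeholders: 192.168.1.10 = server's private address,
! 203.0.113.5 / 203.0.113.6 = permitted hosts, FastEthernet0/0 = LAN interface.
!
! ACLs are evaluated top-down, so the per-host permits must come first.
! Each line matches the replies the server sends back to one permitted host;
! any other host never gets a reply, so its TCP handshake cannot complete.
access-list 120 remark --- web server on port 80 reachable only from listed hosts ---
access-list 120 permit tcp host 192.168.1.10 eq 80 host 203.0.113.5
access-list 120 permit tcp host 192.168.1.10 eq 80 host 203.0.113.6
!
! Replies to everyone else are dropped; 'log' writes a syslog entry per match
! so blocked attempts are visible in the router log for review.
access-list 120 deny   tcp host 192.168.1.10 eq 80 any log
!
! Every ACL ends in an implicit deny, so the rest of the LAN's traffic
! must be permitted explicitly or it stops flowing.
access-list 120 permit ip any any
!
interface FastEthernet0/0
 description LAN
 ip access-group 120 in
```

To check the result, connect from one permitted host and from one that is not listed, then run `show ip access-lists 120` (from configuration mode, `do show ip access-lists 120`): the hit counter on the matching permit line should increase for the allowed host, and the deny line's counter (plus a logged message) for the other one.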
05-10-2009 11:05 AM
Hi Giuseppe,
thanks for your reply! Your explanation is totally clear to me. Thanks for that. Could you also tell me how to do this using SDM v2.5? I already explained some details about this in my first post. If you want to know something more, please let me know!
Regards,
Rick
05-10-2009 09:16 PM
Giuseppe,
to be more complete, you'll have to know the following: in SDM only the following three options can be chosen for a firewall rule: 1) "Permit Firewall", 2) "Permit ACL", 3) "Drop". If I want to limit the access from the outside zone to the inside zone to specified hosts, I expect to need to use the "Permit ACL" option. I checked the "ACL Editor" option in the "Additional tasks" section (where I can edit ACLs), but there's only one ACL defined (by SDM itself) for the firewall. I would expect to create a new one here, but in the firewall section I cannot choose a particular ACL to be used when "Permit ACL" is chosen.
I hope this clarifies things...
Rick