Cisco Support Community
Community Member

Access List

I would like to allow an inside IP that is not in the permit ACLs to access the following website IP addresses:

xxx.xxx.xx.170

xxx.xxx.xx.150

Another engineer added the two access lists at the end, but I don't think they are much help. If anyone can assist me with this I would deeply appreciate it.

access-list outgoing extended permit ip host 192.168.1.210 any
access-list outgoing extended permit ip host 192.168.1.211 any
access-list outgoing extended permit ip host 192.168.1.212 any
access-list outgoing extended permit ip host 192.168.1.213 any
access-list outgoing extended permit ip host 192.168.1.214 any
access-list outgoing extended permit ip host 192.168.1.215 any
access-list outgoing extended permit ip host 192.168.1.216 any
access-list outgoing extended permit ip host 192.168.1.217 any
access-list outgoing extended permit ip host 192.168.1.218 any
access-list outgoing extended permit ip host 192.168.1.219 any
access-list outgoing extended permit ip host 192.168.1.220 any
access-list outgoing extended permit ip host 192.168.1.12 any
access-list outgoing extended permit ip any host xxx.xxx.xx.170
access-list outgoing extended permit ip any host xxx.xxx.xxx.150

7 REPLIES
Hall of Fame Super Blue

Re: Access List

Hi

Well, it's a bit open if you only want HTTP to be allowed out, i.e.

access-list outgoing extended permit tcp host "inside ip" host xxx.xxx.xx.170 eq www
access-list outgoing extended permit tcp host "inside ip" host xxx.xxx.xxx.150 eq www

However, this is not your main problem. Are you NATting your internal IP addresses to a publicly routable address?

Jon
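To make Jon's point about the "permit ip any host ..." lines being "a bit open" concrete, here is a small first-match evaluator for the ACE format quoted in this thread. It is an added example, not code from the thread or from Cisco; the addresses are constructed samples, with 203.0.113.170 standing in for the masked xxx.xxx.xx.170 destination and 192.168.1.107 as the inside host.

```python
# Added example: minimal first-match evaluation of ASA-style
# "access-list NAME extended permit|deny PROTO SRC DST [eq PORT]" lines,
# supporting only the "any" and "host A.B.C.D" address forms seen above.
import ipaddress

PORT_NAMES = {"www": 80, "http": 80, "https": 443}  # small subset of ASA names

def _parse_addr(tokens, i):
    """Consume 'any' or 'host A.B.C.D' at tokens[i]; return (network, next_i)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2  # host form

def parse_ace(line):
    """Parse one ACE into a dict; returns None for lines that are not ACEs."""
    t = line.split()
    if len(t) < 7 or t[0] != "access-list" or t[2] != "extended":
        return None
    src, i = _parse_addr(t, 5)
    dst, i = _parse_addr(t, i)
    port = None
    if i + 1 < len(t) and t[i] == "eq":
        port = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return {"action": t[3], "proto": t[4], "src": src, "dst": dst, "dport": port}

def evaluate(acl_text, proto, src_ip, dst_ip, dport=None):
    """First matching ACE decides; no match means the implicit deny applies."""
    for ace in filter(None, map(parse_ace, acl_text.splitlines())):
        if ace["proto"] not in ("ip", proto):          # "ip" matches any protocol
            continue
        if ipaddress.ip_address(src_ip) not in ace["src"]:
            continue
        if ipaddress.ip_address(dst_ip) not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"] == "permit"
    return False

# Constructed ACLs modelled on the thread: the broad "ip any host" entry
# versus the tcp/host/eq www form suggested in the reply above.
ORIGINAL_ACL = """
access-list outgoing extended permit ip host 192.168.1.210 any
access-list outgoing extended permit ip any host 203.0.113.170
"""
TIGHTENED_ACL = """
access-list outgoing extended permit ip host 192.168.1.210 any
access-list outgoing extended permit tcp host 192.168.1.107 host 203.0.113.170 eq www
"""
```

With ORIGINAL_ACL any inside host reaches 203.0.113.170 on every protocol and port; with TIGHTENED_ACL only 192.168.1.107 on TCP/80 is permitted and everything else from that host hits the implicit deny.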

Community Member

Re: Access List

Yes

nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0

Hall of Fame Super Blue

Re: Access List

Can you post the corresponding global statements?

In fact it would help if you could post the full config minus any sensitive information.

Jon

Community Member

Re: Access List

I have attached the config.

Hall of Fame Super Blue

Re: Access List

Config looks okay. What is the source IP address you are trying to go from?

When you try to connect to that address, what do you see in the xlate table ("sh xlate")?

Jon

Community Member

Re: Access List

192.168.1.107

Silver

Re: Access List

To make sure I understand correctly, you want an inside host, 10.1.1.10 (example), to access the public IP address?

Is this correct?

What host to what address on what ports?

This is how the ACL will read.

As stated by Jon, you will see this in the xlate table, and the traffic going outbound will use the global IP. If you have a static NAT set up for the public IP and have an access list set up for access to that private IP via the NAT (wow, that sounded confusing), then you will need to make sure that it is not specific and allows any to access the site.

Now clear as mud, right?
