
ACL configuration on a 6500 firewall

Hi all

I require assistance with configuring an ACL on a 6500 firewall inbound interface so that a host can access only specific server IP ranges within other sites.

e.g. server addresses 192.168.x.20 to 192.168.x.35 - 0.0.255.15

If anyone has experience with this type of configuration, could you kindly advise?

Cheers

1 REPLY

Re: ACL configuration on a 6500 firewall

Hi

fwsm(config)# object-group network servers

fwsm(config-network)# network-object host 192.168.x.20

fwsm(config-network)# network-object host 192.168.x.21

... etc.

fwsm(config-network)# network-object host 192.168.x.35

fwsm(config-network)# exit

fwsm(config)# access-list restrict permit ip host x.x.x.x object-group servers

fwsm(config)# access-group restrict in interface "fw interface"

A couple of things to be aware of:

1) You may need NAT translations, depending on whether you are using NAT and on the security levels of your interfaces.

2) Every access-list has an implicit deny at the end, so make sure you add any other access to the "restrict" ACL before applying it.

3) The access-list says permit ip, but you could tie this down to more specific TCP and UDP ports.

HTH

Jon

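The following is an added example, not code from the thread above or from Cisco. It builds the object-group and ACL the reply describes and checks what the result actually permits. Two practical points it makes concrete: .20 to .35 is not a single subnet (it summarises to .20/30, .24/29 and .32/30, so three network-object entries per site instead of sixteen host entries), and FWSM/ASA object entries take a subnet mask, not an IOS-style wildcard such as the 0.0.255.15 in the question. The evaluate() function walks the ACL first-match with the implicit deny the reply warns about (point 2) and uses per-port rules instead of permit ip (point 3). The three site /24s, the client host 10.1.1.50, the interface name "inside" and the port list are constructed assumptions; the poster's "192.168.x" and "x.x.x.x" are placeholders. The command syntax mirrors the reply; check it against your FWSM release.

```python
"""Build and sanity-check an FWSM object-group/ACL for hosts .20-.35.

Added example, not from the original thread.  Standard library only.
Constructed assumptions: three site /24s stand in for the poster's
"192.168.x", the client host is 10.1.1.50, the inside interface is named
"inside", and the permitted ports are SSH, HTTPS and ICMP.
"""
import ipaddress

SITES = ["192.168.10.0/24", "192.168.20.0/24", "192.168.30.0/24"]  # constructed
CLIENT = "10.1.1.50"                                                # constructed
# (protocol, destination port or None): constructed stand-in for "permit ip".
RULES = [("tcp", 22), ("tcp", 443), ("icmp", None)]


def server_group_lines(sites, first_host=20, last_host=35):
    """FWSM 'network-object' lines covering .first_host-.last_host in
    every site /24, using the fewest entries.

    For .20-.35 summarize_address_range yields .20/30, .24/29 and .32/30:
    three lines per site instead of sixteen 'host' lines.  FWSM/ASA
    entries carry a subnet mask (255.255.255.252), never an IOS wildcard.
    """
    lines = []
    for site in sites:
        net = ipaddress.ip_network(site)
        lo = net.network_address + first_host
        hi = net.network_address + last_host
        for block in ipaddress.summarize_address_range(lo, hi):
            if block.prefixlen == 32:
                lines.append(f"network-object host {block.network_address}")
            else:
                lines.append(
                    f"network-object {block.network_address} {block.netmask}")
    return lines


def group_networks(lines):
    """Parse network-object lines back into ip_network objects."""
    nets = []
    for line in lines:
        _, a, b = line.split()
        nets.append(ipaddress.ip_network(b if a == "host" else f"{a}/{b}"))
    return nets


def render_config(client=CLIENT, sites=SITES, interface="inside"):
    """Emit the object-group, access-list and access-group as one string."""
    cfg = ["object-group network servers"]
    cfg += [" " + line for line in server_group_lines(sites)]
    for proto, port in RULES:
        port_txt = f" eq {port}" if port is not None else ""
        cfg.append(f"access-list restrict permit {proto} host {client} "
                   f"object-group servers{port_txt}")
    cfg.append(f"access-group restrict in interface {interface}")
    return "\n".join(cfg)


def evaluate(proto, src, dst, dport=None, client=CLIENT, sites=SITES):
    """First-match evaluation of the 'restrict' ACL.  Anything that
    matches no entry hits the implicit deny at the end of the list."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    servers = group_networks(server_group_lines(sites))
    for proto_r, port_r in RULES:
        if proto_r != proto or s != ipaddress.ip_address(client):
            continue
        if not any(d in n for n in servers):
            continue
        if port_r is not None and port_r != dport:
            continue
        return "permit"
    return "deny"


if __name__ == "__main__":
    print(render_config())
    print(evaluate("tcp", CLIENT, "192.168.20.35", 443))   # permit
    print(evaluate("tcp", CLIENT, "192.168.20.36", 443))   # deny: outside .20-.35
    print(evaluate("udp", CLIENT, "192.168.20.35", 53))    # deny: implicit deny
```

Run it to print the configuration and three evaluations. The last one is the trap from the reply's point 2: a DNS query from the same client to a permitted server is dropped because no entry covers UDP, so anything else the host needs must be added to "restrict" before the access-group line applies it to the interface.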