Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Allow traffic inside to outside


One Host on inside network needs to access customized application hosted on Internet. Its a customized application run on port 80, 443, 5000-to-50020

How do I allow this host access for this specific application. I got ASA 5510 and host is in the inside network, we also got an ACL on inside interface to have control.

Host IP on inside network  -

Application to access - 74.219.x.x

Inside ACL name - inside-acl




Allow traffic inside to outside

Well, by default, all traffic from a higher security-level interface is allowed access to a lower-security level interface, unless there is a specific entry in an ACL that is blocking it.

If you have to include an entry in the "inside-acl" to get it out, I would do the following

object-group service CustApp tcp

port-object 80

port-object 443

port-object range 5000 50020

access-list inside-acl permit tcp host object-group service CustApp

I think that's right. I sometimes have to use the ? mark to help me out, I'm winging this without an ASA handy.

New Member

Allow traffic inside to outside

Thanks John

what happens if the host access access public website ( port 80 ) ; will it be blocked

can i restrict bandwidth for this host to use 256kbps max for this connection (in/out)



Allow traffic inside to outside

The host should be able to acess the public website just fine, unless there are entries in your ACLs that are

preventing it from doing so. As far as restricting based on traffic, I'm sure you could do some sort of traffic polcing

or QoS for that specific host, but I have no idea how. I've never done that on an ASA before, so I don't want to tell

you wrong.

New Member

Allow traffic inside to outside

Hi John

I want internal host to talk to external host 74.219.x.x on port 80, 443,5000 50020 only.  Traffic initiated from host to any other host on internet should be blocked.



Allow traffic inside to outside

I would apply this to the inside interface. Now, I have no idea what specific entries you have on

your inside access list, so I'll write it, as if it's a brand new configuration.

access-list inside_access_in permit tcp host obect-group service Ports

access-list inside_access_in deny ip host any

access-list inside_access_in permit ip any any

access-group inside_access_in in interface inside

This will allow host tcp access to 74.219.x.x on the specific ports, then all other IP traffic

will be denied via the next line. Then you will have a permit ip any any at the end. That way everything else

is wide open outbound.