Is this a valid ACL?

ericluoma (Level 1)

Is this a valid ACL?

access-list OUTSIDE_access_in extended permit tcp host 160.83.89.0 255.255.255.0 any

If I want to allow this address incoming to any internal address?


7 Replies

balsheikh (Level 1)

I believe there is no need for the keyword host, as you permit the /24 subnet, and make sure you apply that ACL inbound on the outside interface.

Regards,

Belal

Jon Marshall (Hall of Fame)

Eric

When you say this address 160.83.89.0, do you mean the network? In which case, as the previous poster said, remove the "host" keyword.

If it is just a particular host then remove the 255.255.255.0 portion of your access-list. BUT 160.83.89.0 cannot be used as a host address, so it's not entirely clear what you are trying to do.

Jon

I am trying to let in any address from that 160.83.89.0 subnet into my outside interface. Is that possible to do, or do I have to get the exact IPs of individual PCs in that network range? When it is requested from any of my internal IPs.

No, you can use the subnet address if you want. In that case just remove the "host" keyword from your acl.

It is a rather open rule though. You are saying any host on the 160.83.89.0/24 subnet can access any server on any tcp port.

Also, you wrote

"When it is requested from any of my internal IP's."

If this is a stateful firewall you are on, then if the connection originated from one of your internal IPs to a host on the 160.83.89.0/24 subnet you don't need the acl rule, because the traffic will automatically be let back in.

However, if the connection is initiated from the 160.83.89.0/24 network, or this is not a stateful firewall, you do need the acl.

Jon
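The two problems raised in this thread (the "host" keyword followed by a subnet mask, and a permit to "any" on every TCP port) can be caught mechanically before a line is pasted into the ASA. The following lint script is an added example, not part of the original thread or of Cisco's tooling; the ACL lines it checks are constructed from the question and the suggested fix.

```python
import ipaddress
import re

# Constructed sample lines: the original ACL from the question, the corrected
# form suggested in the thread, and a deliberately narrow rule for comparison.
SAMPLE_ACLS = [
    "access-list OUTSIDE_access_in extended permit tcp host 160.83.89.0 255.255.255.0 any",
    "access-list OUTSIDE_access_in extended permit tcp 160.83.89.0 255.255.255.0 any",
    "access-list OUTSIDE_access_in extended permit tcp 160.83.89.0 255.255.255.0 host 192.168.5.10 eq 443",
]

LINE_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) (.+)$")
DOTTED_RE = re.compile(r"\d+\.\d+\.\d+\.\d+")


def _parse_addr(tokens):
    """Consume one ASA address spec (any | host A | A MASK) from the token list.
    Returns (description, remaining_tokens, findings)."""
    findings = []
    if tokens[0] == "any":
        return "any", tokens[1:], findings
    if tokens[0] == "host":
        addr, rest = tokens[1], tokens[2:]
        # 'host' takes a single address; a dotted mask after it is the syntax error
        # from the question (either 'host A' or 'A MASK', never both).
        if rest and DOTTED_RE.fullmatch(rest[0]):
            findings.append(f"'host {addr}' is followed by mask {rest[0]}: use 'host' or a mask, not both")
            rest = rest[1:]
        if addr.endswith(".0"):  # a .0 network address is not a usable host address
            findings.append(f"{addr} looks like a network address, not a host")
        return f"host {addr}", rest, findings
    if len(tokens) < 2:
        return tokens[0], tokens[1:], [f"address {tokens[0]} has no mask"]
    net = ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False)
    return str(net), tokens[2:], findings


def lint_acl(line):
    """Return a list of findings for one ASA extended access-list line.
    Only the common 'source destination [eq PORT]' layout is handled here."""
    m = LINE_RE.match(line.strip())
    if not m:
        return ["not an extended access-list line"]
    _name, action, proto, rest = m.groups()
    src, tokens, findings = _parse_addr(rest.split())
    dst, tokens, more = _parse_addr(tokens)
    findings += more
    ports = tokens  # whatever remains, e.g. ['eq', '443'], or [] for no port match
    if action == "permit" and dst == "any" and not ports:
        findings.append(f"permit {proto} from {src} to any host on any port: rule is very open")
    return findings


if __name__ == "__main__":
    for acl in SAMPLE_ACLS:
        print(acl, "->", lint_acl(acl) or ["ok"])
```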

My inside address is a 192.168.5.0 setup, so the traffic would be originating there.

Eric

If all the connections are originated from a 192.168.5.x address AND the device you are on is a stateful firewall, you do not need to explicitly allow the return traffic back in with an acl.

Jon

Thanks.
