New Member

Is this a valid acl

Is this a valid ACL?

access-list OUTSIDE_access_in extended permit tcp host 160.83.89.0 255.255.255.0 any

If I want to allow this address incoming to any internal address?


7 REPLIES
New Member

Re: Is this a valid acl

I believe there is no need for the keyword host, as you permit the /24 subnet. Make sure you apply that ACL inbound on the outside interface.

Regards,

Belal

Hall of Fame Super Blue

Re: Is this a valid acl

Eric

When you say this address 160.83.89.0, do you mean the network? In which case, as the previous poster said, remove the "host" keyword.

If it is just a particular host then remove the 255.255.255.0 portion of your access-list. BUT 160.83.89.0 cannot be used as a host address, so it's not entirely clear what you are trying to do.

Jon

New Member

Re: Is this a valid acl

I am trying to let in any address from that 160.83.89.0 subnet into my outside interface. Is that possible to do, or do I have to get the exact IPs of individual PCs in that network range? When it is requested from any of my internal IPs.

Hall of Fame Super Blue

Re: Is this a valid acl

No, you can use the subnet address if you want. In that case just remove the "host" keyword from your acl.

It is a rather open rule though. You are saying any host on the 160.83.89.0/24 subnet can access any server on any tcp port.

Also you wrote

"When it is requested from any of my internal IP's."

If this is a stateful firewall you are on, then if the connection originated from one of your internal IPs to a host on the 160.83.89.0/24 subnet, you don't need the acl rule because the traffic will automatically be let back in.

However if the connection is initiated from the 160.83.89.0/24 network or this is not a stateful firewall you do need the acl.

Jon
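The two corrections Jon describes (drop `host` to match the whole subnet, or drop the mask to match one host) and the breadth of the resulting rule can be checked mechanically before the line is pasted into the firewall. The following Python is an added example, not code from this thread or from Cisco; it assumes the ASA `access-list <name> extended permit|deny <proto> <src> [ports] <dst> [ports]` form with `any`, `host A.B.C.D` and `A.B.C.D MASK` address specifiers, and every function name in it is my own.

```python
"""Checker for Cisco ASA extended ACL lines such as the one asked about above."""
import ipaddress
import re

# access-list <name> extended permit|deny <proto> <rest...>
ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+(?P<action>permit|deny)\s+"
    r"(?P<proto>\S+)\s+(?P<rest>.+)$"
)
# Port operators and how many arguments each takes.
PORT_OPS = {"eq": 1, "neq": 1, "gt": 1, "lt": 1, "range": 2}


def _is_ipv4(token):
    try:
        ipaddress.IPv4Address(token)
        return True
    except ValueError:
        return False


def _take_address(tokens, problems, role):
    """Consume one address specifier (any | host A | A MASK) from the front of tokens.

    Returns (description, corrected text for the specifier, remaining tokens).
    """
    if not tokens:
        problems.append(f"missing {role} address")
        return None, None, tokens
    tok = tokens[0]
    if tok == "any":
        return "any", "any", tokens[1:]
    if tok == "host":
        if len(tokens) < 2 or not _is_ipv4(tokens[1]):
            problems.append(f"{role}: 'host' must be followed by a single IPv4 address")
            return None, None, tokens[1:]
        addr, rest = tokens[1], tokens[2:]
        if rest and _is_ipv4(rest[0]):
            # The defect in the question: 'host' takes exactly one address, so a
            # trailing mask is not valid syntax. Following the thread's advice we
            # rewrite it as a network rule and point out why 'host' alone is unlikely.
            mask = rest[0]
            problems.append(f"{role}: 'host {addr}' is followed by a mask {mask}; "
                            "use either 'host <ip>' or '<network> <mask>', not both")
            net = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
            if ipaddress.IPv4Address(addr) == net.network_address:
                problems.append(f"{role}: {addr} is the network address of {net}, "
                                "not a usable host address; the subnet form is probably intended")
            return f"host {addr} {mask}", f"{addr} {mask}", rest[1:]
        return f"host {addr}", f"host {addr}", rest
    if _is_ipv4(tok):
        if len(tokens) < 2 or not _is_ipv4(tokens[1]):
            problems.append(f"{role}: network {tok} needs a subnet mask")
            return None, None, tokens[1:]
        try:
            net = ipaddress.IPv4Network(f"{tok}/{tokens[1]}", strict=True)
        except ValueError:
            problems.append(f"{role}: {tok} {tokens[1]} is not a valid network/mask pair")
            return None, None, tokens[2:]
        return str(net), f"{tok} {tokens[1]}", tokens[2:]
    problems.append(f"{role}: unrecognised address token '{tok}'")
    return None, None, tokens[1:]


def _take_ports(tokens):
    """Consume an optional port clause (eq 80, range 1 1023, ...)."""
    if tokens and tokens[0] in PORT_OPS:
        n = PORT_OPS[tokens[0]] + 1
        return " ".join(tokens[:n]), tokens[n:]
    return None, tokens


def check_acl(line):
    """Parse one ASA extended ACL line; report syntax problems, risk notes and a corrected line."""
    problems, warnings = [], []
    m = ACL_RE.match(line.strip())
    if not m:
        return {"valid": False, "problems": ["not an 'access-list <name> extended permit|deny "
                "<proto> ...' line"], "warnings": [], "suggestion": None,
                "source": None, "destination": None}
    tokens = m.group("rest").split()
    src, src_fixed, tokens = _take_address(tokens, problems, "source")
    sport, tokens = _take_ports(tokens)
    dst, dst_fixed, tokens = _take_address(tokens, problems, "destination")
    dport, tokens = _take_ports(tokens)
    if tokens:
        problems.append("unexpected trailing tokens: " + " ".join(tokens))
    # Jon's point about breadth: a permit to 'any' with no port restriction is a wide-open rule.
    if (m.group("action") == "permit" and m.group("proto") in ("tcp", "udp", "ip")
            and dst == "any" and dport is None):
        warnings.append(f"broad rule: {src or '?'} may reach any destination on any "
                        f"{m.group('proto')} port")
    suggestion = None
    if src_fixed and dst_fixed:
        parts = ["access-list", m.group("name"), "extended", m.group("action"),
                 m.group("proto"), src_fixed] + ([sport] if sport else []) \
                + [dst_fixed] + ([dport] if dport else [])
        suggestion = " ".join(parts)
    return {"valid": not problems, "problems": problems, "warnings": warnings,
            "suggestion": suggestion, "source": src, "destination": dst}


if __name__ == "__main__":
    # The line from the question (constructed input taken from the post above).
    line = "access-list OUTSIDE_access_in extended permit tcp host 160.83.89.0 255.255.255.0 any"
    for key, value in check_acl(line).items():
        print(f"{key}: {value}")
```

Running it on the question's line reports the `host` plus mask conflict, notes that 160.83.89.0 is the network address of 160.83.89.0/24, suggests the subnet form without `host`, and flags the rewritten rule as broad because it still allows any TCP port to any internal destination. The checker only validates syntax and breadth; whether the rule is needed at all still depends on the direction of the connections and on the firewall being stateful, as the reply above explains.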

New Member

Re: Is this a valid acl

My inside address is a 192.168.5.0 setup, so the traffic would be originating there.

Hall of Fame Super Blue

Re: Is this a valid acl

Eric

If all the connections are originated from a 192.168.5.x address AND the device you are on is a stateful firewall, you do not need to explicitly allow the return traffic back in with an acl.

Jon

New Member

Re: Is this a valid acl

Thanks.
