Cisco Support Community
New Member

Need ACL Help

I posted this on the 501 help but I am now 15 posts in and still no help, so I am re-posting.

I have several devices that I am using from my PIX. However, I can't seem to prevent HTTP access to a specific public IP address. This is what I have.

name P.P.P.P Outside ** Public IP Address

object-group network Tac
network-object host X.X.X.X
network-object host X.X.X.X
network-object host X.X.X.X

access-list outside_in permit tcp object-group Tac host Outside eq www
access-list outside_in permit tcp object-group Tac host Outside eq https
access-list outside_in permit tcp object-group Tac host Outside eq telnet
access-list outside_in permit tcp object-group Tac host Outside eq ssh

static (inside,outside) Outside Inside netmask 255.255.255.255 0 0

** I do not want HTTP access to this public device.

Thanks

Gabrielle

3 REPLIES
Green

Re: Need ACL Help

So what you are saying is you can access P.P.P.P/http from IP addresses other than those defined in object-group Tac?

Also, how are you testing this? Are you coming from outside the PIX or from the inside?

New Member

Re: Need ACL Help

From the outside of the PIX.

New Member

Re: Need ACL Help

I assume the access-list outside_in is applied to the outside interface in the inbound direction, and you have a server which is reachable from the internet on port 80.

If you do not want to permit port 80 access apart from Tac, add a deny entry towards this public IP from any source.

access-list outside_in extended deny tcp any host Outside eq 80

Hope this helps.
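As an added illustration of the ordering point behind the replies (example code written for this page, not the poster's configuration or anything from Cisco): a small first-match evaluator for the ACL lines in the thread, showing that the deny entry from the last reply keeps Tac's HTTP access only when it sits after the permit lines, and blocks Tac as well when it is placed first. The IP addresses are constructed placeholders, and "Outside" stands in for the poster's P.P.P.P.

```python
# Added example, not from the thread: a first-match evaluator for the PIX-style
# ACL entries in the post. Addresses are constructed placeholders and "Outside"
# stands in for the poster's public IP P.P.P.P.
from dataclasses import dataclass

NAMES = {"Outside": "203.0.113.10"}                 # constructed
GROUPS = {"Tac": {"198.51.100.1", "198.51.100.2"}}   # constructed
PORTS = {"www": 80, "https": 443, "telnet": 23, "ssh": 22}

@dataclass
class Ace:
    action: str  # "permit" or "deny"
    src: str     # "any", "host <ip>" or "object-group <name>"
    dst: str     # destination IP after name resolution
    port: int

def parse_ace(line):
    """Parse 'access-list NAME [extended] ACTION tcp SRC host DST eq PORT'."""
    t = line.split()
    if t[2] == "extended":
        del t[2]
    i = 4                                   # t[3] is the protocol keyword
    src = "any" if t[i] == "any" else f"{t[i]} {t[i + 1]}"
    i += 1 if t[i] == "any" else 2
    dst = NAMES.get(t[i + 1], t[i + 1])     # token after "host"
    port = t[i + 3]                         # token after "eq"
    return Ace(t[2], src, dst, PORTS.get(port) or int(port))

def src_matches(spec, ip):
    if spec == "any":
        return True
    kind, value = spec.split()
    return ip in GROUPS[value] if kind == "object-group" else ip == value

def evaluate(acl, src_ip, dst_ip, dport):
    """First matching entry wins; with no match the implicit deny applies."""
    for ace in acl:
        if src_matches(ace.src, src_ip) and ace.dst == dst_ip and ace.port == dport:
            return ace.action
    return "deny"

# The four permit lines from the post, and the deny line from the last reply.
POSTED = [parse_ace(f"access-list outside_in permit tcp object-group Tac host Outside eq {p}")
          for p in ("www", "https", "telnet", "ssh")]
DENY_80 = parse_ace("access-list outside_in extended deny tcp any host Outside eq 80")

def http_verdict(acl, src_ip):
    return evaluate(acl, src_ip, NAMES["Outside"], 80)
```

Compare http_verdict(POSTED + [DENY_80], tac_ip) with http_verdict([DENY_80] + POSTED, tac_ip) to see why the position of the deny line matters.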
