Cisco Support Community

New Member

Limiting access from WAN to LAN server


To be able to connect to one of my servers in my LAN from the WAN interface, I created static NAT translations. After setting up these translations, I created my firewall configuration. Everything works fine. However, I want to limit the access from the WAN to the local server to a few specified hosts. If I'm right, this should be possible using ACLs. The firewall configuration in SDM indicates for the static NAT translations 'Permit Firewall'. If I select 'Permit ACL' there, I cannot reach the particular server from outside anymore. I checked the ACLs in SDM and found out that there is only one 'Firewall ACL', which consists of 'invalid IP addresses'. This ACL is automatically created by SDM. How can I specify in my router (using SDM) to allow only a few specified hosts to connect to the server?

Hall of Fame Super Silver

Re: Limiting access from WAN to LAN server

Hello Rick,

What you need is to create an ACL that will be applied to the LAN interface.

The ACL needs to contain lines like the following (let's suppose it is applied inbound and for HTTP = TCP 80):

access-list 120 permit tcp host web-server-private-address eq 80 host permitted-host

Add multiple lines, one for each permitted host.

Then you need a deny statement:

access-list 120 deny tcp host web-server-private-address eq 80 any

Then you can permit other traffic.

Hope to help
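
The ACL from the reply above with the placeholders filled in and bound to the LAN interface, as an added example that is not part of the original posts. The addresses (192.168.1.10 for the server, 203.0.113.10 and 203.0.113.20 for the permitted hosts), the interface name FastEthernet0/0 and the final permit ip any any line are assumptions.

```cisco
! Constructed sample values, not from the thread:
!   192.168.1.10   web server private (inside local) address
!   203.0.113.10   first permitted outside host
!   203.0.113.20   second permitted outside host
!   FastEthernet0/0 is assumed to be the LAN-facing interface
!
! Entries are evaluated top-down and the first match wins, so the
! per-host permits must come before the deny for the same service.
access-list 120 remark HTTP replies from the server to permitted hosts only
access-list 120 permit tcp host 192.168.1.10 eq 80 host 203.0.113.10
access-list 120 permit tcp host 192.168.1.10 eq 80 host 203.0.113.20
access-list 120 deny   tcp host 192.168.1.10 eq 80 any
access-list 120 remark Everything else from the LAN is left unchanged
access-list 120 permit ip any any
!
! Inbound on the LAN interface: traffic is matched as it enters the
! router from the server, before the inside address is translated,
! which is why the private address is used as the source.
interface FastEthernet0/0
 ip access-group 120 in
!
! Verification from exec mode:
!   show access-lists 120                (per-entry match counters)
!   show ip interface FastEthernet0/0    (confirms the inbound ACL)
```

An extended ACL ends in an implicit deny, so leaving out the last permit line would block all other traffic entering from the LAN. The match counters in `show access-lists 120` show whether connections from a non-listed host are hitting the deny entry.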


New Member

Re: Limiting access from WAN to LAN server

Hi Giuseppe,

Thanks for your reply! Your explanation is totally clear to me. Thanks for that. Could you also tell me how to do this using SDM v2.5? I already explained some details about this in my first post. If you want to know something more, please let me know!



New Member

Re: Limiting access from WAN to LAN server


To be more complete, you'll have to know the following: in SDM only the following three options can be chosen for a firewall rule: 1) "Permit Firewall", 2) "Permit ACL", 3) "Drop". If I want to limit the access from outside zone to inside zone to specified hosts, I expect to need to use the "Permit ACL" option. I checked the "ACL Editor" option in the "Additional tasks" section (where I can edit ACLs), but there's only one ACL defined (by SDM itself) for the firewall. I would expect to create a new one here, but in the firewall section I cannot choose a particular ACL to be used when "Permit ACL" is chosen.

I hope this clarifies things...

