Cisco Support Community

allowing a range of addresses thru the firewall (515e)

Hello,

I have received a request to add a block of addresses to have access through our firewall. Can someone help with the syntax for the 'range' command?

The block of IPs that needs to pass is 72.164.152.1-254.

Thank you!!

Gary

7 REPLIES

Re: allowing a range of addresses thru the firewall (515e)

Hi,

You can specify a range of addresses in an ACL - example:

*To allow 72.164.152.1-254 (1 block) inbound access for the www & telnet services

access-list outside permit tcp 72.164.152.0 255.255.255.0 host <server-ip> eq telnet

access-list outside permit tcp 72.164.152.0 255.255.255.0 host <server-ip> eq www

access-list outside permit ip 72.164.152.0 255.255.255.0 host <server-ip> --> allow any access to one host

access-group outside in interface outside

Rgds,

AK
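The ACL above takes a network/mask pair, not a true address range, so 72.164.152.1-254 is either one /24 entry (which also admits .0 and .255) or a list of exactly aligned blocks. The helper below is an added example, not code from this thread; the ACL name "outside", the destination host 192.168.1.10 and the service "www" are taken from AK's examples as placeholders.

```python
import ipaddress


def covering_supernet(lo, hi):
    """Smallest single CIDR block that contains both lo and hi."""
    net = ipaddress.ip_network(f"{lo}/32")
    while hi not in net:
        net = net.supernet()
    return net


def acl_lines_for_range(first, last, acl_name, proto, dst_host, port, exact=True):
    """Emit PIX-style ACL entries (subnet-mask form) covering first..last.

    exact=True  -> one entry per aligned CIDR block, nothing outside the range admitted
    exact=False -> a single entry for the smallest block that covers the range
    """
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    blocks = list(ipaddress.summarize_address_range(lo, hi)) if exact else [covering_supernet(lo, hi)]
    lines = []
    for b in blocks:
        # PIX ACLs write a single address as "host a.b.c.d" and a block as "network mask"
        src = f"host {b.network_address}" if b.prefixlen == 32 else f"{b.network_address} {b.netmask}"
        lines.append(f"access-list {acl_name} permit {proto} {src} host {dst_host} eq {port}")
    return lines


def extra_addresses(first, last):
    """Addresses the single covering block admits that were NOT requested."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    return [str(a) for a in covering_supernet(lo, hi) if a < lo or a > hi]


if __name__ == "__main__":
    # Constructed input: the range from the original question.
    for line in acl_lines_for_range("72.164.152.1", "72.164.152.254", "outside", "tcp", "192.168.1.10", "www"):
        print(line)
    print("single /24 entry also admits:", extra_addresses("72.164.152.1", "72.164.152.254"))
```

The exact form needs 14 entries for .1-.254 because the range is not CIDR-aligned; the single /24 entry is shorter but admits the network and broadcast addresses as well.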


Re: allowing a range of addresses thru the firewall (515e)

Hi AK,

I'm having the same challenge.

If I'm accessing from outside to inside, don't I have to apply an ACL and a translation, as the rule says? Or is this ACL enough to let people from outside (Eth0) access the inside server (Eth1)?

BR

Fady

Re: allowing a range of addresses thru the firewall (515e)

Hi Fady,

The mandatory standard rule is to use an ACL and a static map to enable your internal server to be accessed from the internet. The ACL itself is not enough, unless you use NAT 0 (no translation), or your internal network runs on public IPs, where you need to use "static (inside,outside) xx.xx.xx.xx xx.xx.xx.xx netmask nn.nn.nn.nn".

xx.xx.xx.xx - your internal IP/subnet; nn.nn.nn.nn - netmask

Example:

access-list outside permit tcp any host 192.168.1.10 eq www -> allow any host/IP

access-list outside permit tcp 172.254.254.0 255.255.255.0 host 192.168.1.10 eq www -> allow one source subnet (255.255.255.0 mask assumed)

access-group outside in interface outside

static (inside,outside) 192.168.1.10 10.1.1.5 netmask 255.255.255.255

http://www.cisco.com/en/US/partner/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a008017278e.html#wp1001972

Rgds,

AK


Re: allowing a range of addresses thru the firewall (515e)

AK,

Does NAT 0 work from outside to inside?

Because I have a Frame Relay network with 8 branches and I want my branches to access my server without NATing. Can it be done through the firewall?

Re: allowing a range of addresses thru the firewall (515e)

Hi Fady,

Are you using FR over a public network (connected via the internet), or hosted by an ISP, which is considered a private WAN link?

You can use NAT 0 with an ACL to control incoming access via specific TCP/UDP services if your internal network runs on public IPs (with extra care).

Allow only specific hosts, not the whole subnet. Maybe use an access-list to define/allow which hosts are allowed under nat 0, e.g. "nat (inside) 0 access-list xxx", or just "nat (inside) 0 xx.xx.xx.xx nn.nn.nn.nn" (nn - netmask).

Rgds,

AK

Re: allowing a range of addresses thru the firewall (515e)

Thanks man
