Outside ACL

iholdings
Level 1

Greetings,

I'm attempting to allow a specific outside address SSL access to any host on our inside network. I have ACLs

access-list outside_acl permit tcp <outsidehostIP> <insidehostIP> eq <port>

For most entries, but how do I construct an ACL to allow the single outside host access to any inside host on eq 443? When I designate the access inside to "any" or 0.0.0.0 0.0.0.0, it won't accept the ACL.

I guess I'm missing something.

Thanks.

3 Replies

bfl1
Level 1

One outside address allowed access to an inside server via SSL.

Outside address being granted access: 12.12.12.12

Inside PUBLIC address of server hosting SSL: 11.11.11.11

Inside PRIVATE address of server hosting SSL: 10.10.10.1

static (inside,outside) 11.11.11.11 10.10.10.1 netmask 255.255.255.255

access-list outside-coming-in permit tcp host 12.12.12.12 host 11.11.11.11 eq 443

access-group outside-coming-in in interface outside

You need to have a static mapping for the inside server that will be accessed. If the server is in the DMZ:

static (dmz,outside) 11.11.11.11 10.10.10.1 netmask 255.255.255.255

access-list outside-coming-in permit tcp host 12.12.12.12 host 11.11.11.11 eq 443

access-group outside-coming-in in interface outside

Thanks. I gather from your reply that a one-to-many relationship is not possible. I have many ACLs as you've described for access to single inside hosts.

One to many? I'm not sure what you mean by that... you can grant multiple addresses access to one server:

access-list inbound permit tcp any host 12.12.12.12 eq 443

or

access-list inbound permit tcp 128.0.0.0 255.0.0.0 host 12.12.12.12 eq 443

or

access-list inbound permit tcp any any eq 443

or

access-list inbound permit tcp host 204.11.2.1 any eq 443
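Added example, not posted by anyone in this thread: the complete configuration for the one-outside-host-to-any-inside-host case the original question asks about, first in the PIX / ASA pre-8.3 syntax the replies use (where the outside ACL matches the translated public address, so every reachable server needs a static), then in the ASA 8.3+ object-NAT syntax (where the ACL matches the real address). The addresses reuse the thread's placeholders; the second server (11.11.11.12 / 10.10.10.2), the object names web1 and web2 and the ACL name are assumptions for the example.

```cisco
! ===== PIX 6.x / ASA 8.2 and earlier =====
! Every inside server that must be reachable from outside needs a static
! translation; the outside ACL is matched against the mapped (public) address.
static (inside,outside) 11.11.11.11 10.10.10.1 netmask 255.255.255.255
static (inside,outside) 11.11.11.12 10.10.10.2 netmask 255.255.255.255
!
! One ACE covers every statically mapped server: "host" is required in front
! of a single address, "any" is a valid destination, and the implicit deny at
! the end of the list still blocks everything else from 12.12.12.12.
access-list outside-coming-in permit tcp host 12.12.12.12 any eq 443
!
! Apply the list inbound on the interface the traffic ARRIVES on (outside),
! regardless of whether the servers sit on inside or dmz.
access-group outside-coming-in in interface outside

! ===== ASA 8.3 and later =====
! NAT is object-based and the ACL references the real (pre-NAT) address, but
! the same one-to-many ACE works unchanged because "any" matches either.
object network web1
 host 10.10.10.1
 nat (inside,outside) static 11.11.11.11
object network web2
 host 10.10.10.2
 nat (inside,outside) static 11.11.11.12
access-list outside-coming-in extended permit tcp host 12.12.12.12 any eq 443
access-group outside-coming-in in interface outside

! Verification: hit counts should increment on the single ACE as 12.12.12.12
! connects to either server on 443, and packet-tracer shows the NAT + ACL
! decision for a given flow.
show access-list outside-coming-in
packet-tracer input outside tcp 12.12.12.12 40000 11.11.11.11 443
```

Two practical caveats: `permit tcp host 12.12.12.12 any eq 443` exposes port 443 on every statically mapped (or, on 8.3+, every routable) inside host to that one address, so it is only as safe as the trust placed in 12.12.12.12; and `permit tcp any any eq 443` from the reply above opens 443 on all of them to the entire Internet, which is rarely what is intended.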