ACL Question

dcanady55
Level 1

Hello,


I'm trying to do the following scenario.

I have a device inside our network that I only want to be able to talk to one specific public IP address outside our network. We do use NAT, so setting up a basic extended ACL is a little tricky for me. I was hoping someone could provide me with some direction. I want to allow any IP traffic through between these two addresses only.


Thanks,

1 Accepted Solution

The acl is applied inbound on the LAN interface so it does not affect traffic going out to the LAN, only traffic coming from the LAN.

So when the internal host sends traffic outbound to the external host the first line in the acl permits it.

When the external host sends traffic back to the internal host the acl is not checked because the traffic is going out of the LAN interface to the internal host.

Jon


3 Replies

Jon Marshall
Hall of Fame

If you NAT all your source IPs (including that host) to the same public IP address, it would be better to do it before the NAT happens, e.g.:

client = 192.168.5.10
outside public IP = 195.66.10.5

! permit the client to the one allowed public host
access-list 101 permit ip host 192.168.5.10 host 195.66.10.5
! block the client from everywhere else
access-list 101 deny ip host 192.168.5.10 any
! leave every other inside host unrestricted
access-list 101 permit ip any any

! this is the inside (LAN) interface of your router
int <int/num>
 ip access-group 101 in

Jon
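The following is an added example to illustrate Jon's answer; it is not code from Jon's post or from Cisco. It models access-list 101 exactly as posted, with first-match evaluation and the implicit deny at the end, and a toy router that applies it inbound on the LAN interface only, before inside source NAT. The inside-global (post-NAT) address 203.0.113.1, the NAT translation table and the second "post-NAT" access list are assumptions for the demonstration; the thread never states them. Running it shows why the ACL has to match the client's real address (an ACL written against the post-NAT address never matches on the LAN interface and the restriction silently does nothing) and why the return traffic from 195.66.10.5 is never checked by this ACL.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AclEntry:
    action: str                      # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def host(addr: str) -> ipaddress.IPv4Network:
    """IOS 'host a.b.c.d' is a /32."""
    return ipaddress.ip_network(addr + "/32")


ANY = ipaddress.ip_network("0.0.0.0/0")        # IOS 'any'

# access-list 101 as posted in the thread, in the order the lines were entered.
ACL_101: List[AclEntry] = [
    AclEntry("permit", host("192.168.5.10"), host("195.66.10.5")),
    AclEntry("deny",   host("192.168.5.10"), ANY),
    AclEntry("permit", ANY, ANY),
]

# Assumed inside-global (post-NAT) address; the thread never states it.
NAT_PUBLIC = "203.0.113.1"

# Assumed "wrong" variant: the same intent written against the post-NAT
# address instead of the client's real address.
ACL_POST_NAT: List[AclEntry] = [
    AclEntry("permit", host(NAT_PUBLIC), host("195.66.10.5")),
    AclEntry("deny",   host(NAT_PUBLIC), ANY),
    AclEntry("permit", ANY, ANY),
]


def evaluate(acl: List[AclEntry], src: str, dst: str) -> Tuple[str, Optional[int]]:
    """First-match evaluation plus the implicit 'deny ip any any' IOS appends to
    every access list. Returns (action, matching line number or None)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, entry in enumerate(acl, start=1):
        if s in entry.src and d in entry.dst:
            return entry.action, n
    return "deny", None


class Router:
    """Toy forwarding model of the posted config: the ACL is applied with
    'ip access-group ... in' on the LAN interface only, inside source NAT
    translates the LAN to NAT_PUBLIC, and nothing is applied on the WAN side."""

    def __init__(self, lan_acl_in: List[AclEntry]) -> None:
        self.lan_acl_in = lan_acl_in
        # (outside host, inside-global address) -> inside-local address,
        # populated by traffic the router forwards out to the WAN (assumed model).
        self.xlate: Dict[Tuple[str, str], str] = {}

    def packet(self, ingress: str, src: str, dst: str):
        """Returns (verdict, src as seen on egress, dst as seen on egress, ACL line)."""
        if ingress == "lan":
            # IOS order of operations: an inbound ACL is checked before
            # inside-to-outside NAT, so it matches the private source address.
            verdict, line = evaluate(self.lan_acl_in, src, dst)
            if verdict == "deny":
                return ("dropped", src, dst, line)
            self.xlate[(dst, NAT_PUBLIC)] = src
            return ("forwarded", NAT_PUBLIC, dst, line)
        # ingress == "wan": the posted config puts no ACL here, so the return
        # packet is only un-translated. The ACL on the LAN interface is never
        # consulted for traffic going out of that interface to the host.
        inside = self.xlate.get((src, dst))
        if inside is None:
            # No translation for this flow. What a real box does here depends
            # on the NAT type; this toy model simply drops it.
            return ("dropped", src, dst, None)
        return ("forwarded", src, inside, None)


if __name__ == "__main__":
    r = Router(ACL_101)
    print(r.packet("lan", "192.168.5.10", "195.66.10.5"))   # permitted by line 1, then NATted
    print(r.packet("wan", "195.66.10.5", NAT_PUBLIC))       # reply: no ACL checked, un-NATted
    print(r.packet("lan", "192.168.5.10", "198.51.100.7"))  # denied by line 2
    print(r.packet("lan", "192.168.5.20", "198.51.100.7"))  # other host: permitted by line 3
    print(Router(ACL_POST_NAT).packet("lan", "192.168.5.10", "198.51.100.7"))  # restriction ineffective
```

Two things the model makes visible that a practitioner should keep in mind: the ACL is stateless and directional, so it only decides what the client may start, and it never sees what the outside host (or anything else that can reach the NAT address) sends toward the client; if that direction also needs controlling, it has to be done on the WAN-side interface, not with this list.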

Hi Jon,

I understand the config except for the 2nd line, "access-list 101 deny ip host 192.168.5.10 any". I need both addresses to be able to talk with each other; wouldn't this not allow communication back to the inside host?

