
New Member

ACL Question

Hello,

I'm trying to do the following scenario.

I have a device inside our network that I only want to be able to talk to one specific public IP address outside our network. We do use NAT, so setting up a basic extended ACL is a little tricky for me. I was hoping someone could provide me with some direction. I want to allow any IP through between these two addresses only.

Thanks,


3 REPLIES
Hall of Fame Super Blue

If you NAT all your source IPs (including that host) to the same public IP address, it would be better to do it before the NAT happens, e.g.:

client = 192.168.5.10
outside public IP = 195.66.10.5

access-list 101 permit ip host 192.168.5.10 host 195.66.10.5
access-list 101 deny ip host 192.168.5.10 any
access-list 101 permit ip any any

int <int/num>   <-- this is the inside interface of your router
 ip access-group 101 in

Jon

New Member

Hi Jon,

I understand the config except for the 2nd line, "access-list 101 deny ip host 192.168.5.10 any". I need both addresses to be able to talk with each other; wouldn't this not allow communication back to the inside host?

Hall of Fame Super Blue (Accepted Solution)

The acl is applied inbound on the LAN interface so it does not affect traffic going out to the LAN, only traffic coming from the LAN.

So when the internal host sends traffic outbound to the external host the first line in the acl permits it.

When the external host sends traffic back to the internal host the acl is not checked because the traffic is going out of the LAN interface to the internal host.

Jon
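Jon's three ACL lines and the direction rule from his replies, as an added Python model (not code from the thread or from Cisco): it parses the `access-list` syntax he used, applies first-match evaluation with the implicit deny, and only consults the ACL for packets that enter on the interface it is bound to. The interface names passed to `router_forwards` are assumed labels, not part of the original post.

```python
import ipaddress

# Constructed model, not code from the thread: first-match evaluation of numbered
# extended IP ACL lines in the form Jon used (with the implicit deny), plus the
# rule that an ACL applied "in" on the LAN interface only sees packets from the LAN.

def _parse_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'; return (net_int, wildcard_int)."""
    kw = tokens.pop(0)
    if kw == "any":
        return 0, 0xFFFFFFFF
    if kw == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(kw)), int(ipaddress.IPv4Address(tokens.pop(0)))

def _matches(addr, net, wildcard):
    care = ~wildcard & 0xFFFFFFFF  # wildcard bits set to 1 are "don't care"
    return (int(ipaddress.IPv4Address(addr)) & care) == (net & care)

def parse_acl(config_text):
    """Return (acl_number, [(action, protocol, src, dst), ...]) in config order."""
    number, entries = None, []
    for line in config_text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 5 or tokens[0] != "access-list":
            continue  # skip blank lines and non-ACL config
        number, action, proto, rest = tokens[1], tokens[2], tokens[3], tokens[4:]
        src, dst = _parse_addr(rest), _parse_addr(rest)  # evaluated left to right
        entries.append((action, proto, src, dst))
    return number, entries

def acl_decision(entries, src_ip, dst_ip):
    """First matching entry wins; every Cisco ACL ends with an implicit 'deny ip any any'."""
    for action, _proto, (snet, swc), (dnet, dwc) in entries:  # 'ip' matches any protocol
        if _matches(src_ip, snet, swc) and _matches(dst_ip, dnet, dwc):
            return action
    return "deny"

def router_forwards(entries, ingress_if, acl_if, src_ip, dst_ip):
    """An inbound ACL is checked only for packets arriving on the interface it is bound to."""
    if ingress_if != acl_if:
        return True  # e.g. the external host's reply arriving from the WAN is never evaluated
    return acl_decision(entries, src_ip, dst_ip) == "permit"

# Jon's three ACL lines from the reply above, with his example addresses.
JON_ACL = """
access-list 101 permit ip host 192.168.5.10 host 195.66.10.5
access-list 101 deny ip host 192.168.5.10 any
access-list 101 permit ip any any
"""
```

Running `acl_decision` on the parsed entries shows the restricted host is permitted only to 195.66.10.5, other inside hosts still match the final `permit ip any any`, and `router_forwards` with a WAN ingress interface returns True without ever evaluating the list, which is why the second line does not block the reply traffic.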
