https://community.cisco.com/t5/network-security/inside-to-outside-access/m-p/2357592#M308943 <HTML><HEAD></HEAD><BODY><P> Julio</P><P>Did you see this question I also asked?</P><P></P><P>One other thing I want to do is to deny the inside network 192.168.223.0 to access any other addr except the vendor addr of&nbsp; 208.40.10.149. What is the proper acl to do that?</P></BODY></HTML> Fri, 15 Nov 2013 14:31:42 GMT john.wright 2013-11-15T14:31:42Z https://community.cisco.com/t5/network-security/inside-to-outside-access/m-p/2357584#M308931 <P>We have a site that requires access to a single outside address.&nbsp;&nbsp; </P><P>No access is required outside to inside.</P><P>This inside does require certain ports to accessed whcih are listed configed in the attached config.&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P>We are unable to access the vendor at the 94.94.94.3 on any port.</P><P>Do we need to code an acl to allow the ports to be accessed both ways as shown in this object-group service rfguns_tcp tcp?</P><P>All of the devices are on the 192.168.223.0 network</P><P>If an acl is needed what would it be?</P><P>Any help appreciated.</P><P>Thanks</P> Tue, 12 Mar 2019 03:05:08 GMT https://community.cisco.com/t5/network-security/inside-to-outside-access/m-p/2357584#M308931 john.wright 2019-03-12T03:05:08Z https://community.cisco.com/t5/network-security/inside-to-outside-access/m-p/2357585#M308934 <HTML><HEAD></HEAD><BODY><P> woops, sent wrong attachment. this is the actual config. the vendor IP is not the 94.94.94.3. it as as reflected in the config.</P></BODY></HTML> Thu, 14 Nov 2013 20:09:33 GMT https://community.cisco.com/t5/network-security/inside-to-outside-access/m-p/2357585#M308934 john.wright 2013-11-14T20:09:33Z https://community.cisco.com/t5/network-security/inside-to-outside-access/m-p/2357586#M308935 <HTML><HEAD></HEAD><BODY><P>Please point out what is the source interface and what is the IP address that you are testing from so I can give you an example packet-tracer and simulate traffic. <SPAN __jive_emoticon_name="laugh" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/tiny_mce3/plugins/jiveemoticons/images/spacer.gif"></SPAN></P></BODY></HTML> Thu, 14 Nov 2013 21:03:13 GMT https://community.cisco.com/t5/network-security/inside-to-outside-access/m-p/2357586#M308935 jumora 2013-11-14T21:03:13Z https://community.cisco.com/t5/network-security/inside-to-outside-access/m-p/2357587#M308938 <HTML><HEAD></HEAD><BODY><P>So the vendor IP is&nbsp; 208.40.10.149????? RIght?</P><P></P><P>If that is the case.then you are allowing this traffic to it:</P><P></P><P>object-group service rfguns_tcp tcp </P><P> description allow mprodigy access to rf guns </P><P> port-object eq 9001 </P><P> port-object eq 9004 </P><P> port-object eq 9008 </P><P> port-object eq 9009 </P><P> port-object eq www </P><P> port-object eq https </P><P>object-group service rfguns_udp udp </P><P> description allowmprodigy access ti rf guns </P><P> port-object eq 9002</P><P></P><P></P><P></P><P>Add the following:</P><P><STRONG>no route inside 0.0.0.0 255.255.255.0 192.168.223.254 </STRONG></P><P></P><P>On which port are you connecting, from which IP address. </P><P></P><P>Rate all of the helpful posts!!! <BR /> <BR />Regards, <BR /> <BR />Jcarvaja <BR /> <BR /><SPAN>Follow me on </SPAN><A class="jive-link-external-small" href="http://laguiadelnetworking.com">http://laguiadelnetworking.com</A></P></BODY></HTML> Thu, 14 Nov 2013 22:33:33 GMT https://community.cisco.com/t5/network-security/inside-to-outside-access/m-p/2357587#M308938 Julio Carvajal 2013-11-14T22:33:33Z https://community.cisco.com/t5/network-security/inside-to-outside-access/m-p/2357588#M308939 <HTML><HEAD></HEAD><BODY><P>Thank you much for responding. </P><P>Yes the vendor is 208.40.10.149.</P><P>All the inside addr range 192.168.223.0 needs to be able to access on the tcp ports listed in </P><P>object-group service rfguns_tcp tcp </P><P>and the one udp port in the config. rfguns_udp udp</P></BODY></HTML> Fri, 15 Nov 2013 12:08:04 GMT https://community.cisco.com/t5/network-security/inside-to-outside-access/m-p/2357588#M308939 john.wright 2013-11-15T12:08:04Z https://community.cisco.com/t5/network-security/inside-to-outside-access/m-p/2357589#M308940 <HTML><HEAD></HEAD><BODY><P> Jumora</P><P>The inside is 192.168.223.0, the outside addr is 12.163.226.3 and the vendor addr we are trying to access on all the ports is 208.40.10.149.</P></BODY></HTML> Fri, 15 Nov 2013 12:11:14 GMT https://community.cisco.com/t5/network-security/inside-to-outside-access/m-p/2357589#M308940 john.wright 2013-11-15T12:11:14Z https://community.cisco.com/t5/network-security/inside-to-outside-access/m-p/2357590#M308941 <HTML><HEAD></HEAD><BODY><P> Julio</P><P>One other thing I want to do is to deny the inside network 192.168.223.0 to access any other addr except the vendor addr of&nbsp; 208.40.10.149. What is the proper acl to do that?</P><P></P><P>FYI</P><P>Removing the route is what made this work and making sure the gateway which is the inside addr of the FW was present in the IP config.</P><P>I will rate it.</P><P>Thanks</P></BODY></HTML> Fri, 15 Nov 2013 13:22:57 GMT https://community.cisco.com/t5/network-security/inside-to-outside-access/m-p/2357590#M308941 john.wright 2013-11-15T13:22:57Z https://community.cisco.com/t5/network-security/inside-to-outside-access/m-p/2357591#M308942 <HTML><HEAD></HEAD><BODY><P>That's it <SPAN __jive_emoticon_name="grin" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/grin.gif"></SPAN></P><P></P><P>Glad to know I could help</P><P></P><P>Rate all of the helpful posts!!! <BR /> <BR />Regards, <BR /> <BR />Jcarvaja <BR /> <BR /><SPAN>Follow me on </SPAN><A class="jive-link-external-small" href="http://laguiadelnetworking.com">http://laguiadelnetworking.com</A></P></BODY></HTML> Fri, 15 Nov 2013 13:39:55 GMT https://community.cisco.com/t5/network-security/inside-to-outside-access/m-p/2357591#M308942 Julio Carvajal 2013-11-15T13:39:55Z https://community.cisco.com/t5/network-security/inside-to-outside-access/m-p/2357592#M308943 <HTML><HEAD></HEAD><BODY><P> Julio</P><P>Did you see this question I also asked?</P><P></P><P>One other thing I want to do is to deny the inside network 192.168.223.0 to access any other addr except the vendor addr of&nbsp; 208.40.10.149. What is the proper acl to do that?</P></BODY></HTML> Fri, 15 Nov 2013 14:31:42 GMT https://community.cisco.com/t5/network-security/inside-to-outside-access/m-p/2357592#M308943 john.wright 2013-11-15T14:31:42Z https://community.cisco.com/t5/network-security/inside-to-outside-access/m-p/2357593#M308944 <HTML><HEAD></HEAD><BODY><P>You are already doing it <SPAN __jive_emoticon_name="grin" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/grin.gif"></SPAN></P><P></P><P>WIth the configuration you have you are allowing traffic to only that IP address.</P><P></P><P></P><P>Rate all of the helpful posts!!! <BR /> <BR />Regards, <BR /> <BR />Jcarvaja <BR /> <BR /><SPAN>Follow me on </SPAN><A class="jive-link-external-small" href="http://laguiadelnetworking.com">http://laguiadelnetworking.com</A></P></BODY></HTML> Fri, 15 Nov 2013 14:41:50 GMT https://community.cisco.com/t5/network-security/inside-to-outside-access/m-p/2357593#M308944 Julio Carvajal 2013-11-15T14:41:50Z