https://community.cisco.com/t5/network-security/acl/m-p/1245599#M818270 <HTML><HEAD></HEAD><BODY><P>Thx for ur help buddy......</P></BODY></HTML> Thu, 10 Sep 2009 09:40:52 GMT gandhi.ganesh 2009-09-10T09:40:52Z https://community.cisco.com/t5/network-security/acl/m-p/1245595#M818156 <P>Three questions:</P><P>1. I need to allow internet for inside users say(ports 80,443)which interface i need to apply the acl &amp; has what?</P><P>2. I need to access the FTP server in internet from one particular system in inside say(system ip 192.168.100.25 &amp; ftp 216.87.172.x)what will be the acl &amp; which interface we need to apply.</P><P>3. let say i have natted one inside system with public IP i have to access this system thru rdp(port 3389) from internet. what is the acl &amp; where we need to apply?</P> Mon, 11 Mar 2019 16:14:10 GMT https://community.cisco.com/t5/network-security/acl/m-p/1245595#M818156 gandhi.ganesh 2019-03-11T16:14:10Z https://community.cisco.com/t5/network-security/acl/m-p/1245596#M818199 <HTML><HEAD></HEAD><BODY><P>Gandhi,</P><P></P><P>To answer your questions:-</P><P></P><P>1) No acl is requried - all traffic is allowed from the inside to the outside by default</P><P></P><P>2) See 1</P><P></P><P>3) Your acl would read something like:-</P><P></P><P>access-list outside-in permit tcp any host &lt;<STATIC outside="" ip="">&gt; eq 3389</STATIC></P><P>access-group outside-in in interface outside</P><P></P><P>HTH&gt;</P></BODY></HTML> Thu, 10 Sep 2009 08:26:21 GMT https://community.cisco.com/t5/network-security/acl/m-p/1245596#M818199 andrew.prince 2009-09-10T08:26:21Z https://community.cisco.com/t5/network-security/acl/m-p/1245597#M818231 <HTML><HEAD></HEAD><BODY><P>Hi Andrew,</P><P>my second question was :</P><P>As a security policy we will not allow ftp access to any users to outside only </P><P>ondemand we will provide the access.</P><P>ex: inside subnet(192.168.100.0/24) </P><P>user who needs the access(192.168.100.50)</P><P>third party FTP server(216.87.X.X)</P><P></P><P>how is the ACL should look?</P></BODY></HTML> Thu, 10 Sep 2009 09:21:29 GMT https://community.cisco.com/t5/network-security/acl/m-p/1245597#M818231 gandhi.ganesh 2009-09-10T09:21:29Z https://community.cisco.com/t5/network-security/acl/m-p/1245598#M818254 <HTML><HEAD></HEAD><BODY><P>based on your original post, and the last posting my acl would look something like:-</P><P></P><P>access-list inside-out permit tcp 192.168.100.0 255.255.255.0 any eq 80 - inside out HTTP</P><P>access-list inside-out permit tcp 192.168.100.0 255.255.255.0 any eq 443 - inside out HTTPS</P><P>access-list inside-out permit tcp host 192.168.100.25 host 216.82.172.x eq 21 - specific inside host to external FTP server</P><P>access-list inside-out permit udp any any eq 53 - inside DNS</P><P>access-list inside-out permit icmp any any - for troubleshooting IP connectivity</P><P>access-list inside-out deny ip any any log - log all deny access from inside out.</P><P></P><P>access-group inside-out in interface inside</P><P></P><P>I would re-write my original outside acl to</P><P></P><P>access-list outside-in extended permit icmp any any echo-reply</P><P>access-list outside-in extended permit icmp any any unreachable</P><P>access-list outside-inextended permit icmp any any traceroute</P><P>access-list outside-in extended permit icmp any any time-exceeded</P><P>access-list outside-in permit tcp any host &lt;<STATIC outside="" ip="">&gt; eq 3389</STATIC></P><P>access-group outside-in in interface outside </P><P></P><P>HTH&gt;</P></BODY></HTML> Thu, 10 Sep 2009 09:32:47 GMT https://community.cisco.com/t5/network-security/acl/m-p/1245598#M818254 andrew.prince 2009-09-10T09:32:47Z https://community.cisco.com/t5/network-security/acl/m-p/1245599#M818270 <HTML><HEAD></HEAD><BODY><P>Thx for ur help buddy......</P></BODY></HTML> Thu, 10 Sep 2009 09:40:52 GMT https://community.cisco.com/t5/network-security/acl/m-p/1245599#M818270 gandhi.ganesh 2009-09-10T09:40:52Z https://community.cisco.com/t5/network-security/acl/m-p/1245600#M818279 <HTML><HEAD></HEAD><BODY><P>sure - np glad to help</P></BODY></HTML> Thu, 10 Sep 2009 09:58:25 GMT https://community.cisco.com/t5/network-security/acl/m-p/1245600#M818279 andrew.prince 2009-09-10T09:58:25Z