https://community.cisco.com/t5/network-security/is-this-a-valid-acl/m-p/946805#M917633 <HTML><HEAD></HEAD><BODY><P>Eric</P><P></P><P>If all the connections are originated from a 192.168.5.x address AND the device you are on is a stateful firewall you do not need to explicitily allow the return traffic back in with an acl.</P><P></P><P>Jon</P></BODY></HTML> Fri, 27 Jun 2008 15:37:23 GMT Jon Marshall 2008-06-27T15:37:23Z https://community.cisco.com/t5/network-security/is-this-a-valid-acl/m-p/946799#M917622 <P>Is this a valid ACL?</P><P>access-list OUTSIDE_access_in extended permit tcp host 160.83.89.0 255.255.255.0 any</P><P></P><P>If I want to allow this address incoming to any internal address?</P> Mon, 11 Mar 2019 13:05:44 GMT https://community.cisco.com/t5/network-security/is-this-a-valid-acl/m-p/946799#M917622 ericluoma 2019-03-11T13:05:44Z https://community.cisco.com/t5/network-security/is-this-a-valid-acl/m-p/946800#M917626 <HTML><HEAD></HEAD><BODY><P></P><P>I believe no need for keyword host as u permit the /24 subnet and make sure u apply that ACL inbound on the outside interface.</P><P></P><P>Regards,</P><P>Belal</P></BODY></HTML> Thu, 26 Jun 2008 16:50:42 GMT https://community.cisco.com/t5/network-security/is-this-a-valid-acl/m-p/946800#M917626 balsheikh 2008-06-26T16:50:42Z https://community.cisco.com/t5/network-security/is-this-a-valid-acl/m-p/946801#M917629 <HTML><HEAD></HEAD><BODY><P>Eric</P><P></P><P>When you say this address 160.83.89.0 do you mean the network in which case as previous poster said remove the "host" keyword.</P><P></P><P>If it is just a particular host then remove the 255.255.255.0 portion of your access-list. BUT 160.83.89.0 cannot be used as a host address, so it's not entirely clear what you are trying to do.</P><P></P><P>Jon</P></BODY></HTML> Thu, 26 Jun 2008 20:40:58 GMT https://community.cisco.com/t5/network-security/is-this-a-valid-acl/m-p/946801#M917629 Jon Marshall 2008-06-26T20:40:58Z https://community.cisco.com/t5/network-security/is-this-a-valid-acl/m-p/946802#M917630 <HTML><HEAD></HEAD><BODY><P>I am trying to let in any address from that 160.83.89.0 subnet into my outside interface. Is that possible to do or do I have to get exact IP's of individual PC's in that network range? When it is requested from any of my internal IP's.</P></BODY></HTML> Fri, 27 Jun 2008 11:39:09 GMT https://community.cisco.com/t5/network-security/is-this-a-valid-acl/m-p/946802#M917630 ericluoma 2008-06-27T11:39:09Z https://community.cisco.com/t5/network-security/is-this-a-valid-acl/m-p/946803#M917631 <HTML><HEAD></HEAD><BODY><P>No you can use the subnet address if you want. In that case just remove the "host" keyword from your acl.</P><P></P><P>It is a rather open rule though. You are saying any host on the 160.83.89.0/24 subnet can access any server on any tcp port. </P><P></P><P>Also you wrote </P><P></P><P>"When it is requested from any of my internal IP's."</P><P></P><P>If this is a stateful firewall you are on then if the connection originated from one of your internal IP's to a host on the 160.83.89.0/24 subnet you don't need the acl rule because the traffic will automatically be let back in.</P><P></P><P>However if the connection is initiated from the 160.83.89.0/24 network or this is not a stateful firewall you do need the acl.</P><P></P><P>Jon</P><P></P><P></P><P></P><P></P><P></P></BODY></HTML> Fri, 27 Jun 2008 15:27:01 GMT https://community.cisco.com/t5/network-security/is-this-a-valid-acl/m-p/946803#M917631 Jon Marshall 2008-06-27T15:27:01Z https://community.cisco.com/t5/network-security/is-this-a-valid-acl/m-p/946804#M917632 <HTML><HEAD></HEAD><BODY><P>My inside address is a 192.168.5.0 setup, so the traffic would be originating there.</P></BODY></HTML> Fri, 27 Jun 2008 15:30:17 GMT https://community.cisco.com/t5/network-security/is-this-a-valid-acl/m-p/946804#M917632 ericluoma 2008-06-27T15:30:17Z https://community.cisco.com/t5/network-security/is-this-a-valid-acl/m-p/946805#M917633 <HTML><HEAD></HEAD><BODY><P>Eric</P><P></P><P>If all the connections are originated from a 192.168.5.x address AND the device you are on is a stateful firewall you do not need to explicitily allow the return traffic back in with an acl.</P><P></P><P>Jon</P></BODY></HTML> Fri, 27 Jun 2008 15:37:23 GMT https://community.cisco.com/t5/network-security/is-this-a-valid-acl/m-p/946805#M917633 Jon Marshall 2008-06-27T15:37:23Z https://community.cisco.com/t5/network-security/is-this-a-valid-acl/m-p/946806#M917634 <HTML><HEAD></HEAD><BODY><P>Thanks.</P></BODY></HTML> Fri, 27 Jun 2008 15:39:20 GMT https://community.cisco.com/t5/network-security/is-this-a-valid-acl/m-p/946806#M917634 ericluoma 2008-06-27T15:39:20Z