https://community.cisco.com/t5/network-security/access-list/m-p/878955#M957702 <HTML><HEAD></HEAD><BODY><P>to make sure I understand correctly, you want an inside host, 10.1.1.10 (example) to access the public IP address?</P><P>Is this correct?</P><P></P><P>What host to what address on what ports?</P><P>This is how the ACL will read.</P><P>As stated by jon you will see this in the xlate table and the traffic going outbound will use the global IP. If you have a static NAT set-up for the public IP and have an access list set-up for access to that private IP via the NAT, wow that sounded confusing, then you will need to make sure that it is not specific and allows any to access the site.</P><P></P><P>now clear as mud right?</P></BODY></HTML> Fri, 04 Jan 2008 16:57:31 GMT Rick Morris 2008-01-04T16:57:31Z https://community.cisco.com/t5/network-security/access-list/m-p/878948#M957691 <P>I would like to allow an inside IP that is not in the permit acl's to access the following website IP addresses</P><P>xxx.xxx.xx.170</P><P>xxx.xxx.xx.150</P><P></P><P>Another engineer added the two access list at the end but I don't think they are much help. If anyone can assist me with this I would deeply appreciate it.</P><P></P><P></P><P></P><P></P><P></P><P></P><P>access-list outgoing extended permit ip host 192.168.1.210 any</P><P>access-list outgoing extended permit ip host 192.168.1.211 any</P><P>access-list outgoing extended permit ip host 192.168.1.212 any</P><P>access-list outgoing extended permit ip host 192.168.1.213 any</P><P>access-list outgoing extended permit ip host 192.168.1.214 any</P><P>access-list outgoing extended permit ip host 192.168.1.215 any</P><P>access-list outgoing extended permit ip host 192.168.1.216 any</P><P>access-list outgoing extended permit ip host 192.168.1.217 any</P><P>access-list outgoing extended permit ip host 192.168.1.218 any</P><P>access-list outgoing extended permit ip host 192.168.1.219 any</P><P>access-list outgoing extended permit ip host 192.168.1.220 any</P><P>access-list outgoing extended permit ip host 192.168.1.12 any</P><P></P><P></P><P></P><P>access-list outgoing extended permit ip any host xxx.xxx.xx.170</P><P>access-list outgoing extended permit ip any host xxx.xxx.xxx.150</P> Wed, 13 Mar 2019 00:56:43 GMT https://community.cisco.com/t5/network-security/access-list/m-p/878948#M957691 rmwhite59 2019-03-13T00:56:43Z https://community.cisco.com/t5/network-security/access-list/m-p/878949#M957692 <HTML><HEAD></HEAD><BODY><P>Hi </P><P></P><P>Well it's a bit open if you only want http to be allowed out ie.</P><P></P><P>access-list outgoing extended permit tcp host "inside ip" host xxx.xxx.xx.170 eq www</P><P>access-list outgoing extended permit tcp host "inside ip" host xxx.xxx.xxx.150 eq www</P><P></P><P>However this is not your main problem. Are you Natting your internal IP addresses to a publically routable address ? </P><P></P><P>Jon</P></BODY></HTML> Thu, 03 Jan 2008 22:59:33 GMT https://community.cisco.com/t5/network-security/access-list/m-p/878949#M957692 Jon Marshall 2008-01-03T22:59:33Z https://community.cisco.com/t5/network-security/access-list/m-p/878950#M957694 <HTML><HEAD></HEAD><BODY><P>Yes</P><P></P><P>nat (inside) 1 192.168.1.0 255.255.255.0</P><P>nat (inside) 1 0.0.0.0 0.0.0.0</P></BODY></HTML> Thu, 03 Jan 2008 23:11:25 GMT https://community.cisco.com/t5/network-security/access-list/m-p/878950#M957694 rmwhite59 2008-01-03T23:11:25Z https://community.cisco.com/t5/network-security/access-list/m-p/878951#M957695 <HTML><HEAD></HEAD><BODY><P>Can you post the correspondin global statements. </P><P></P><P>In fact it would help if you could post the full config minus any sensitive information.</P><P></P><P>Jon</P></BODY></HTML> Thu, 03 Jan 2008 23:17:07 GMT https://community.cisco.com/t5/network-security/access-list/m-p/878951#M957695 Jon Marshall 2008-01-03T23:17:07Z https://community.cisco.com/t5/network-security/access-list/m-p/878952#M957697 <HTML><HEAD></HEAD><BODY><P>I have attached the config</P><P></P><P> </P><P></P></BODY></HTML> Thu, 03 Jan 2008 23:29:42 GMT https://community.cisco.com/t5/network-security/access-list/m-p/878952#M957697 rmwhite59 2008-01-03T23:29:42Z https://community.cisco.com/t5/network-security/access-list/m-p/878953#M957699 <HTML><HEAD></HEAD><BODY><P>Config looks okay, what is the source IP address you are trying to go from. </P><P></P><P>When you try to connect to that address what do you see in the xlate table - "sh xlate"</P><P></P><P>Jon</P></BODY></HTML> Thu, 03 Jan 2008 23:35:23 GMT https://community.cisco.com/t5/network-security/access-list/m-p/878953#M957699 Jon Marshall 2008-01-03T23:35:23Z https://community.cisco.com/t5/network-security/access-list/m-p/878954#M957701 <HTML><HEAD></HEAD><BODY><P>192.168.1.107</P></BODY></HTML> Fri, 04 Jan 2008 00:40:25 GMT https://community.cisco.com/t5/network-security/access-list/m-p/878954#M957701 rmwhite59 2008-01-04T00:40:25Z https://community.cisco.com/t5/network-security/access-list/m-p/878955#M957702 <HTML><HEAD></HEAD><BODY><P>to make sure I understand correctly, you want an inside host, 10.1.1.10 (example) to access the public IP address?</P><P>Is this correct?</P><P></P><P>What host to what address on what ports?</P><P>This is how the ACL will read.</P><P>As stated by jon you will see this in the xlate table and the traffic going outbound will use the global IP. If you have a static NAT set-up for the public IP and have an access list set-up for access to that private IP via the NAT, wow that sounded confusing, then you will need to make sure that it is not specific and allows any to access the site.</P><P></P><P>now clear as mud right?</P></BODY></HTML> Fri, 04 Jan 2008 16:57:31 GMT https://community.cisco.com/t5/network-security/access-list/m-p/878955#M957702 Rick Morris 2008-01-04T16:57:31Z