https://community.cisco.com/t5/network-security/need-acl-help/m-p/898405#M973162 <HTML><HEAD></HEAD><BODY><P>So what you are saying is you can access P.P.P.P/http from ip addresses other than those defined in object-group Tac?</P><P></P><P>Also, how are you testing this? Are you coming from outside the pix or from the inside?</P></BODY></HTML> Wed, 24 Oct 2007 17:00:28 GMT acomiskey 2007-10-24T17:00:28Z https://community.cisco.com/t5/network-security/need-acl-help/m-p/898404#M973161 <P>I posted this on the 501 help but I am not 15 posts in and still no help so I am re-posting.</P><P></P><P>I have a several devices that I am using from my pix. However I can't seem to prevent HTTP access to a Spcific Public IP Address. This is what I have.</P><P></P><P></P><P>name P.P.P.P Outside ** Public IP Address </P><P></P><P>object-group network Tac </P><P>network-object host X.X.X.X </P><P>network-object host X.X.X.X </P><P>network-object host X.X.X.X </P><P></P><P>access-list outside_in permit tcp object-group Tac host Outside eq www </P><P></P><P>access-list outside_in permit tcp object-group Tac host Outside eq htt </P><P>ps </P><P>access-list outside_in permit tcp object-group Tac host Outside eq tel </P><P>net </P><P>access-list outside_in permit tcp object-group Tac host Outside eq ssh </P><P></P><P>static (inside,outside) Outside Inside netmask 255.255.255.255 0 0 </P><P></P><P>** I do not want HTTP Access to this Public Device.</P><P></P><P>Thanks</P><P>Gabrielle</P><P></P> Mon, 11 Mar 2019 11:30:02 GMT https://community.cisco.com/t5/network-security/need-acl-help/m-p/898404#M973161 cozyk1515 2019-03-11T11:30:02Z https://community.cisco.com/t5/network-security/need-acl-help/m-p/898405#M973162 <HTML><HEAD></HEAD><BODY><P>So what you are saying is you can access P.P.P.P/http from ip addresses other than those defined in object-group Tac?</P><P></P><P>Also, how are you testing this? Are you coming from outside the pix or from the inside?</P></BODY></HTML> Wed, 24 Oct 2007 17:00:28 GMT https://community.cisco.com/t5/network-security/need-acl-help/m-p/898405#M973162 acomiskey 2007-10-24T17:00:28Z https://community.cisco.com/t5/network-security/need-acl-help/m-p/898406#M973163 <HTML><HEAD></HEAD><BODY><P>From the outside of the pix. </P></BODY></HTML> Wed, 24 Oct 2007 19:03:05 GMT https://community.cisco.com/t5/network-security/need-acl-help/m-p/898406#M973163 cozyk1515 2007-10-24T19:03:05Z https://community.cisco.com/t5/network-security/need-acl-help/m-p/898407#M973164 <HTML><HEAD></HEAD><BODY><P>i assume the access-list outside_in is applied on the outside interface on inwards direction. And you have a server which is reachable from internet on port 80.</P><P></P><P>If you do not want to permit port 80 access apart from Tac add a deny entry towards this public IP from any source.</P><P></P><P>access-list outside_in extended deny tcp any host Outside eq 80</P><P></P><P>Hope this helps.</P></BODY></HTML> Fri, 26 Oct 2007 09:17:02 GMT https://community.cisco.com/t5/network-security/need-acl-help/m-p/898407#M973164 jaravinthan 2007-10-26T09:17:02Z