ACL config guidance

tcrane8080
Level 1

We are looking at having a 172.168.40.0 network on our LAN, BUT I want to tie it down to JUST accessing the internet!

So I'm looking for some ideas on what that ACL would look like.

I have an ASA 5510 as our firewall and I've attached a simple network diagram for reference.

Thanks


7 Replies

varrao
Level 10

Hi,

What you can do is restrict the access to port 80 and port 443 for this particular subnet on the inside interface, something like this:

access-list inside_access_out extended permit tcp 172.168.40.0 255.255.255.0 any eq 443

access-list inside_access_out extended permit tcp 172.168.40.0 255.255.255.0 any eq 80

access-list inside_access_out extended permit ip any any

access-group inside_access_out in interface inside

The last access-list is important to give all the other subnets complete access to the outside world.

Hope this helps you.

Thanks,

Varun

Thanks,
Varun Rao

Thanks for the reply...

Am I correct in thinking that once the ACL is applied, the 172 network would only be able to see WWW and not the rest of the network?

Gary

Yes, once you apply the access-list, they would only be able to access the internet for port 80 only and nothing else.

Thanks,

Varun

Thanks,
Varun Rao

One more caveat,

my boss reminded me that the 172.168. clients will need to have DHCP services.

So I SHOULD be able to add ports 67 and 68 to the ACL list?

right?

Yes you can add these services anytime on the ACL.

Varun

Thanks,
Varun Rao

Groovy! Thanks.

access-list inside_access_out extended permit tcp 172.168.40.0 255.255.255.0 any eq 443

access-list inside_access_out extended permit tcp 172.168.40.0 255.255.255.0 any eq 80

access-list inside_access_out extended permit ip any any

It would still allow access for anyone on 172.168.40.0 to the internet on any port. Anything hitting the inside interface inbound matching TCP ports 443 and 80 will be allowed, as well as anything else hitting that interface.
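The ordering problem raised in the last reply, as an added example that is not part of the thread: a small Python model of the ASA's first-match evaluation, run over the ACL as posted and over an ordering that denies 172.168.40.0/24 to the internal prefixes before anything is permitted. The internal prefixes 10.0.0.0/8 and 192.168.0.0/16 and the sample addresses are assumed, since the diagram is not on the page.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Ace:
    """One access-control entry, in the order the ASA evaluates them."""
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches any protocol, else "tcp"/"udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None      # None matches any destination port

ANY = ipaddress.ip_network("0.0.0.0/0")
GUEST = ipaddress.ip_network("172.168.40.0/24")
# Assumed internal prefixes; the thread's diagram is not on the page.
INTERNAL = [ipaddress.ip_network("10.0.0.0/8"),
            ipaddress.ip_network("192.168.0.0/16")]

def evaluate(acl: List[Ace], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> str:
    """First matching entry wins; an ACL with no match ends in an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"

# The ACL as posted in the thread: the final permit ip any any also matches
# guest traffic on every other port and to every internal host.
POSTED = [
    Ace("permit", "tcp", GUEST, ANY, 443),
    Ace("permit", "tcp", GUEST, ANY, 80),
    Ace("permit", "ip", ANY, ANY),
]

def corrected_acl() -> List[Ace]:
    """Deny the guest subnet to internal prefixes first, then allow only web,
    then drop the rest of its traffic before the catch-all for other subnets."""
    acl = [Ace("deny", "ip", GUEST, net) for net in INTERNAL]
    acl += [Ace("permit", "tcp", GUEST, ANY, 443),
            Ace("permit", "tcp", GUEST, ANY, 80),
            Ace("deny", "ip", GUEST, ANY),
            Ace("permit", "ip", ANY, ANY)]
    return acl
```

Anything else the guests legitimately need (DNS, or the DHCP ports raised later in the thread if the server sits beyond the ASA) goes as explicit permits ahead of the deny ip GUEST any line.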
