10-24-2007 09:57 AM - edited 03-11-2019 04:30 AM
I posted this on the 501 help but I am not 15 posts in and still no help so I am re-posting.
I have several devices that I am using from my pix. However, I can't seem to prevent HTTP access to a specific public IP address. This is what I have.
name P.P.P.P Outside ** Public IP Address
object-group network Tac
network-object host X.X.X.X
network-object host X.X.X.X
network-object host X.X.X.X
access-list outside_in permit tcp object-group Tac host Outside eq www
access-list outside_in permit tcp object-group Tac host Outside eq https
access-list outside_in permit tcp object-group Tac host Outside eq telnet
access-list outside_in permit tcp object-group Tac host Outside eq ssh
static (inside,outside) Outside Inside netmask 255.255.255.255 0 0
** I do not want HTTP Access to this Public Device.
Thanks
Gabrielle
10-24-2007 10:00 AM
So what you are saying is you can access P.P.P.P/http from ip addresses other than those defined in object-group Tac?
Also, how are you testing this? Are you coming from outside the pix or from the inside?
10-24-2007 12:03 PM
From the outside of the pix.
10-26-2007 02:17 AM
I assume the access-list outside_in is applied on the outside interface in the inward direction, and you have a server which is reachable from the internet on port 80.
If you do not want to permit port 80 access apart from Tac, add a deny entry towards this public IP from any source.
access-list outside_in extended deny tcp any host Outside eq 80
Hope this helps.
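Added example (not part of the original thread or any poster's reply): a small Python model of how outside_in is evaluated, top-down with the first matching entry winning and an implicit deny at the end, showing what the suggested deny entry changes depending on where it lands in the list. The addresses are constructed documentation values standing in for the masked X.X.X.X and P.P.P.P, and the function names are hypothetical.

```python
# Constructed stand-ins for the masked values in the thread.
TAC = {"198.51.100.10", "198.51.100.11", "198.51.100.12"}  # object-group Tac
OUTSIDE = "203.0.113.5"                                    # name "Outside"
PORTS = {"www": 80, "https": 443, "telnet": 23, "ssh": 22}


def build_acl(explicit_deny=None):
    """Model outside_in as ordered (action, sources, dst, port) entries.

    explicit_deny: None (ACL as posted), "last" (deny appended after the
    permits) or "first" (deny inserted ahead of them).
    """
    acl = [("permit", TAC, OUTSIDE, PORTS[p])
           for p in ("www", "https", "telnet", "ssh")]
    deny = ("deny", None, OUTSIDE, 80)  # sources None means "any"
    if explicit_deny == "last":
        acl.append(deny)
    elif explicit_deny == "first":
        acl.insert(0, deny)
    return acl


def evaluate(acl, src, dst, port):
    """Return (action, matched entry); first match wins, else implicit deny."""
    for n, (action, sources, acl_dst, acl_port) in enumerate(acl, 1):
        src_ok = sources is None or src in sources
        if src_ok and dst == acl_dst and port == acl_port:
            return action, f"line {n}"
    return "deny", "implicit"


if __name__ == "__main__":
    stranger = "192.0.2.77"  # constructed source that is not in Tac
    member = "198.51.100.10"
    for label, where in (("as posted", None),
                         ("deny appended", "last"),
                         ("deny first", "first")):
        acl = build_acl(where)
        print(f"{label:14} Tac->80: {evaluate(acl, member, OUTSIDE, 80)}  "
              f"other->80: {evaluate(acl, stranger, OUTSIDE, 80)}")
```

In this model a source outside Tac is refused on port 80 in all three cases; the explicit entry only changes which line does the refusing, and placing it ahead of the permits also cuts off Tac.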