PIX statics & ACLs

brymiller
Level 1

Which comes first on an inbound access filter (access-group IN in interface outside): static or ACL?

For example...

Let's say I want to redirect any outside hosts trying to reach 10.7.7.21 in DMZ7 to use 192.1.24.21...

static(DMZ7,outside) 192.1.24.21 10.7.7.21 netmask 255.255.255.255

Now I want to only allow outside users on 205.15.25.0/24 to use HTTP on the redirected host DMZ7's 10.7.7.21.

Since 10.7.7.21 has been translated to 192.1.24.21 do I use...

access-list IN permit tcp 205.15.25.0 0.0.0.255 host 10.7.7.21 eq www

OR

access-list IN permit tcp 205.15.25.0 0.0.0.255 host 192.1.24.21 eq www

TIA

Accepted Solutions

rsmith
Level 3

Since this access-list is bound to the outside interface, you need the IP address that will correspond to the outside interface. Therefore, your second access-list line should be correct.

access-list IN permit tcp 205.15.25.0 0.0.0.255 host 192.1.24.21 eq www
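The ordering described in the answer above, as an added example that is not part of the original posts: a simplified Python model in which the ACL bound to the outside interface is checked against the packet as it arrives (destination still the mapped address), and only then does the static translate it to the DMZ7 host. The function names and the client addresses are constructed for illustration, and the source network is written as the /24 the question describes.

```python
from ipaddress import ip_address, ip_network

# static (DMZ7,outside) 192.1.24.21 10.7.7.21: mapped (outside) -> real (DMZ7)
STATICS = {ip_address("192.1.24.21"): ip_address("10.7.7.21")}

def rule(dst_host):
    """One ACL entry: permit tcp 205.15.25.0/24 -> dst_host eq www (hypothetical helper)."""
    return [("permit", ip_network("205.15.25.0/24"), ip_address(dst_host), 80)]

ACL_REAL = rule("10.7.7.21")      # first candidate line from the question
ACL_MAPPED = rule("192.1.24.21")  # second candidate line, the accepted answer

def acl_permits(acl, src, dst, port):
    """First-match evaluation; anything unmatched hits the implicit deny."""
    for action, src_net, dst_host, dport in acl:
        if src in src_net and dst == dst_host and port == dport:
            return action == "permit"
    return False

def inbound(acl, src, dst, port):
    """Return the real address the packet is forwarded to, or None if dropped."""
    src, dst = ip_address(src), ip_address(dst)
    # Step 1: the outside ACL sees the destination exactly as outside hosts
    # address it, i.e. the mapped address 192.1.24.21.
    if not acl_permits(acl, src, dst, port):
        return None
    # Step 2: only a permitted packet is un-translated by the static.
    real = STATICS.get(dst)
    return str(real) if real else None

if __name__ == "__main__":
    # Constructed test traffic: (source, destination, TCP port)
    packets = [
        ("205.15.25.10", "192.1.24.21", 80),   # allowed network, HTTP
        ("205.15.25.10", "192.1.24.21", 443),  # allowed network, wrong port
        ("198.51.100.7", "192.1.24.21", 80),   # other network
    ]
    for name, acl in (("ACL on 10.7.7.21", ACL_REAL), ("ACL on 192.1.24.21", ACL_MAPPED)):
        for pkt in packets:
            print(f"{name}: {pkt} -> {inbound(acl, *pkt) or 'dropped'}")
```

With the ACL written against 10.7.7.21 every packet is dropped, because no outside packet ever carries that destination. This models the PIX behaviour discussed here; ASA software 8.3 and later changed interface ACLs to reference the real address instead.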
