10-12
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide
OL-6392-01
Chapter 10 Controlling Network Access with Access Control Lists
Access Control List Overview
Then, if you want to allow only certain hosts on the inside networks to access a web server on the outside
network, you can create a more restrictive ACL that allows only the specified hosts and apply it to the
outbound direction of the outside interface (see Figure 10-4). See the “IP Addresses Used for Access
Control Lists When You Use NAT” section on page 10-7 for information about NAT and IP addresses.
The outbound ACL prevents any other hosts from reaching the outside network.
Figure 10-5 Outbound ACL
See the following commands for this example:
FWSM/contexta(config)# access-list INSIDE extended permit ip any any
FWSM/contexta(config)# access-group INSIDE in interface inside
FWSM/contexta(config)# access-list HR extended permit ip any any
FWSM/contexta(config)# access-group HR in interface hr
FWSM/contexta(config)# access-list ENG extended permit ip any any
FWSM/contexta(config)# access-group ENG in interface eng
FWSM/contexta(config)# access-list OUTSIDE extended permit tcp host 209.165.201.4
host 209.165.200.225 eq www
FWSM/contexta(config)# access-list OUTSIDE extended permit tcp host 209.165.201.6
host 209.165.200.225 eq www
FWSM/contexta(config)# access-list OUTSIDE extended permit tcp host 209.165.201.8
host 209.165.200.225 eq www
FWSM/contexta(config)# access-group OUTSIDE out interface outside
Web Server:
209.165.200.225
Inside
HR
Eng
Outside
FWSM
Static NAT
209.165.201.410.1.1.14
Static NAT
209.165.201.610.1.2.67
Static NAT
209.165.201.810.1.3.34
ACL Outbound
Permit HTTP from 209.165.201.4, 209.165.201.6,
and 209.165.201.8 to 209.165.200.225
Deny all others
104638
ACL Inbound
Permit from any to any
ACL Inbound
Permit from any to any
ACL Inbound
Permit from any to any
To Next Page
Loading...
Need help?
General