Applying An Access List To An Interface - Cisco PIX 500 Series Configuration Manual

Security appliance command line

Cisco Security Appliance Command Line Configuration Guide, Chapter 18: Permitting or Denying Network Access (OL-12172-03), page 18-2

(see Figure 18-1). See the "IP Addresses Used for Access Lists When You Use NAT" section on page 16-3 for information about NAT and IP addresses. The outbound access list prevents any other hosts from reaching the outside network.

Figure 18-1 Outbound Access List
[Figure: the security appliance applies the outbound access list on the outside interface, in front of the web server 209.165.200.225: permit HTTP from 209.165.201.4, 209.165.201.6, and 209.165.201.8 to 209.165.200.225; deny all others. The Inside, HR, and Eng interfaces each show an implicit permit from any to any. Static NAT maps 10.1.1.14 to 209.165.201.4, 10.1.2.67 to 209.165.201.6, and 10.1.3.34 to 209.165.201.8.]

See the following commands for this example:
hostname(config)# access-list OUTSIDE extended permit tcp host 209.165.201.4 host 209.165.200.225 eq www
hostname(config)# access-list OUTSIDE extended permit tcp host 209.165.201.6 host 209.165.200.225 eq www
hostname(config)# access-list OUTSIDE extended permit tcp host 209.165.201.8 host 209.165.200.225 eq www
hostname(config)# access-group OUTSIDE out interface outside

Applying an Access List to an Interface

To apply an extended access list to the inbound or outbound direction of an interface, enter the following command:
hostname(config)# access-group access_list_name {in | out} interface interface_name [per-user-override]

You can apply one access list of each type (extended and EtherType) to both directions of the interface. See the "Inbound and Outbound Access List Overview" section on page 18-1 for more information about access list directions.
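
The following Python model is an added example, not part of the Cisco guide: it parses the OUTSIDE access list and access-group command from the example above and evaluates constructed flows with first-match, implicit-deny semantics. The parser handles only the "host ... host ... eq" entry form used on this page; the names parse, evaluate, and the sample flows are assumptions made for illustration.

```python
import ipaddress

# The page's commands, with the wrapped lines joined.
CONFIG = """\
access-list OUTSIDE extended permit tcp host 209.165.201.4 host 209.165.200.225 eq www
access-list OUTSIDE extended permit tcp host 209.165.201.6 host 209.165.200.225 eq www
access-list OUTSIDE extended permit tcp host 209.165.201.8 host 209.165.200.225 eq www
access-group OUTSIDE out interface outside
"""
PORTS = {"www": 80}  # the only port keyword this page uses

def parse(config):
    """Return (entries per list name, list name per (interface, direction))."""
    aces, bindings = {}, {}
    for line in config.splitlines():
        t = line.split()
        if t[:1] == ["access-list"] and t[2] == "extended":
            # Only the form on this page: ACTION PROTO host SRC host DST eq PORT
            port = PORTS[t[10]] if t[10] in PORTS else int(t[10])
            aces.setdefault(t[1], []).append(
                (t[3], t[4], ipaddress.ip_address(t[6]),
                 ipaddress.ip_address(t[8]), port))
        elif t[:1] == ["access-group"]:
            # access-group NAME {in | out} interface IFNAME
            bindings[(t[4], t[2])] = t[1]
    return aces, bindings

def evaluate(aces, bindings, ifname, direction, proto, src, dst, dport):
    """First matching entry decides; no match hits the implicit deny."""
    name = bindings.get((ifname, direction))
    if name is None:
        return None  # no list applied in this direction; not modelled here
    flow = (proto, ipaddress.ip_address(src), ipaddress.ip_address(dst), dport)
    for action, *match in aces.get(name, []):
        if tuple(match) == flow:
            return action
    return "deny"

ACES, BINDINGS = parse(CONFIG)
WEB = "209.165.200.225"
# Constructed flows leaving the outside interface: (source, destination, port).
FLOWS = [
    ("209.165.201.4", WEB, 80),    # mapped address named in the list
    ("209.165.201.4", WEB, 443),   # permitted host, port not listed
    ("209.165.201.8", "209.165.200.230", 80),  # permitted host, other server
    ("209.165.201.10", WEB, 80),   # constructed address not in the list
    ("10.1.1.14", WEB, 80),        # real address; entries name the mapped one
]
if __name__ == "__main__":
    for src, dst, port in FLOWS:
        print(src, dst, port, evaluate(ACES, BINDINGS, "outside", "out", "tcp", src, dst, port))
```

Only the first flow is permitted: once the list is applied outbound, the implicit deny also drops traffic from the three listed hosts to any other port or destination.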

This manual is also suitable for:

ASA 5500 series
