Cisco FirePOWER ASA 5500 series Configuration Manual page 329

Chapter 18
Permitting or Denying Network Access
Inbound and Outbound Access List Overview

Then, if you want to allow only certain hosts on the inside networks to access a web server on the outside network, you can create a more restrictive access list that allows only the specified hosts and apply it to the outbound direction of the outside interface (see Figure 18-1). See the "IP Addresses Used for Access Lists When You Use NAT" section on page 16-3 for information about NAT and IP addresses. The outbound access list prevents any other hosts from reaching the outside network.

Figure 18-2 Outbound Access List

[Figure 18-2 shows the following topology and access lists:]
Web Server: 209.165.200.225 (on the Outside network)
Security appliance
Outside interface, ACL Outbound: Permit HTTP from 209.165.201.4, 209.165.201.6, and 209.165.201.8 to 209.165.200.225; Deny all others
Inside interface, ACL Inbound: Permit from any to any; host 10.1.1.14, Static NAT to 209.165.201.4
HR interface, ACL Inbound: Permit from any to any; host 10.1.2.67, Static NAT to 209.165.201.6
Eng interface, ACL Inbound: Permit from any to any; host 10.1.3.34, Static NAT to 209.165.201.8

See the following commands for this example:

hostname(config)# access-list INSIDE extended permit ip any any
hostname(config)# access-group INSIDE in interface inside
hostname(config)# access-list HR extended permit ip any any
hostname(config)# access-group HR in interface hr
hostname(config)# access-list ENG extended permit ip any any
hostname(config)# access-group ENG in interface eng
hostname(config)# access-list OUTSIDE extended permit tcp host 209.165.201.4 host 209.165.200.225 eq www
hostname(config)# access-list OUTSIDE extended permit tcp host 209.165.201.6 host 209.165.200.225 eq www
hostname(config)# access-list OUTSIDE extended permit tcp host 209.165.201.8 host 209.165.200.225 eq www
hostname(config)# access-group OUTSIDE out interface outside

Cisco Security Appliance Command Line Configuration Guide
OL-10088-01
18-3
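The following is an added example, not Cisco code and not part of the manual: a small Python model of how the access lists above are evaluated. It encodes the four access lists and the three static translations from Figure 18-2 as data, applies the inbound access list on the ingress interface to the real source address, rewrites the source through static NAT, and then applies the outbound access list on the outside interface to the mapped address. It shows the two points the text makes: the outbound list on the outside interface is written in terms of the mapped addresses (209.165.201.x, not 10.1.x.x), and the implicit deny at the end of that list drops every other host, and every other protocol or port, even though the inbound lists permit everything. The host 10.1.1.99 in the usage section is a constructed address with no translation; the choice that such a host keeps its real address at the outbound check is an assumption of this model only, made so that the example stays self-contained.

```python
"""Model of the outbound access-list example (Figure 18-2).

Added illustration, not Cisco code: it models first-match access-list
evaluation with the implicit deny, static NAT of the source address,
and the fact that an access list applied to the outside interface is
matched against mapped (translated) addresses.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

WWW = 80  # "eq www" in the ASA CLI is TCP port 80
ANY = ipaddress.ip_network("0.0.0.0/0")  # the "any" keyword


def host(addr: str) -> ipaddress.IPv4Network:
    """Equivalent of the 'host A.B.C.D' keyword: a single-address /32 network."""
    return ipaddress.ip_network(f"{addr}/32")


@dataclass(frozen=True)
class Ace:
    """One access control entry, i.e. one access-list line."""
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches any protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None      # None means any destination port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ace.src:
        return False
    if ipaddress.ip_address(pkt.dst) not in ace.dst:
        return False
    return ace.dport is None or ace.dport == pkt.dport


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First matching entry wins; every access list ends with an implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


# The four access lists from the page, entered as data.
ACLS: Dict[str, List[Ace]] = {
    "INSIDE": [Ace("permit", "ip", ANY, ANY)],
    "HR": [Ace("permit", "ip", ANY, ANY)],
    "ENG": [Ace("permit", "ip", ANY, ANY)],
    "OUTSIDE": [
        Ace("permit", "tcp", host("209.165.201.4"), host("209.165.200.225"), WWW),
        Ace("permit", "tcp", host("209.165.201.6"), host("209.165.200.225"), WWW),
        Ace("permit", "tcp", host("209.165.201.8"), host("209.165.200.225"), WWW),
    ],
}

# The access-group bindings: interface -> access list name, by direction.
INBOUND_ACL = {"inside": "INSIDE", "hr": "HR", "eng": "ENG"}
OUTBOUND_ACL = {"outside": "OUTSIDE"}

# Static NAT from Figure 18-2: real inside address -> mapped outside address.
STATIC_NAT = {
    "10.1.1.14": "209.165.201.4",
    "10.1.2.67": "209.165.201.6",
    "10.1.3.34": "209.165.201.8",
}


def forward(ingress: str, pkt: Packet, egress: str = "outside") -> str:
    """Return "permit", or a "deny: ..." string naming the check that dropped the packet."""
    # 1. The inbound access list on the ingress interface sees the real source address.
    if evaluate(ACLS[INBOUND_ACL[ingress]], pkt) != "permit":
        return f"deny: inbound access list on {ingress}"
    # 2. Static NAT rewrites the source. A host with no translation keeps its real
    #    address here; that is an assumption of this model, not a statement about the ASA.
    translated = Packet(pkt.proto, STATIC_NAT.get(pkt.src, pkt.src), pkt.dst, pkt.dport)
    # 3. The outbound access list on the egress interface is matched against the mapped address.
    if egress in OUTBOUND_ACL and evaluate(ACLS[OUTBOUND_ACL[egress]], translated) != "permit":
        return f"deny: outbound access list on {egress} (source seen as {translated.src})"
    return "permit"


if __name__ == "__main__":
    web = "209.165.200.225"
    print(forward("inside", Packet("tcp", "10.1.1.14", web, 80)))  # permit
    print(forward("hr", Packet("tcp", "10.1.2.67", web, 80)))      # permit
    print(forward("inside", Packet("tcp", "10.1.1.99", web, 80)))  # deny: constructed host, not in OUTSIDE
    print(forward("eng", Packet("tcp", "10.1.3.34", web, 443)))    # deny: only port 80 is permitted
```

Running the block prints one line per packet. The last two lines are the behaviour the text describes: the inbound lists let every packet through, but the implicit deny at the end of OUTSIDE drops any source that is not one of the three mapped addresses and any destination port other than 80. Evaluating OUTSIDE directly against the real address 10.1.1.14 also yields deny, which is why the entries on the outside interface must use the translated addresses.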