Cisco Catalyst 6500 Series Configuration Manual page 192

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services

Access Control List Overview
Then, if you want to allow only certain hosts on the inside networks to access a web server on the outside network, you can create a more restrictive ACL that allows only the specified hosts and apply it to the outbound direction of the outside interface (see Figure 10-4). See the "IP Addresses Used for Access Control Lists When You Use NAT" section on page 10-7 for information about NAT and IP addresses. The outbound ACL prevents any other hosts from reaching the outside network.

Figure 10-5 Outbound ACL
[Figure: FWSM with the Inside, HR, and Eng interfaces and the Outside interface.
  Inside: ACL Inbound, permit from any to any; 10.1.1.14 -> 209.165.201.4 (static NAT)
  HR: ACL Inbound, permit from any to any; 10.1.2.67 -> 209.165.201.6 (static NAT)
  Eng: ACL Inbound, permit from any to any; 10.1.3.34 -> 209.165.201.8 (static NAT)
  Outside: ACL Outbound, permit HTTP from 209.165.201.4, 209.165.201.6, and 209.165.201.8 to 209.165.200.225; deny all others
  Web Server: 209.165.200.225]

See the following commands for this example:
FWSM/contexta(config)# access-list INSIDE extended permit ip any any
FWSM/contexta(config)# access-group INSIDE in interface inside
FWSM/contexta(config)# access-list HR extended permit ip any any
FWSM/contexta(config)# access-group HR in interface hr
FWSM/contexta(config)# access-list ENG extended permit ip any any
FWSM/contexta(config)# access-group ENG in interface eng
FWSM/contexta(config)# access-list OUTSIDE extended permit tcp host 209.165.201.4 host 209.165.200.225 eq www
FWSM/contexta(config)# access-list OUTSIDE extended permit tcp host 209.165.201.6 host 209.165.200.225 eq www
FWSM/contexta(config)# access-list OUTSIDE extended permit tcp host 209.165.201.8 host 209.165.200.225 eq www
FWSM/contexta(config)# access-group OUTSIDE out interface outside

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide, OL-6392-01, Chapter 10: Controlling Network Access with Access Control Lists, page 10-12
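
The first-match behavior of the OUTSIDE ACL above, as an added Python sketch (not part of the Cisco guide and not FWSM code). It assumes the outbound ACL on the outside interface is compared against the mapped (post-NAT) source address, with the NAT pairs read from Figure 10-5; the test flows, the host 10.1.1.15 and the destination 209.165.200.226 are constructed.

```python
import ipaddress

# ACEs copied from the page's OUTSIDE ACL (wrapped lines joined).
OUTSIDE_ACL = """\
access-list OUTSIDE extended permit tcp host 209.165.201.4 host 209.165.200.225 eq www
access-list OUTSIDE extended permit tcp host 209.165.201.6 host 209.165.200.225 eq www
access-list OUTSIDE extended permit tcp host 209.165.201.8 host 209.165.200.225 eq www
"""
# Static NAT pairs as read from Figure 10-5: real address -> mapped address.
STATIC_NAT = {"10.1.1.14": "209.165.201.4", "10.1.2.67": "209.165.201.6",
              "10.1.3.34": "209.165.201.8"}
PORTS = {"www": 80}  # the only port keyword this ACL uses
WEB = "209.165.200.225"


def parse_ace(line):
    """Parse '<action> <proto> host SRC host DST eq PORT', the only ACE form used here."""
    t = line.split()
    shape = (t[0], t[2], t[5], t[7], t[9]) if len(t) == 11 else None
    if shape != ("access-list", "extended", "host", "host", "eq"):
        raise ValueError(f"unsupported ACE: {line!r}")
    port = PORTS[t[10]] if t[10] in PORTS else int(t[10])
    return (t[3], t[4], ipaddress.ip_address(t[6]), ipaddress.ip_address(t[8]), port)


ACES = [parse_ace(line) for line in OUTSIDE_ACL.splitlines()]


def evaluate(aces, nat, real_src, dst, proto, port):
    """Return the action of the first matching ACE, or the implicit deny."""
    # Assumption: the outbound ACL sees the source after static NAT is applied.
    src = ipaddress.ip_address(nat.get(real_src, real_src))
    flow = (proto, src, ipaddress.ip_address(dst), port)
    for action, *match in aces:
        if tuple(match) == flow:
            return action
    return "deny"  # no ACE matched


if __name__ == "__main__":
    # Constructed test flows: (real source, destination, protocol, port).
    flows = [("10.1.1.14", WEB, "tcp", 80), ("10.1.2.67", WEB, "tcp", 80),
             ("10.1.3.34", WEB, "tcp", 443), ("10.1.1.15", WEB, "tcp", 80),
             ("10.1.1.14", "209.165.200.226", "tcp", 80)]
    for f in flows:
        print(f, "->", evaluate(ACES, STATIC_NAT, *f))
```

Passing an empty NAT table for 10.1.1.14 returns deny, which shows why the ACEs are written with the mapped addresses rather than the real ones.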

This manual is also suitable for:

7600 series