ACL question

Mar 29th, 2007
Hello.


I have below case:

interface FastEthernet0/0
 description INTRANET
 ip address 10.20.28.1 255.255.252.0
 ip nat inside
 duplex auto
 speed auto
!
interface Serial0/0.3 point-to-point
 description INTERNET
 ip address <real_ip> 255.255.255.192
 ip nat outside
 frame-relay interface-dlci 404
!
interface FastEthernet0/1
 description DMZ
 ip address real 255.255.255.192
 duplex auto
 speed auto
!


I want:

to allow only telnet from INTERNET to DMZ.

to allow ALL traffic from DMZ and INTRANET to INTERNET.


Please, help me with ACL rules...

Correct Answer by jitesh1982 about 10 years 4 months ago

Hello Max,


After such long work, I would like to know whether your problem has been resolved, or up to where you have got, so that I can try to help it out.


Rgds,

Jitesh

flashsplash Thu, 03/29/2007 - 05:31

I think (I just started with my CCNA)


access-list 101 permit tcp 0.0.0.0 255.255.255.255 your.?.ser.ver 0.0.0.0 eq 23


RouterA(config)#ip nat inside source list 1 interface [interface to the internet] overload

RouterA(config)#access-list 1 permit any

NetMaxKar Thu, 03/29/2007 - 05:36

But on which interface, inbound or outbound, do I need to apply this...

Amit Singh Thu, 03/29/2007 - 05:43

You can use an EXTENDED ACL to permit only the telnet traffic and attach it to the outbound direction on the serial interface.


config t
access-list 101 permit tcp any any eq 23
interface s0/0.3
ip access-group 101 in


This should help you.


-amit singh



Jon Marshall Thu, 03/29/2007 - 05:59

Hi Amit


This might create some problems. If you apply this inbound on the serial interface you have in fact denied all other traffic other than telnet to the DMZ. This is probably not what is intended.


What might be a better solution is to apply your access-list on the DMZ interface in an outbound direction which would not interfere with the main traffic flow.


That is why I asked whether the poster wanted the intranet clients to be able to talk to the DMZ servers.


HTH


Jon

Jon Marshall Thu, 03/29/2007 - 06:08

Hi


I wasn't speculating on what he wanted and the answer given was not a solution to his problem.


The second part of the problem states that he wants to allow all traffic from the DMZ and the intranet out to the internet.


Now if you apply the access-list given on the serial interface in an inbound direction that would block ANY return traffic from the internet. The access-list is not stateful.


HTH


Jon

Jon Marshall Thu, 03/29/2007 - 06:20

Hi


The post is not about Amit's requirements. Amit and yourself supplied an answer that did not meet the requirements of the original poster. There is some confusion over Amit's answer in that he talks about applying the acl outbound but the config shows it being applied inbound.


I have posted incorrect or misleading posts before and am the first to accept it if I have made a mistake. The issue is really to make sure the user doesn't do something that breaks his network.


So I still can't see how it is speculation. The requirements are quite plain.


Jon

Jon Marshall Thu, 03/29/2007 - 06:30

And I just got out of a very long, boring and, most importantly, non-technical meeting, so I wasn't in the best frame of mind.


Apologies if i came on a bit strong. No offense intended.


Jon

Jon Marshall Thu, 03/29/2007 - 05:46

Hi


Do you want to allow anybody from your intranet to access the DMZ servers, or do you just want people on the internet to have access to the DMZ with telnet?


This makes a difference in the access-list


Jon

NetMaxKar Thu, 03/29/2007 - 06:23

Thanks everyone. Let me clarify.

Telnet was just an example. In fact I need this:


1) ALL traffic from INTRANET to DMZ and INTERNET

2) ALL traffic from DMZ to INTERNET

3) SNMP and SNMPTRAPS from DMZ to INTRANET

4) ECHO, FTP, SSH, SMTP, DNS, TFTP, HTTP, POP3, NNTP, NTP, SNMP, SNMPTRAPS, HTTPS, SECURE POP3 from INTERNET to DMZ


and I want to use the following ACL (correct me if I'm wrong):

!
interface serial 0/0.3
ip access-group 120 in
!
access-list 120 permit tcp any any eq echo
access-list 120 permit udp any any eq echo
access-list 120 permit tcp any any eq ftp
access-list 120 permit tcp any any eq ftp-data established
access-list 120 permit tcp any any eq 22
access-list 120 permit tcp any any eq smtp
access-list 120 permit tcp any any eq domain
access-list 120 permit udp any any eq domain
access-list 120 permit udp any any eq tftp
access-list 120 permit tcp any any eq www
access-list 120 permit tcp any any eq pop3
access-list 120 permit tcp any any eq nntp
access-list 120 permit tcp any any eq 123
access-list 120 permit udp any any eq snmp
access-list 120 permit udp any any eq snmptrap
access-list 120 permit udp any any eq ntp
access-list 120 permit tcp any any eq 443
access-list 120 permit tcp any any eq 995
access-list 120 permit tcp any any eq telnet

Jon Marshall Thu, 03/29/2007 - 07:15

Hi


To control DMZ to intranet traffic use this access-list



access-list 101 permit udp "DMZ Subnet" 0.0.0.63 10.20.28.0 0.0.3.255 eq snmp
access-list 101 permit udp "DMZ Subnet" 0.0.0.63 10.20.28.0 0.0.3.255 eq snmptrap
access-list 101 permit deny ip "DMZ Subnet" 0.0.0.63 10.20.28.0 0.0.3.255
access-list 101 permit ip "DMZ Subnet" 0.0.0.63 any

Apply it on the DMZ interface in an inbound direction.

interface fa0/1
ip access-group 101 in



To allow the other traffic use an acl for the serial interface and apply it in an inbound direction.


What you need to do is this


access-list 102 permit tcp any "DMZ Subnet" 0.0.0.63 eq ssh
access-list 102 permit tcp any "DMZ Subnet" 0.0.0.63 eq smtp

etc... add lines for all the traffic from the Internet to your DMZ servers.

access-list 102 deny ip any "DMZ Subnet" 0.0.0.63 # deny any other traffic to the DMZ servers
access-list 102 permit ip any any # allow all other return traffic

interface s0/0.3
ip access-group 102 in



The only other issue is echo. If you really want to allow ping from any internet machine to your DMZ servers, it is not

access-list 120 permit tcp any any eq echo
access-list 120 permit udp any any eq echo

it is

access-list 102 permit icmp any "DMZ Subnet" 0.0.0.63 echo


This is not a particularly good thing to do. It allows people on the Internet to work out which machines you have on public addressing.


Last point. The access-list 102 allows ftp, ssh etc. to all the servers in the DMZ. Presumably you don't have all services running on all servers, i.e. say smtp was running on only one server. Instead of

access-list 102 permit tcp any "DMZ Subnet" 0.0.0.63 eq smtp

a more secure access-list would be

access-list 102 permit tcp any host "SMTP Server ip address" eq smtp



HTH


Jon




Jon Marshall Thu, 03/29/2007 - 07:39

Hi


One slight change to the above, if you want any traffic to be allowed from the DMZ to the Internet but only the specified ports from the Internet to the DMZ.


In our access-list 102 BEFORE the line


access-list 102 deny ip any "DMZ Subnet" 0.0.0.63


you need the line


access-list 102 permit tcp any "DMZ Subnet" 0.0.0.63 established


This will allow the DMZ to initiate tcp connections to the Internet.


There is still a problem with non-tcp traffic initiated from the DMZ to the internet.


If there are any other connections that are initiated from the DMZ to the Internet you will need to account for the return traffic in your acl on the outside interface before you deny ip to the DMZ subnet.


The same applies to the intranet to the DMZ traffic.


You need to add to access-list 101 before the line


access-list 101 permit deny ip "DMZ Subnet" 0.0.0.63 10.20.28.0 0.0.3.255


access-list 101 permit tcp "DMZ Subnet" 0.0.0.63 10.20.28.0 0.0.3.255 established


This is why firewalls are quite useful: they are stateful, so you don't need to account for return traffic in the same way!



HTH


Jon
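Jon's two posts above (the access-lists for the DMZ and serial interfaces, and the follow-up on `established` and return traffic) describe behaviour that is easiest to see by executing it. The block below is an added example, not code from this thread or from Cisco: a small Python model of IOS extended-ACL evaluation (first match wins, implicit deny at the end, wildcard masks, `established` as a plain ACK/RST flag check) run over access-list 102 as Jon sketched it, before and after the `established` line. The DMZ subnet 203.0.113.0/26, the serial address 198.51.100.2 and the packets are constructed placeholders standing in for the "<real_ip>" and "DMZ Subnet" values in the posts.

```python
# Added example, not from the original thread: a toy model of Cisco IOS extended
# ACL evaluation applied to Jon Marshall's access-list 102 for s0/0.3.
# Assumed placeholders: DMZ subnet 203.0.113.0/26, serial address 198.51.100.2
# (documentation ranges standing in for "<real_ip>"); every packet is constructed.
import ipaddress

# Keywords IOS accepts after "eq" (the subset used in this thread).
PORT_NAMES = {"echo": 7, "ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25,
              "domain": 53, "tftp": 69, "www": 80, "pop3": 110, "nntp": 119,
              "ntp": 123, "snmp": 161, "snmptrap": 162}

DMZ = "203.0.113.0 0.0.0.63"      # assumed DMZ subnet, IOS address/wildcard form
SERIAL_IP = "198.51.100.2"        # assumed outside (NAT global) address

# access-list 102 as first posted, and with the "established" line added before the deny.
ACL_102_WITHOUT_ESTABLISHED = [
    f"access-list 102 permit tcp any {DMZ} eq ssh",
    f"access-list 102 permit tcp any {DMZ} eq smtp",
    f"access-list 102 deny ip any {DMZ}",
    "access-list 102 permit ip any any",
]
ACL_102 = ACL_102_WITHOUT_ESTABLISHED[:2] + [
    f"access-list 102 permit tcp any {DMZ} established",
] + ACL_102_WITHOUT_ESTABLISHED[2:]

def _wildcard_match(addr, net, wildcard):
    """IOS wildcard mask: a 1 bit means 'don't care' (the inverse of a netmask)."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wildcard))
    return (a & ~w) == (n & ~w)

def _parse_addr(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD' and return (net, wildcard, rest)."""
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    return tokens[0], tokens[1], tokens[2:]

def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT] [established] [ICMP-TYPE]'."""
    t = line.split()
    ace = {"action": t[2], "proto": t[3], "dport": None,
           "established": False, "icmp_type": None}
    ace["src"], ace["swc"], rest = _parse_addr(t[4:])
    ace["dst"], ace["dwc"], rest = _parse_addr(rest)
    while rest:
        tok = rest.pop(0)
        if tok == "eq":
            port = rest.pop(0)
            ace["dport"] = PORT_NAMES[port] if port in PORT_NAMES else int(port)
        elif tok == "established":
            ace["established"] = True
        elif ace["proto"] == "icmp":
            ace["icmp_type"] = tok          # e.g. "echo" or "echo-reply"
    return ace

def ace_matches(ace, pkt):
    """Stateless per-packet match, as a router without CBAC/zone firewall does it."""
    if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
        return False
    if not _wildcard_match(pkt["src"], ace["src"], ace["swc"]):
        return False
    if not _wildcard_match(pkt["dst"], ace["dst"], ace["dwc"]):
        return False
    if ace["dport"] is not None and pkt.get("dport") != ace["dport"]:
        return False
    # "established" only tests the ACK or RST bit of this one segment. There is
    # no connection table, so a forged ACK-only probe (nmap -sA) passes it too.
    if ace["established"] and not (pkt.get("flags", set()) & {"ACK", "RST"}):
        return False
    if ace["icmp_type"] is not None and pkt.get("icmp_type") != ace["icmp_type"]:
        return False
    return True

def evaluate(acl, pkt):
    """Return (action, matched line); first match wins, no match is the implicit deny."""
    for line in acl:
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace["action"], line
    return "deny", "implicit deny ip any any"

# Constructed packets as seen inbound on s0/0.3. The inbound ACL is checked before
# outside-to-inside NAT, so replies to intranet hosts still carry SERIAL_IP.
PKT_SSH_TO_DMZ = {"proto": "tcp", "src": "192.0.2.10", "dst": "203.0.113.5", "dport": 22, "flags": {"SYN"}}
PKT_TELNET_TO_DMZ = {"proto": "tcp", "src": "192.0.2.10", "dst": "203.0.113.5", "dport": 23, "flags": {"SYN"}}
PKT_REPLY_TO_DMZ = {"proto": "tcp", "src": "192.0.2.80", "dst": "203.0.113.5", "dport": 40000, "flags": {"SYN", "ACK"}}
PKT_REPLY_TO_INTRANET = {"proto": "tcp", "src": "192.0.2.80", "dst": SERIAL_IP, "dport": 40001, "flags": {"SYN", "ACK"}}
PKT_ACK_SCAN = {"proto": "tcp", "src": "192.0.2.66", "dst": "203.0.113.5", "dport": 3306, "flags": {"ACK"}}
PKT_PING_DMZ = {"proto": "icmp", "src": "192.0.2.10", "dst": "203.0.113.5", "icmp_type": "echo"}

if __name__ == "__main__":
    for acl in (ACL_102_WITHOUT_ESTABLISHED, ACL_102):
        print([evaluate(acl, p)[0] for p in (PKT_SSH_TO_DMZ, PKT_TELNET_TO_DMZ, PKT_REPLY_TO_DMZ,
                                             PKT_REPLY_TO_INTRANET, PKT_ACK_SCAN)])
    # The poster's "eq echo" lines match TCP/UDP port 7, not an ICMP echo request.
    print(evaluate(["access-list 120 permit tcp any any eq echo"], PKT_PING_DMZ)[0],
          evaluate([f"access-list 102 permit icmp any {DMZ} echo"], PKT_PING_DMZ)[0])
```

Running it shows the three points of the discussion: without the `established` line the reply to a connection the DMZ opened (PKT_REPLY_TO_DMZ) hits `deny ip any DMZ` and is dropped, while the NATed intranet reply is still permitted because the ACL sees the serial address, not a DMZ address; with the `established` line the DMZ reply passes, but so does an ACK-only scan of any DMZ port, which is the stateless weakness Jon contrasts with a real firewall; and `permit tcp any any eq echo` never matches a ping, only the ICMP form does.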





NetMaxKar Thu, 03/29/2007 - 11:33

access-list 101 permit deny ip ...

What does "permit deny" mean?

Jon Marshall Thu, 03/29/2007 - 12:04

Sorry, that would be a typo.


It's meant to be "access-list deny ip...."


Jon
