ACL question

NetMaxKar
Level 1

Hello.

I have below case:

interface FastEthernet0/0
 description INTRANET
 ip address 10.20.28.1 255.255.252.0
 ip nat inside
 duplex auto
 speed auto
!
interface Serial0/0.3 point-to-point
 description INTERNET
 ip address <real_ip> 255.255.255.192
 ip nat outside
 frame-relay interface-dlci 404
!
interface FastEthernet0/1
 description DMZ
 ip address <real_ip> 255.255.255.192
 duplex auto
 speed auto
!

I want:

to allow only telnet from INTERNET to DMZ.

to allow ALL traffic from DMZ and INTRANET to INTERNET.

Please help me with the ACL rules...

1 Accepted Solution

Accepted Solutions

jitesh1982
Level 1

Hello Max,

After such a long discussion I would like to know whether your problem has been resolved, or up to where you have got, so that I can try to help it out.

Rgds,

Jitesh


19 Replies

flashsplash
Level 1

I think (I just started with my CCNA):

access-list 101 permit tcp 0.0.0.0 255.255.255.255 your.?.ser.ver 0.0.0.0 eq 23

RouterA(config)#ip nat inside source list 1 interface [interface to the internet] overload

RouterA(config)#access-list 1 permit any

but on which interface, inbound or outbound, do I need to apply this...

You should put the access-list on the serial interface to allow only the telnet traffic coming inbound to the DMZ from the outside.

and the ACL should look something like this:

access-list 101 permit tcp any (DMZ subnet) eq 23

Amit Singh
Cisco Employee

You can use an EXTENDED ACL to permit only the telnet traffic and attach it to the outbound direction on the serial interface.

config t
access-list 101 permit tcp any any eq 23
interface Serial0/0.3
ip access-group 101 in

This should help you.

-amit singh

Hi Amit

This might create some problems. If you apply this inbound on the serial interface you have in fact denied all other traffic other than telnet to the DMZ. This is probably not what is intended.

What might be a better solution is to apply your access-list on the DMZ interface in an outbound direction which would not interfere with the main traffic flow.

That is why I asked whether the poster wanted the intranet clients to be able to talk to the DMZ servers.

HTH

Jon

We can speculate on what he wanted , but the solution was given to the question that he asked. If anyone is asking a question that might have production impact, I would hope they would state that in the question.

Hi

I wasn't speculating on what he wanted and the answer given was not a solution to his problem.

The second part of the problem states that he wants to allow all traffic from the DMZ and the intranet out to the internet.

Now if you apply the access-list given on the serial interface in an inbound direction that would block ANY return traffic from the internet. The access-list is not stateful.

HTH

Jon

It is speculation until Amit can reply with his exact requirements.

Hi

The post is not about Amit's requirements. Amit and yourself supplied an answer that did not meet the requirements of the original poster. There is some confusion over Amit's answer in that he talks about applying the acl outbound but the config shows it being applied inbound.

I have posted incorrect or misleading posts before and am the first to accept if I have made a mistake. The issue is really to make sure the user doesn't do something that breaks his network.

So I still can't see how it is speculation. The requirements are quite plain.

Jon

My bad, I meant the requirements of the original poster, not Amit. I admit that the answer given won't solve his entire requirement but I think more info is needed. I only read part of the message before I replied. I guess I've been away from the lab too long.

And I just got out of a very long, boring and, most importantly, non-technical meeting, so I wasn't in the best frame of mind.

Apologies if I came on a bit strong. No offense intended.

Jon

Jon Marshall
Hall of Fame

Hi

Do you want to allow anybody from your intranet to access the DMZ servers, or do you just want people on the internet to have access to the DMZ with telnet?

This makes a difference in the access-list

Jon

Thanks everyone. Let me clarify.

Telnet was just an example. In fact I need this:

1) ALL traffic from INTRANET to DMZ and INTERNET

2) ALL traffic from DMZ to INTERNET

3) SNMP and SNMPTRAPS from DMZ to INTRANET

4) ECHO, FTP, SSH, SMTP, DNS, TFTP, HTTP, POP3, NNTP, NTP, SNMP, SNMPTRAPS, HTTPS, SECURE POP3 from INTERNET to DMZ

and I want to use the following ACL (correct me if I am wrong):

!
interface serial 0/0.3
 ip access-group 120 in
!
access-list 120 permit tcp any any eq echo
access-list 120 permit udp any any eq echo
access-list 120 permit tcp any any eq ftp
access-list 120 permit tcp any any eq ftp-data established
access-list 120 permit tcp any any eq 22
access-list 120 permit tcp any any eq smtp
access-list 120 permit tcp any any eq domain
access-list 120 permit udp any any eq domain
access-list 120 permit udp any any eq tftp
access-list 120 permit tcp any any eq www
access-list 120 permit tcp any any eq pop3
access-list 120 permit tcp any any eq nntp
access-list 120 permit tcp any any eq 123
access-list 120 permit udp any any eq snmp
access-list 120 permit udp any any eq snmptrap
access-list 120 permit udp any any eq ntp
access-list 120 permit tcp any any eq 443
access-list 120 permit tcp any any eq 995
access-list 120 permit tcp any any eq telnet
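To make Jon's point concrete that the access-list is not stateful, here is an added example (written for this thread, not code from any poster or from IOS): a minimal evaluator for the "any any" entries of ACL 120 above, applied inbound on the Internet-facing serial. It shows that a web reply coming back to an INTRANET user is dropped by the implicit deny, that prepending an `established` entry (the keyword the ACL already uses for ftp-data) lets TCP replies through while still blocking new inbound SYNs, and that UDP replies such as DNS answers get no such help. The port table, packets and parser are constructed assumptions, not IOS internals.

```python
# Stateless IOS-style extended ACL evaluator (constructed for this example, not IOS code).
IOS_PORT_NAMES = {"echo": 7, "ftp": 21, "ftp-data": 20, "smtp": 25, "domain": 53,
                  "tftp": 69, "www": 80, "pop3": 110, "nntp": 119, "snmp": 161,
                  "snmptrap": 162, "ntp": 123, "telnet": 23}

def parse_ace(line):
    """Parse 'access-list N permit|deny proto any any [eq port] [established]'.
    Only 'any' is accepted as an address, which is all ACL 120 in the thread uses."""
    tok = line.split()
    if tok[0] != "access-list" or tok[4:6] != ["any", "any"]:
        raise ValueError("unsupported ACE: " + line)
    rest = tok[6:]
    port = None
    if "eq" in rest:
        name = rest[rest.index("eq") + 1]
        port = int(name) if name.isdigit() else IOS_PORT_NAMES[name]
    return {"action": tok[2], "proto": tok[3], "dport": port,
            "established": "established" in rest}

def ace_matches(ace, pkt):
    if ace["proto"] != pkt["proto"]:
        return False
    if ace["dport"] is not None and pkt["dport"] != ace["dport"]:
        return False
    # 'established' matches only TCP segments carrying ACK or RST, i.e. never the
    # initial SYN; it is the stateless stand-in for "reply traffic" and nothing more.
    if ace["established"] and not (pkt["proto"] == "tcp" and pkt["flags"] & {"ACK", "RST"}):
        return False
    return True

def evaluate(acl, pkt):
    """First matching entry wins; every ACL ends with an implicit deny, as on IOS."""
    for line in acl:
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace["action"]
    return "deny"

# A few entries of the ACL 120 posted above, applied 'in' on the Internet-facing serial.
ACL_120 = ["access-list 120 permit tcp any any eq ftp",
           "access-list 120 permit tcp any any eq ftp-data established",
           "access-list 120 permit tcp any any eq www",
           "access-list 120 permit udp any any eq domain"]
# Same list with the stateless workaround for TCP return traffic placed first.
ACL_120_FIXED = ["access-list 120 permit tcp any any established"] + ACL_120

# Constructed packets as they arrive inbound on Serial0/0.3 from the Internet.
NEW_HTTP_TO_DMZ = {"proto": "tcp", "dport": 80, "flags": {"SYN"}}                   # wanted
HTTP_REPLY_TO_INTRANET = {"proto": "tcp", "dport": 51234, "flags": {"SYN", "ACK"}}  # return traffic
NEW_SSH_TO_DMZ = {"proto": "tcp", "dport": 22, "flags": {"SYN"}}                    # not in this subset
DNS_REPLY_TO_INTRANET = {"proto": "udp", "dport": 40000, "flags": set()}            # UDP has no flags
```

The `established` entry admits any ACK-flagged segment regardless of port, so it is weaker than a reflexive ACL or stateful inspection; UDP replies (DNS, NTP, SNMP) still need one of those, or explicit high-port permits.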
