ACLs to block traffic from cluster

bryankrausen
Level 1

I'm fairly new to Cisco, and was thrown in the fire to take care of the network, including all of our Cisco equipment.

I want to use an ACL to block all outgoing traffic from a cluster except for certain IPs out on the net.

After looking around, this is what I've come up with. Please help me out and correct my mistakes. I have an ASA 5520.

access-list Restrict_SQL extended permit tcp host 10.0.40.153 host "client_IP" any

access-list Restrict_SQL extended permit tcp host 10.0.40.153 host "client_IP" any

access-list Restrict_SQL extended deny tcp host 10.0.40.153 0.0.0.0 255.255.255.255 any

access-group Restrict_SQL out interface inside

2 Replies

You need only 2 ACL statements:

access-list Restrict_SQL extended permit tcp host 10.0.40.153 host "client_IP"

access-list Restrict_SQL extended permit tcp host 10.0.40.153 host "client_IP"

The rest of the traffic will be denied implicitly.

And apply the ACL either inbound on Inside or outbound on Outside:

access-group Restrict_SQL out interface Outside

or

access-group Restrict_SQL in interface Inside

Since it's a cluster, I need to restrict it from 10.0.40.153 and 10.0.40.152, so the total statement would look like this:

access-list Restrict_SQL extended permit tcp host 10.0.40.152 host "client_IP"

access-list Restrict_SQL extended permit tcp host 10.0.40.152 host "client_IP"

access-list Restrict_SQL extended permit tcp host 10.0.40.153 host "client_IP"

access-list Restrict_SQL extended permit tcp host 10.0.40.153 host "client_IP"

access-group Restrict_SQL out interface Outside

I'll use outbound on Outside since I still want the server to be able to talk to the DMZ servers.

Thanks for the quick reply.
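The thread stops at the two-permit version of the ACL, so the following is an added example (editor's code, not from either poster or from Cisco) that writes the same restriction out in full and handles the point the thread does not spell out: an ACL bound to an interface ends in an implicit deny, so an ACL that contains only permits for the cluster will also drop every other inside host's Internet traffic once it is applied outbound on Outside. The example assumes 203.0.113.10 and 203.0.113.20 as the two client addresses (standing in for "client_IP"), TCP/1433 as the SQL port, 198.51.100.5 as an arbitrary Internet host for the negative test, and the interface names Inside and Outside used in the thread.

```text
! Added example, not from the thread. Placeholder values are assumptions:
! 203.0.113.10 / 203.0.113.20 stand in for "client_IP", 1433 for the SQL port.
object-group network SQL_CLUSTER
 network-object host 10.0.40.152
 network-object host 10.0.40.153
object-group network SQL_CLIENTS
 network-object host 203.0.113.10
 network-object host 203.0.113.20
!
access-list Restrict_SQL remark Cluster members may reach the listed clients on TCP/1433 only
access-list Restrict_SQL extended permit tcp object-group SQL_CLUSTER object-group SQL_CLIENTS eq 1433
access-list Restrict_SQL remark Everything else sourced from the cluster is dropped and logged
access-list Restrict_SQL extended deny ip object-group SQL_CLUSTER any log
access-list Restrict_SQL remark Explicit permit so the implicit deny does not cut off the rest of the inside network
access-list Restrict_SQL extended permit ip any any
!
! Outbound on Outside: only traffic leaving toward the Internet is checked, so
! cluster-to-DMZ traffic (which exits via the DMZ interface) is not affected.
! An interface takes one ACL per direction; this replaces any ACL already
! bound outbound on Outside.
access-group Restrict_SQL out interface Outside
!
! Verification from enable mode: hit counts per line, then one allowed and
! one denied flow traced through the firewall.
show access-list Restrict_SQL
packet-tracer input Inside tcp 10.0.40.153 40000 203.0.113.10 1433
packet-tracer input Inside tcp 10.0.40.153 40000 198.51.100.5 443
```

Order matters: the ASA evaluates an ACL top-down and stops at the first match, so the cluster-specific deny has to sit above the final permit ip any any or it never fires. The first packet-tracer should end with "Action: allow" and the second with "Action: drop" citing the Restrict_SQL deny line; if the second one is allowed, the ACL is bound to the wrong interface or direction.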
