08-23-2008 08:31 AM - edited 03-11-2019 06:35 AM
I'm fairly new to Cisco, and was thrown in the fire to take care of the network, including all of our Cisco equipment.
I want to use an ACL to block all outgoing traffic from a cluster except for certain IPs out on the net.
After looking around, this is what I've come up with. Please help me out and correct my mistakes. I have an ASA 5520.
access-list Restrict_SQL extended permit tcp host 10.0.40.153 host "client_IP_1"
access-list Restrict_SQL extended permit tcp host 10.0.40.153 host "client_IP_2"
access-list Restrict_SQL extended deny tcp host 10.0.40.153 any
access-group Restrict_SQL out interface inside
08-23-2008 08:56 AM
You need only 2 ACL statements :
access-list Restrict_SQL extended permit tcp host 10.0.40.153 host "client_IP_1"
access-list Restrict_SQL extended permit tcp host 10.0.40.153 host "client_IP_2"
The rest of the traffic will be denied implicitly.
And apply the ACL either inbound on Inside or outbound on Outside:
access-group Restrict_SQL out interface Outside
or
access-group Restrict_SQL in interface Inside
08-23-2008 09:10 AM
Since it's a cluster, I need to restrict it from 10.0.40.153 and 10.0.40.152, so the total statement would look like this:
access-list Restrict_SQL extended permit tcp host 10.0.40.152 host "client_IP_1"
access-list Restrict_SQL extended permit tcp host 10.0.40.152 host "client_IP_2"
access-list Restrict_SQL extended permit tcp host 10.0.40.153 host "client_IP_1"
access-list Restrict_SQL extended permit tcp host 10.0.40.153 host "client_IP_2"
access-group Restrict_SQL out interface Outside
I'll use the outbound Outside since I still want the server to be able to talk to the DMZ servers.
Thanks for the quick reply.
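Added example, not from any of the posts in this thread: a complete ASA configuration for the restriction discussed above, written the way a firewall engineer would deploy it. The interface nameifs "Inside" and "Outside", the client addresses (203.0.113.10 and 203.0.113.11, taken from the TEST-NET-3 documentation range), the SQL port 1433 and the object-group names are assumptions; replace them with your own values.

```cisco
! Added example, not from the posts above. Nameifs, client addresses
! (203.0.113.x, documentation range) and port 1433 are assumptions.
object-group network SQL_CLUSTER
 network-object host 10.0.40.152
 network-object host 10.0.40.153
object-group network SQL_ALLOWED_CLIENTS
 network-object host 203.0.113.10
 network-object host 203.0.113.11
!
! 1. The cluster may reach only the approved clients, and only on the SQL port.
access-list Restrict_SQL remark SQL cluster may only reach approved clients
access-list Restrict_SQL extended permit tcp object-group SQL_CLUSTER object-group SQL_ALLOWED_CLIENTS eq 1433
!
! 2. Drop and log everything else the cluster sends toward the Internet.
!    "ip" rather than "tcp" so UDP and ICMP are covered as well.
access-list Restrict_SQL extended deny ip object-group SQL_CLUSTER any log
!
! 3. Keep every other inside host's outbound traffic working. Without this
!    line the implicit deny at the end of the ACL would cut off the whole
!    site, not just the cluster.
access-list Restrict_SQL extended permit ip any any
!
! Outbound on Outside: traffic to the DMZ never crosses this interface, so
! the cluster can still talk to the DMZ servers.
access-group Restrict_SQL out interface Outside
!
! Verify: check hit counts, then trace one packet that must be dropped and
! one that must pass (198.51.100.7 is an arbitrary Internet address).
show access-list Restrict_SQL
packet-tracer input Inside tcp 10.0.40.153 40000 198.51.100.7 443
packet-tracer input Inside tcp 10.0.40.153 40000 203.0.113.10 1433
```

The third ACE is the important one: an ACL applied to an interface ends in an implicit deny, so a list that only contains permits for the two cluster members blocks every other inside host that passes through that interface in that direction. Grouping the two cluster addresses and the client addresses into object-groups keeps the list to one permit and one deny instead of one line per host pair, and the `log` keyword on the deny gives you a syslog record when the cluster tries to reach something it should not. Run the two packet-tracer commands after applying the ACL; the trace shows which ACE matched and which source address the ACL actually evaluated, which is worth confirming if the cluster is NATed on the way out.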