outside host to DMZ

Unanswered Question
Sep 17th, 2008

Block internet host to DMZ, is this correct?

access-list dmz_acl extended deny ip host x.x.x.x any
access-list dmz_acl permit ip any any
access-group dmz_acl in interface dmz

If I want to block host x.x.x.x on FTP traffic to the DMZ:

access-list dmz_acl deny host x.x.x.x any eq 21
access-list dmz_acl permit ip any any
access-group dmz_acl in interface dmz

Please correct me if I'm wrong.

felixjai Wed, 09/17/2008 - 11:01

Not sure if I understand your question correctly. Are you trying to block a host in the DMZ from going to the Internet? If so, your commands are OK.

But for FTP, your commands didn't specify the protocol type, in this case TCP. It should go like this (the commands below only block FTP traffic from host x.x.x.x, but allow any other traffic):

access-list dmz_acl deny tcp host x.x.x.x any eq 21
access-list dmz_acl deny tcp host x.x.x.x any eq 20
access-list dmz_acl permit ip any any
access-group dmz_acl in interface dmz

Gerard Gacusan Wed, 09/17/2008 - 11:03

Block an outside host from accessing the DMZ network.

Outside host means a host on the Internet.

felixjai Wed, 09/17/2008 - 11:13

Oh. Then this is wrong. Let's assume some IP addresses here first. Say your DMZ server's real IP address is 192.168.10.10, its NATed public IP is 12.12.12.12, and the host on the Internet you want to block has the IP 33.33.33.33. The following will block all access from the Internet host 33.33.33.33 to your DMZ server 12.12.12.12 (192.168.10.10). (Only the necessary commands are shown.)

interface Ethernet0/0
nameif outside
security-level 0
ip address 12.12.12.2 255.255.255.0
!
interface Ethernet0/1
nameif dmz
security-level 50
ip address 192.168.10.1 255.255.255.0
!
static (dmz,outside) 12.12.12.12 192.168.10.10 netmask 255.255.255.255
!
access-list outside_acl_in extended deny ip host 33.33.33.33 host 12.12.12.12
!
access-group outside_acl_in in interface outside
!

For FTP, use this ACL:

access-list outside_acl_in extended deny tcp host 33.33.33.33 host 12.12.12.12 eq ftp

Gerard Gacusan Wed, 09/17/2008 - 13:08

If I do this, host 33.33.33.33 is completely blocked for any kind of traffic destined to the inside or DMZ. Is that right?

access-list outside_acl deny ip host 33.33.33.33 any
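The three points this thread turns on (an ACE without a protocol keyword is rejected, an ACL bound "in" on the dmz interface never sees traffic arriving on outside, and "deny ip host 33.33.33.33 any" at the top of the outside ACL stops that host regardless of destination) can be checked with a small model of ASA ACL semantics. The script below is an added example written for this page; it is not from the thread or from Cisco, and it models only the subset of syntax the posts use (permit/deny, ip/tcp/udp/icmp, any/host/mask addresses, eq PORT). The permit lines in OUTSIDE_ACL, the second Internet host 44.44.44.44, the inside address 12.12.12.50 and the www traffic are constructed assumptions; the answer itself showed only deny lines. As in the answer's configuration (ASA releases of that era), the outside ACL matches the server's translated address 12.12.12.12.

```python
"""Toy model of ASA extended ACLs: first match wins, the list ends in an
implicit deny, and an ACL filters only traffic entering the interface named in
'access-group NAME in interface IF'. Added example, not the forum's code."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

SERVICE_PORTS = {"ftp": 21, "ftp-data": 20, "ssh": 22, "www": 80, "https": 443}
PROTOCOLS = ("ip", "tcp", "udp", "icmp")
# Security levels from the answer's config; "inside" is an assumed third interface
LEVELS = {"outside": 0, "dmz": 50, "inside": 100}


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    action: str                # "permit" or "deny"
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]       # None means any destination port


def _parse_addr(t, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D MASK' starting at t[i]."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def parse_ace(line: str) -> Ace:
    """Parse 'access-list NAME [extended] ACTION PROTO SRC DST [eq PORT]'."""
    t = line.split()
    if len(t) < 5 or t[0] != "access-list":
        raise ValueError(f"not an access-list entry: {line!r}")
    i = 3 if t[2] == "extended" else 2
    action, proto = t[i], t[i + 1]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action {action!r} in: {line!r}")
    # A real ASA rejects an ACE with no protocol keyword; the question's
    # 'deny host x.x.x.x any eq 21' fails here for exactly that reason.
    if proto not in PROTOCOLS:
        raise ValueError(f"missing or unknown protocol {proto!r} in: {line!r}")
    src, i = _parse_addr(t, i + 2)
    dst, i = _parse_addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        if proto not in ("tcp", "udp"):
            raise ValueError(f"'eq' needs tcp or udp in: {line!r}")
        dport = SERVICE_PORTS.get(t[i + 1]) or int(t[i + 1])
    return Ace(action, proto, src, dst, dport)


def is_valid_ace(line: str) -> bool:
    try:
        parse_ace(line)
        return True
    except ValueError:
        return False


def parse_acl(lines):
    """Ordered ACEs for the lines of one ACL (comment lines '!' are skipped)."""
    return [parse_ace(l) for l in lines if l.strip() and not l.startswith("!")]


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ace.dport is not None and pkt.dport != ace.dport:
        return False
    return (ipaddress.ip_address(pkt.src) in ace.src
            and ipaddress.ip_address(pkt.dst) in ace.dst)


def evaluate_acl(acl, pkt: Packet) -> str:
    """First matching ACE decides; anything unmatched hits the implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


def filter_packet(bindings, ingress: str, egress: str, pkt: Packet) -> str:
    """bindings maps interface -> ACL bound inbound on it. With no inbound ACL
    on the ingress interface the ASA applies the security-level rule: traffic
    from a higher level to a lower one is allowed, the reverse is not."""
    if ingress in bindings:
        return evaluate_acl(bindings[ingress], pkt)
    return "permit" if LEVELS[ingress] > LEVELS[egress] else "deny"


# The question's ACL (bound on dmz) and the answer's ACL (bound on outside).
DMZ_ACL = parse_acl([
    "access-list dmz_acl extended deny ip host 33.33.33.33 any",
    "access-list dmz_acl extended permit ip any any",
])
OUTSIDE_ACL = parse_acl([  # the permit lines are constructed for this example
    "access-list outside_acl_in extended deny tcp host 33.33.33.33 host 12.12.12.12 eq ftp",
    "access-list outside_acl_in extended deny tcp host 33.33.33.33 host 12.12.12.12 eq ftp-data",
    "access-list outside_acl_in extended permit tcp any host 12.12.12.12 eq www",
    "access-list outside_acl_in extended permit tcp any host 12.12.12.12 eq ftp",
])
# The follow-up question's line placed ahead of the same ACL.
BLOCK_HOST_ACL = parse_acl(["access-list outside_acl deny ip host 33.33.33.33 any"]) + OUTSIDE_ACL
```

Binding dmz_acl on the dmz interface leaves Internet traffic to the DMZ governed by the security-level default, so every outside host is refused and the ACL cannot single out 33.33.33.33; bound on outside, the answer's ACL denies only that host's FTP while the constructed permit lines keep www and other hosts' FTP working, and the follow-up's "deny ip ... any" stops the host to every destination.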
