outside host to DMZ

Gerard Gacusan
Level 1

Block internet host to DMZ, is this correct?

access-list dmz_acl extended deny ip host x.x.x.x any

access-list dmz_acl permit ip any any

access-group dmz_acl in interface dmz

If I want to block host x.x.x.x's FTP traffic to the DMZ:

access-list dmz_acl deny host x.x.x.x any eq 21

access-list dmz_acl permit ip any any

access-group dmz_acl in interface dmz

Please correct me if I'm wrong.

4 Replies

felixjai
Level 1

Not sure if I understand your question correctly. Are you trying to block a host in the DMZ from going to the Internet? If so, your commands are OK.

But for FTP, your commands didn't specify the protocol type, which in this case is TCP. It should go like this (the commands below block only FTP traffic from host x.x.x.x and allow everything else):

access-list dmz_acl deny tcp host x.x.x.x any eq 21

access-list dmz_acl deny tcp host x.x.x.x any eq 20

access-list dmz_acl permit ip any any

access-group dmz_acl in interface dmz

Block an outside host from accessing the DMZ network.

Outside host means a host on the Internet.

felixjai
Level 1

Oh. Then this is wrong. Let's assume some IP addresses first. Say your DMZ server's real IP address is 192.168.10.10 and its NATted public IP is 12.12.12.12, and the host on the Internet you want to block has the IP 33.33.33.33. The following will block all access from the Internet host 33.33.33.33 to your DMZ server 12.12.12.12 (192.168.10.10). (Only the necessary commands are shown.)

interface Ethernet0/0

nameif outside

security-level 0

ip address 12.12.12.2 255.255.255.0

!

interface Ethernet0/1

nameif dmz

security-level 50

ip address 192.168.10.1 255.255.255.0

!

static (dmz,outside) 12.12.12.12 192.168.10.10 netmask 255.255.255.255

!

access-list outside_acl_in extended deny ip host 33.33.33.33 host 12.12.12.12

!

access-group outside_acl_in in interface outside

!

For FTP, use this ACL:

access-list outside_acl_in extended deny tcp host 33.33.33.33 host 12.12.12.12 eq ftp
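As an added illustration, not code from this thread, here is a small Python model of how the ASA applies these lines: it parses the access-list entries, binds them per interface as access-group does, and decides a packet by first match on the ACL bound inbound to the interface it arrives on, with the implicit deny at the end. The configs and the flow are constructed for the example; the permit line added to the reply's FTP ACL is an assumption, since the reply shows only the deny.

```python
import ipaddress

def _addr(tokens):
    """Consume 'any' or 'host A'; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]  # "host A"

def parse_ace(line):
    """Parse 'access-list NAME [extended] ACTION PROTO SRC DST [eq PORT]'."""
    t = line.split()
    name, rest = t[1], (t[3:] if t[2] == "extended" else t[2:])
    action, proto = rest[0], rest[1]
    if proto in ("host", "any"):  # the question's 'deny host x.x.x.x any eq 21' omits the protocol
        raise ValueError("protocol keyword (ip/tcp/udp) missing: " + line)
    src, rest = _addr(rest[2:])
    dst, rest = _addr(rest)
    dport = ({"ftp": 21, "ftp-data": 20}.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
    return name, (action, proto, src, dst, dport)

def evaluate(config, ingress, proto, src, dst, dport=0):
    """First matching ACE of the ACL bound inbound on `ingress` decides; an applied ACL
    ends in an implicit deny; an interface with no ACL yields 'no-acl' (security levels
    decide). `dst` is the address the ACL sees: the mapped one with the reply's static NAT."""
    acls, bound = {}, {}
    for ln in (raw.strip() for raw in config.splitlines() if raw.strip()):
        if ln.startswith("access-list"):
            name, ace = parse_ace(ln)
            acls.setdefault(name, []).append(ace)
        elif ln.startswith("access-group"):  # access-group NAME in interface IF
            bound[ln.split()[-1]] = ln.split()[1]
    if ingress not in bound:
        return "no-acl"
    for action, p, s, d, port in acls[bound[ingress]]:
        if ((p == "ip" or p == proto) and ipaddress.ip_address(src) in s
                and ipaddress.ip_address(dst) in d and (port is None or port == dport)):
            return action
    return "deny"

# Constructed configs: the question's ACL bound to dmz, and the reply's FTP deny bound to outside plus an assumed permit line.
QUESTION_CFG = """access-list dmz_acl extended deny ip host 33.33.33.33 any
access-list dmz_acl permit ip any any
access-group dmz_acl in interface dmz"""
REPLY_CFG = """access-list outside_acl_in extended deny tcp host 33.33.33.33 host 12.12.12.12 eq ftp
access-list outside_acl_in permit ip any host 12.12.12.12
access-group outside_acl_in in interface outside"""

# Constructed flow: the Internet host opens FTP to the DMZ server, so it arrives on "outside".
VERDICTS = {cfg: evaluate(c, "outside", "tcp", "33.33.33.33", "12.12.12.12", 21)
            for cfg, c in (("question", QUESTION_CFG), ("reply", REPLY_CFG))}  # no-acl / deny
```

The dmz-bound ACL is never consulted for a packet arriving on outside, which is why the question's first attempt cannot block an Internet host; the same host's UDP or non-FTP traffic falls through the reply's `deny tcp ... eq ftp` line to the permit, showing why the protocol keyword matters.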

If I do this, host 33.33.33.33 is completely blocked from any kind of traffic destined to the inside or the DMZ. Is that right?

access-list outside_acl deny ip host 33.33.33.33 any
