10-08-2008 01:07 PM - edited 03-11-2019 06:55 AM
Hello all. I have the following requirements:
Internal network includes
10.1.1.x/24
10.1.2.x/24
10.1.3.x/24
10.1.4.x/24
I want to allow only the 10.1.1.x network to do ICMP ping and traceroute to outside networks such as Yahoo, etc.
Here is part of my config:
object-group icmp-type icmp-outside-in
icmp-object echo-reply
icmp-object time-exceeded
icmp-object unreachable
access-list outside_access_in extended deny ip 0.0.0.0 255.0.0.0 any
access-list outside_access_in extended deny ip 10.0.0.0 255.0.0.0 any
access-list outside_access_in extended deny ip 127.0.0.0 255.0.0.0 any
access-list outside_access_in extended deny ip 172.16.0.0 255.240.0.0 any
access-list outside_access_in extended deny ip 192.168.0.0 255.255.0.0 any
access-list outside_access_in extended deny ip 224.0.0.0 224.0.0.0 any
access-list outside_access_in extended deny ip host FTP_Block any
access-list outside_access_in extended permit tcp any host xx.xx.157.198 object-group Notes
access-list outside_access_in extended permit tcp any host xx.xx.157.199 eq smtp
access-list outside_access_in extended permit tcp any host xx.xx.157.200 object-group FTP
access-list outside_access_in extended permit icmp any host xx.xx.157.200
access-list outside_access_in extended permit tcp any object-group Production_Websites_ref object-group Web
access-list outside_access_in extended permit tcp any host xx.xx.157.217 eq ssh
access-list outside_access_in extended permit tcp any host xx.xx.157.216 object-group Notes
access-list outside_access_in extended permit icmp any xx.xx.157.192 255.255.255.224 object-group icmp-outside-in
access-list outside_access_in extended deny icmp any xx.xx.157.192 255.255.255.224
access-list outside_access_in extended deny ip any any
access-list dmz_access_in extended permit tcp 10.1.4.0 255.255.255.0 host 10.1.4.21
access-list dmz_access_in extended permit udp 10.1.4.0 255.255.255.0 host 10.1.4.21 eq domain
access-list dmz_access_in extended permit tcp 10.1.4.0 255.255.255.0 host 10.1.4.25
access-list dmz_access_in extended permit udp 10.1.4.0 255.255.255.0 host 10.1.4.25 eq domain
access-list dmz_access_in extended permit ip 10.1.4.0 255.255.255.0 any
access-list dmz_access_in extended permit tcp any host 10.1.4.24
access-list dmz_access_in extended permit udp any host 10.1.4.24
access-list dmz_access_in extended permit icmp any host 10.1.4.24
access-list dmz_access_in extended permit ip 10.1.4.0 255.255.255.0 host 10.1.4.32
access-list dmz_access_in extended permit tcp any host 10.1.4.26 object-group Notes
access-list dmz_access_in extended permit icmp 10.1.4.0 255.255.255.0 host 10.1.4.31
access-list dmz_access_in extended permit tcp any host 10.1.4.25 eq ldap
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit udp any any
access-list inside_access_in extended permit tcp any any
10-08-2008 03:58 PM
What I suggest you do is have a look at the following link, which will be helpful for your case:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml
Good luck.
Rate if helpful.
10-09-2008 04:58 AM
Thank you. I added this ACE and I can ping out from all internal networks.
access-list outside_access_in extended permit icmp any xx.xx.157.192 255.255.255.224 object-group icmp-outside-in
So I think if I want to block other networks except 10.1.1.0/24, I need another ACE on the inside.
Right now I have this on the inside:
access-list inside_access_in extended permit icmp any any
I think it needs to change to:
access-list inside_access_in extended permit icmp 10.1.1.0 255.255.255.0 any
10-09-2008 05:48 AM
The last one will allow ICMP as stated in the ACL and deny anything else!
Please rate the helpful post.
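An added Python example (not from the thread or any Cisco tool) that replays ASA-style first-match evaluation over the inside_access_in lines quoted above, with the proposed ICMP ACE applied; the sample packets and the outside address 198.51.100.10 are constructed. It demonstrates why ACE order matters: a 'permit ip any any' that sits before the ICMP ACE also matches ICMP, so the 10.1.1.0/24 restriction only takes effect once that broad line is removed.

```python
import ipaddress

# Constructed excerpt of the thread's inside_access_in with the proposed
# ICMP ACE applied; the original 'permit ip any any' is left in place.
INSIDE_ACL = """
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp 10.1.1.0 255.255.255.0 any
access-list inside_access_in extended permit udp any any
access-list inside_access_in extended permit tcp any any
"""

def _read_net(tokens):
    """Consume one address spec ('any', 'host A', or 'A MASK'); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_acl(text):
    """Parse 'access-list NAME extended ACTION PROTO SRC DST ...' lines.
    Port qualifiers (eq ...) and object-groups are ignored for this demo."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[2] != "extended":
            continue
        action, proto = t[3], t[4]
        src, rest = _read_net(t[5:])
        dst, _ = _read_net(rest)
        aces.append((action, proto, src, dst))
    return aces

def evaluate(aces, proto, src, dst):
    """First matching ACE wins; an ACL ends with an implicit deny.
    Returns (action, 1-based ACE number) or ('deny', None)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, (action, p, sn, dn) in enumerate(aces, 1):
        # 'ip' matches every IP protocol, including ICMP.
        if p in ("ip", proto) and s in sn and d in dn:
            return action, n
    return "deny", None

def without_proto(aces, proto):
    """Return the ACL with every ACE for the given protocol removed."""
    return [a for a in aces if a[1] != proto]
```

Run evaluate() against parse_acl(INSIDE_ACL) and against without_proto(..., "ip") to compare how ICMP from 10.1.2.x is handled.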