DMZ ACL

jcw009
Level 1

Setting up a new DMZ on my ASA 5520 running 7.2(3). I want to allow by exception into the internal network, but allow everything out to the external network. I'm only using private addresses on the internal network. If I simply have a few permit statements in the ACL, followed by deny to 10/8, 172.16/12, 192.168/16, that should cover all of the internal networks that I'm using (subnetted 172.16 and 10 networks), right?

At first I was trying to do a deny statement for each internal network, but that's going to be a pain to implement and maintain.

Thanks!

1 Reply

Collin Clark
VIP Alumni

Yes you can use the masks. You can also group the networks together using an object group to make it even cleaner.

object-group network BLOCK_RFC_1918
 network-object 10.0.0.0 255.0.0.0
 network-object 192.168.0.0 255.255.0.0
 network-object 172.16.0.0 255.240.0.0
access-list DMZ extended deny ip any object-group BLOCK_RFC_1918

Hope that helps
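The following is an added example, not part of the original thread or Cisco's own tooling. It models the ACL the question describes (permit-by-exception into internal, deny everything else to the three RFC 1918 aggregates, then permit any for DMZ-to-external) with first-match semantics and an implicit deny at the end, so you can check the two things that actually matter before committing the config: that every internal subnet really is contained in 10/8, 172.16/12 or 192.168/16, and that the ACE order does not shadow the deny. The DMZ address 192.0.2.10, the exception host 10.1.5.25 and the internal subnets are constructed assumptions, not values from the thread.

```python
import ipaddress
from typing import Iterable, List, Tuple

# The object-group from the reply, expressed as Python networks.
BLOCK_RFC_1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),   # 172.16.0.0 through 172.31.255.255
    ipaddress.ip_network("192.168.0.0/16"),
]

ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed internal subnets for the coverage check (assumed; the thread lists none).
INTERNAL_SUBNETS = ["10.1.0.0/16", "10.2.4.0/22", "172.16.8.0/24",
                    "172.31.255.0/24", "192.168.50.0/24"]

# An ACE reduced to what matters here: action, source, and a list of destination
# networks (an object-group is just such a list). Protocol and ports are omitted,
# i.e. every ACE behaves like "ip".
Ace = Tuple[str, ipaddress.IPv4Network, List[ipaddress.IPv4Network]]


def build_dmz_acl(exceptions: Iterable[str]) -> List[Ace]:
    """Inbound-on-DMZ ACL in the order the question describes: permit the
    exceptions first, deny everything else to RFC 1918, then permit any so
    DMZ -> external still flows. The trailing permit is not optional: an ASA
    ACL ends with an implicit deny."""
    acl: List[Ace] = [("permit", ANY, [ipaddress.ip_network(dst)]) for dst in exceptions]
    acl.append(("deny", ANY, BLOCK_RFC_1918))
    acl.append(("permit", ANY, [ANY]))
    return acl


def evaluate(acl: List[Ace], src: str, dst: str) -> str:
    """First-match evaluation; implicit deny if no ACE matches."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_nets in acl:
        if s in src_net and any(d in n for n in dst_nets):
            return action
    return "deny"


def uncovered_internal_subnets(subnets: Iterable[str]) -> List[str]:
    """Internal subnets no RFC 1918 aggregate contains. Anything returned here
    would slip past the deny and hit the final permit any."""
    return [
        s for s in subnets
        if not any(ipaddress.ip_network(s, strict=False).subnet_of(agg)
                   for agg in BLOCK_RFC_1918)
    ]


def shadowed_aces(acl: List[Ace]) -> List[int]:
    """Indexes of ACEs that can never match because an earlier ACE already
    covers every source/destination they would match. A 'permit any' placed
    above the deny is the classic case."""
    shadowed = []
    for i, (_, src_i, dsts_i) in enumerate(acl):
        for _, src_j, dsts_j in acl[:i]:
            if src_i.subnet_of(src_j) and all(
                    any(d.subnet_of(e) for e in dsts_j) for d in dsts_i):
                shadowed.append(i)
                break
    return shadowed


if __name__ == "__main__":
    acl = build_dmz_acl(["10.1.5.25/32"])  # assumed exception: one internal host
    for dst in ("10.1.5.25", "10.1.5.26", "172.31.0.7", "198.51.100.7"):
        print(f"dmz 192.0.2.10 -> {dst}: {evaluate(acl, '192.0.2.10', dst)}")
    print("uncovered internal subnets:", uncovered_internal_subnets(INTERNAL_SUBNETS))
    misordered = [acl[-1]] + acl[:-1]     # permit any moved to the top
    print("shadowed ACEs in misordered ACL:", shadowed_aces(misordered))
```

Two caveats the model makes visible: the deny only works if the exceptions sit above it and a permit any sits below it (with the implicit deny, a DMZ ACL consisting of the three denies alone blocks everything outbound too), and on the box the list does nothing until it is bound with `access-group DMZ in interface <dmz-interface-name>` (interface name assumed). Note also that 172.16/12 ends at 172.31.255.255; a subnet such as 172.32.0.0/24 is public space and would be permitted through.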
