ACL

Answered Question
Sep 9th, 2009

Three questions:

1. I need to allow internet access for inside users, say on ports 80 and 443. Which interface do I need to apply the ACL to, and what should it contain?

2. I need to access an FTP server on the internet from one particular inside system (system IP 192.168.100.25, FTP server 216.87.172.x). What will the ACL be, and which interface do we need to apply it to?

3. Let's say I have NATted one inside system to a public IP and I have to access this system through RDP (port 3389) from the internet. What is the ACL, and where do we need to apply it?


Based on your original post and your last posting, my ACL would look something like this:

access-list inside-out permit tcp 192.168.100.0 255.255.255.0 any eq 80 - inside out HTTP

access-list inside-out permit tcp 192.168.100.0 255.255.255.0 any eq 443 - inside out HTTPS

access-list inside-out permit tcp host 192.168.100.25 host 216.87.172.x eq 21 - specific inside host to external FTP server

access-list inside-out permit udp any any eq 53 - inside DNS

access-list inside-out permit icmp any any - for troubleshooting IP connectivity

access-list inside-out deny ip any any log - log all deny access from inside out.

access-group inside-out in interface inside

I would rewrite my original outside ACL to:

access-list outside-in extended permit icmp any any echo-reply

access-list outside-in extended permit icmp any any unreachable

access-list outside-in extended permit icmp any any traceroute

access-list outside-in extended permit icmp any any time-exceeded

access-list outside-in permit tcp any host <> eq 3389

access-group outside-in in interface outside

HTH
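Added example, not part of the thread or of any Cisco tool: a small Python evaluator for ASA-style extended ACL lines that applies the inside-out list above to a given flow the way the firewall does (top down, first match wins, implicit deny at the end), so the rule set can be sanity-checked before it is pushed. The FTP server's last octet (.10) is an assumption; the post only gives 216.87.172.x.

```python
import ipaddress

# Constructed copy of the inside-out ACL from the answer above; the FTP
# server's last octet (.10) is an assumption, the post only gives 216.87.172.x.
INSIDE_OUT = """
access-list inside-out permit tcp 192.168.100.0 255.255.255.0 any eq 80
access-list inside-out permit tcp 192.168.100.0 255.255.255.0 any eq 443
access-list inside-out permit tcp host 192.168.100.25 host 216.87.172.10 eq 21
access-list inside-out permit udp any any eq 53
access-list inside-out permit icmp any any
access-list inside-out deny ip any any log
"""

def _addr(tokens):
    """Consume one ASA address spec: any | host A.B.C.D | A.B.C.D MASK."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)

def parse_acl(text):
    """Return the ACEs in order; the ASA uses the first ACE that matches."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()[2:]          # drop 'access-list <name>'
        action = tokens.pop(0)
        if tokens[0] == "extended":        # keyword is optional on the ASA
            tokens.pop(0)
        proto = tokens.pop(0)
        src, dst = _addr(tokens), _addr(tokens)
        dport = int(tokens[1]) if tokens[:1] == ["eq"] else None
        aces.append((action, proto, src, dst, dport))
    return aces

def evaluate(aces, proto, src, dst, dport=None):
    """Decide a flow the way the firewall would: first match wins,
    and a flow matching nothing hits the implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, ace_proto, ace_src, ace_dst, ace_dport in aces:
        if ace_proto not in (proto, "ip"):
            continue
        if s not in ace_src or d not in ace_dst:
            continue
        if ace_dport is not None and ace_dport != dport:
            continue
        return action
    return "deny"
```

Running `evaluate(parse_acl(INSIDE_OUT), "tcp", "192.168.100.50", "216.87.172.10", 21)` returns "deny", which is the on-demand FTP policy from the thread working as intended: only the one listed host gets out on port 21.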

gandhi.ganesh Thu, 09/10/2009 - 02:21

Hi Andrew,

My second question was:

As a security policy we will not allow FTP access to the outside for any users; only on demand will we provide the access.

e.g. inside subnet (192.168.100.0/24)

user who needs the access (192.168.100.50)

third-party FTP server (216.87.X.X)

How should the ACL look?
