ACL

Answered Question
Sep 9th, 2009

Three questions:

1. I need to allow internet access for inside users (say ports 80 and 443). Which interface do I need to apply the ACL to, and what should it contain?

2. I need to access an FTP server on the internet from one particular system on the inside (say system IP 192.168.100.25 and FTP server 216.87.172.x). What will the ACL be, and which interface do we need to apply it to?

3. Let's say I have NATed one inside system to a public IP and I have to access this system through RDP (port 3389) from the internet. What is the ACL, and where do we need to apply it?

Correct Answer by andrew.prince@m... about 7 years 10 months ago

Based on your original post and the last posting, my ACL would look something like:


access-list inside-out remark inside out HTTP
access-list inside-out extended permit tcp 192.168.100.0 255.255.255.0 any eq 80
access-list inside-out remark inside out HTTPS
access-list inside-out extended permit tcp 192.168.100.0 255.255.255.0 any eq 443
access-list inside-out remark specific inside host to external FTP server
access-list inside-out extended permit tcp host 192.168.100.25 host 216.82.172.x eq 21
access-list inside-out remark inside DNS
access-list inside-out extended permit udp any any eq 53
access-list inside-out remark for troubleshooting IP connectivity
access-list inside-out extended permit icmp any any
access-list inside-out remark log all denied access from inside out
access-list inside-out extended deny ip any any log

access-group inside-out in interface inside


I would rewrite my original outside ACL to:


access-list outside-in extended permit icmp any any echo-reply
access-list outside-in extended permit icmp any any unreachable
access-list outside-in extended permit icmp any any traceroute
access-list outside-in extended permit icmp any any time-exceeded
access-list outside-in extended permit tcp any host <> eq 3389

access-group outside-in in interface outside


HTH

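An added example, not code from the thread or from Cisco: a small Python evaluator for ASA-style extended ACLs that applies the ASA's first-match rule and implicit deny to the two ACLs in the accepted answer above (and to the outside-in ACL in Andrew's first reply below). The placeholders are replaced by stand-in addresses from the RFC 5737 documentation ranges, which are assumptions and not the poster's real addresses: the FTP server "216.82.172.x" becomes 198.51.100.21 and the RDP host's public IP "<>" becomes 203.0.113.10. The flows in demo() are constructed, and 192.168.100.50 is the user from the follow-up question.

```python
# Added example (not from the original thread): evaluator for ASA-style
# extended ACLs, run against the accepted answer's two ACLs.  Assumed stand-in
# addresses (RFC 5737): FTP server -> 198.51.100.21, RDP public IP -> 203.0.113.10.
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip", "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None      # "eq <port>"; None means any destination port
    icmp_type: Optional[str] = None  # e.g. "echo-reply"; None means any ICMP type
    log: bool = False                # trailing "log" keyword


def _parse_addr(tokens, i):
    """Consume one ASA address spec at tokens[i]: any | host A.B.C.D | A.B.C.D MASK."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ASA takes a subnet mask here (255.255.255.0), not an IOS wildcard mask.
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line: str) -> Ace:
    """Parse 'access-list NAME [extended] permit|deny PROTO SRC DST [eq N] [TYPE] [log]'."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    i = 2                            # t[1] is the ACL name
    if t[i] == "extended":           # optional keyword on ASA 7.0 and later
        i += 1
    action, proto = t[i], t[i + 1]
    i += 2
    src, i = _parse_addr(t, i)
    dst, i = _parse_addr(t, i)
    ace = Ace(action, proto, src, dst)
    while i < len(t):
        if t[i] == "eq":
            ace.dport = int(t[i + 1]); i += 2
        elif t[i] == "log":
            ace.log = True; i += 1
        elif proto == "icmp":        # echo-reply, unreachable, time-exceeded, traceroute ...
            ace.icmp_type = t[i]; i += 1
        else:
            raise ValueError(f"unsupported token {t[i]!r} in: {line!r}")
    return ace


def parse_acl(text: str):
    return [parse_ace(l) for l in text.splitlines() if l.strip()]


def evaluate(acl, proto, src, dst, dport=None, icmp_type=None) -> Tuple[str, Optional[int]]:
    """First matching ACE wins; no match at all is the implicit deny (index None)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for idx, ace in enumerate(acl):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        if ace.icmp_type is not None and ace.icmp_type != icmp_type:
            continue
        return ace.action, idx
    return "deny", None


# The accepted answer's ACLs (trailing comments removed; placeholders replaced as noted above).
INSIDE_OUT = parse_acl("""
access-list inside-out extended permit tcp 192.168.100.0 255.255.255.0 any eq 80
access-list inside-out extended permit tcp 192.168.100.0 255.255.255.0 any eq 443
access-list inside-out extended permit tcp host 192.168.100.25 host 198.51.100.21 eq 21
access-list inside-out extended permit udp any any eq 53
access-list inside-out extended permit icmp any any
access-list inside-out extended deny ip any any log
""")

OUTSIDE_IN = parse_acl("""
access-list outside-in extended permit icmp any any echo-reply
access-list outside-in extended permit icmp any any unreachable
access-list outside-in extended permit icmp any any traceroute
access-list outside-in extended permit icmp any any time-exceeded
access-list outside-in extended permit tcp any host 203.0.113.10 eq 3389
""")


def demo():
    """Constructed flows (not from the thread) exercising first match and both denies."""
    ftp, web = "198.51.100.21", "198.51.100.80"
    return {
        "https":     evaluate(INSIDE_OUT, "tcp", "192.168.100.7", web, 443),   # ACE 1
        "ftp_25":    evaluate(INSIDE_OUT, "tcp", "192.168.100.25", ftp, 21),   # ACE 2
        "ftp_50":    evaluate(INSIDE_OUT, "tcp", "192.168.100.50", ftp, 21),   # follow-up's user: explicit deny
        "smtp":      evaluate(INSIDE_OUT, "tcp", "192.168.100.7", web, 25),    # explicit deny, logged
        "rdp":       evaluate(OUTSIDE_IN, "tcp", "198.51.100.77", "203.0.113.10", 3389),
        "rdp_other": evaluate(OUTSIDE_IN, "tcp", "198.51.100.77", "203.0.113.11", 3389),  # implicit deny
        "ping_in":   evaluate(OUTSIDE_IN, "icmp", "198.51.100.77", "203.0.113.10", icmp_type="echo"),
        "ping_back": evaluate(OUTSIDE_IN, "icmp", "198.51.100.77", "203.0.113.10", icmp_type="echo-reply"),
    }


if __name__ == "__main__":
    for name, (action, idx) in demo().items():
        where = "implicit deny" if idx is None else f"ACE {idx}"
        print(f"{name:10} {action:6} {where}")
```

Two things the evaluator makes visible: once an ACL is applied inbound on the inside interface, the default "higher to lower security level is permitted" behaviour is gone and anything not explicitly permitted (SMTP, FTP from 192.168.100.50) is dropped, the explicit deny ip any any log only adding logging to what the implicit deny would do anyway; and inbound ICMP echo is not matched by the echo-reply ACE, so ping from the internet is dropped while replies to inside-initiated pings get through. Return traffic for permitted TCP/UDP connections is handled by the ASA's stateful inspection and never needs an ACE. Two caveats for the real box: the eq 21 ACE covers only the FTP control channel, the data connection depending on inspect ftp in the global service policy (enabled by default); and on ASA 8.2 and earlier an ACL on the outside interface matches the translated (public) address, whereas from 8.3 onward it matches the real pre-NAT address, so host <> is the public IP on a 2009-era release and the inside IP on newer ones.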
andrew.prince@m... Thu, 09/10/2009 - 01:26

Gandhi,


To answer your questions:


1) No ACL is required - all traffic is allowed from the inside to the outside by default


2) See 1


3) Your ACL would read something like:


access-list outside-in permit tcp any host <> eq 3389

access-group outside-in in interface outside


HTH

gandhi.ganesh Thu, 09/10/2009 - 02:21

Hi Andrew,

My second question was:

As a security policy we will not allow FTP access to the outside for any users; only

on demand will we provide the access.

e.g. inside subnet (192.168.100.0/24)

user who needs the access (192.168.100.50)

third-party FTP server (216.87.X.X)


How should the ACL look?

