09-29-2009 01:23 PM - edited 03-11-2019 09:21 AM
Good afternoon
I have a firewall with three interfaces (outside, inside "172.16.0.0/16" and dmz "10.1.1.0/24") and I need access from the inside network to the internet on port 80, as in the access-list below.
access-list inside_access_in extended permit tcp 172.16.0.0 255.255.0.0 0.0.0.0 0.0.0.0 eq http
What would be the best practice to keep the machines on the inside network from accessing the other networks on port 80, given that the destination is any?
Create a deny rule in the middle of the example below
access-list inside_access_in extended deny ip 172.16.0.0 255.255.0.0 10.1.1.0 255.255.255.0
access-list inside_access_in extended permit tcp 172.16.0.0 255.255.0.0 0.0.0.0 0.0.0.0 eq http
OR
Create an outbound access-list on the dmz interface?
Thanks for all
09-29-2009 01:38 PM
Luciano
Doesn't make a huge amount of difference. Personally I would go with your first example, i.e.
access-list inside_access_in extended deny ip 172.16.0.0 255.255.0.0 10.1.1.0 255.255.255.0
access-list inside_access_in extended permit tcp 172.16.0.0 255.255.0.0 0.0.0.0 0.0.0.0 eq http
Jon
09-29-2009 01:54 PM
Hi Jon,
I understand that by creating an outbound access-list we would have another access-list to be read, and this would affect the access time to the devices.
Am I correct?
Thanks for help.
09-29-2009 02:04 PM
Luciano
"that by creating an outbound access-list we would have another access-list to be read and this would affect the access time to the devices."
Yes, but probably not that noticeable. However, there is an argument to say drop the traffic on the interface nearest to the source. That way the traffic does not have to go from the inside to the DMZ interface before being dropped. That's why I would go with your first option.
Jon
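The two orderings discussed in this thread behave differently because an ASA access-list is evaluated top-down, first match wins, and ends with an implicit deny. The following Python simulator is an added example written for this page; it is not Cisco code and not part of the original thread. It models the ACEs from Luciano's first option with CIDR notation instead of ASA's address/mask pairs, and the hosts 172.16.5.5, 10.1.1.10 and 198.51.100.7 are constructed sample addresses. It shows that inside-to-DMZ port 80 is dropped by the deny line while inside-to-internet port 80 is still permitted, and that reversing the two lines would let the broad permit shadow the deny for that flow.

```python
import ipaddress

# Each ACE is (action, protocol, source network, destination network, dest port).
# A port of None means "any port"; protocol "ip" matches every IP protocol.
# Constructed to mirror the thread's first option: specific deny above broad permit.
INSIDE_ACCESS_IN = [
    ("deny",   "ip",  "172.16.0.0/16", "10.1.1.0/24", None),  # inside -> dmz, any protocol
    ("permit", "tcp", "172.16.0.0/16", "0.0.0.0/0",   80),    # inside -> any, tcp/80
]

# The same two lines in the wrong order, kept here to demonstrate shadowing.
MISORDERED = list(reversed(INSIDE_ACCESS_IN))


def ace_matches(ace, proto, src, dst, dport):
    """True if a single ACE matches the flow (protocol, src IP, dst IP, dst port)."""
    _action, ace_proto, ace_src, ace_dst, ace_port = ace
    if ace_proto != "ip" and ace_proto != proto:
        return False
    if ipaddress.ip_address(src) not in ipaddress.ip_network(ace_src):
        return False
    if ipaddress.ip_address(dst) not in ipaddress.ip_network(ace_dst):
        return False
    if ace_port is not None and ace_port != dport:
        return False
    return True


def evaluate(acl, proto, src, dst, dport=None):
    """First-match evaluation with the implicit deny at the end.

    Returns (action, index of the matching ACE) or ("deny", None) when nothing
    matched and the implicit deny applied.
    """
    for index, ace in enumerate(acl):
        if ace_matches(ace, proto, src, dst, dport):
            return ace[0], index
    return "deny", None


def ordering_report(flows):
    """For each flow, show the verdict under the correct and the reversed ordering.

    Flows are (label, proto, src, dst, dport) tuples; the result maps label to a
    (correct_action, misordered_action) pair so shadowing is visible at a glance.
    """
    report = {}
    for label, proto, src, dst, dport in flows:
        correct, _ = evaluate(INSIDE_ACCESS_IN, proto, src, dst, dport)
        wrong, _ = evaluate(MISORDERED, proto, src, dst, dport)
        report[label] = (correct, wrong)
    return report


# Constructed sample flows from an inside host.
SAMPLE_FLOWS = [
    ("inside->dmz tcp/80",      "tcp", "172.16.5.5", "10.1.1.10",    80),
    ("inside->internet tcp/80", "tcp", "172.16.5.5", "198.51.100.7", 80),
    ("inside->internet tcp/443","tcp", "172.16.5.5", "198.51.100.7", 443),
    ("inside->dmz udp/53",      "udp", "172.16.5.5", "10.1.1.10",    53),
]

if __name__ == "__main__":
    for label, (correct, wrong) in ordering_report(SAMPLE_FLOWS).items():
        print(f"{label:26} deny-first: {correct:6}  permit-first: {wrong}")
```

Running the block prints one line per flow. The DMZ-bound tcp/80 flow is the one that changes between the two orderings: with the deny first it is dropped at the inside interface, with the permit first it is allowed because the permit to any matches before the deny is ever consulted. The tcp/443 flow is dropped in both cases by the implicit deny, since nothing in the list permits it.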