simple ACL confusion

Answered Question
Jul 17th, 2012

Hi All,


I just need to clarify a few simple rules to clear my doubts.


Apparently I have an outside, inside and DMZ interface.


dmz-server = 172.16.10.10

inside-server = 192.168.1.254


I just need 2 simple rules.


1. DMZ-server to access inside-server IP only, and deny anything else Inside

2. DMZ-Server to access internet



1. access-list dmz_access_in line 1 extended permit ip object DMZ-Server object INSIDE-SERVER

2. access-list dmz_access_in line 2 extended permit ip object DMZ-Server any



My objective is for DMZ-server to access to only 192.168.1.254, deny to all other inside IP.

Is my above ACL correct? To me, the 2nd ACL above seems to overwrite the first rule.

Or am I missing a DENY rule? If so, in which order should they be?


Please advise.

Correct Answer by Jouni Forss about 5 years 1 month ago

Hi,


Simply configure the following ACL


1. access-list dmz_access_in line 1 extended permit ip object DMZ-Server object INSIDE-SERVER

2. access-list dmz_access_in line 2 extended deny ip object DMZ-Server 192.168.1.0 255.255.255.0

3. access-list dmz_access_in line 3 extended permit ip object DMZ-Server any


Assuming the INSIDE network is 192.168.1.0/24


This will basically do the following


- Allow traffic from the DMZ server to the INSIDE Server

- Block all other traffic from the DMZ-server to the INSIDE network

- Permit all the rest of the traffic from DMZ-server to any other network (for example to all public IP addresses and other LAN networks if you have any)


- Jouni
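The point of the answer is that an ASA ACL is evaluated top to bottom and the first matching entry wins, with an implicit deny at the end, so the "permit ip object DMZ-Server any" line must come after the deny for the inside network. The following Python is an added example, not code from the thread or from Cisco: it parses the exact ACL lines posted in the question and in the answer (the subset of ASA syntax they use) and runs a few constructed flows through a first-match evaluator. It assumes, as Jouni does, that the inside network is 192.168.1.0/24; the other inside host 192.168.1.50, the public address 203.0.113.5 and the second DMZ host 172.16.10.20 are constructed test values. It also goes one step beyond the thread by evaluating the same three entries with the deny placed first, to answer the "which order" part of the question.

```python
import ipaddress

# Named objects as used in the thread; the addresses come from the question.
OBJECTS = {
    "DMZ-Server": ipaddress.ip_network("172.16.10.10/32"),
    "INSIDE-SERVER": ipaddress.ip_network("192.168.1.254/32"),
}


def _parse_addr(tokens, i):
    """Parse one address operand starting at tokens[i]; return (network, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "object":
        return OBJECTS[tokens[i + 1]], i + 2
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # "network netmask" form, e.g. 192.168.1.0 255.255.255.0
    return ipaddress.ip_network(tok + "/" + tokens[i + 1]), i + 2


def parse_ace(line):
    """Parse the 'extended <permit|deny> ip <src> <dst>' subset of ASA ACE syntax."""
    tokens = line.split()
    i = tokens.index("extended") + 1        # skip 'access-list <name> [line N]'
    action, proto = tokens[i], tokens[i + 1]
    src, i = _parse_addr(tokens, i + 2)
    dst, i = _parse_addr(tokens, i)
    return {"action": action, "proto": proto, "src": src, "dst": dst, "text": line}


def evaluate(acl, src_ip, dst_ip):
    """Return (action, matched ACE text). First match wins; no match hits the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in acl:
        if s in ace["src"] and d in ace["dst"]:
            return ace["action"], ace["text"]
    return "deny", "implicit deny"


# The two-line ACL from the question.
ORIGINAL_ACL = [parse_ace(line) for line in [
    "access-list dmz_access_in line 1 extended permit ip object DMZ-Server object INSIDE-SERVER",
    "access-list dmz_access_in line 2 extended permit ip object DMZ-Server any",
]]

# The three-line ACL from the accepted answer (inside network assumed to be 192.168.1.0/24).
CORRECTED_ACL = [parse_ace(line) for line in [
    "access-list dmz_access_in line 1 extended permit ip object DMZ-Server object INSIDE-SERVER",
    "access-list dmz_access_in line 2 extended deny ip object DMZ-Server 192.168.1.0 255.255.255.0",
    "access-list dmz_access_in line 3 extended permit ip object DMZ-Server any",
]]

# Same three entries with the deny placed first: shows why the order matters.
MISORDERED_ACL = [CORRECTED_ACL[1], CORRECTED_ACL[0], CORRECTED_ACL[2]]

# Constructed test flows: the inside server, another inside host, and a TEST-NET-3 public address.
FLOWS = {
    "dmz->inside-server": ("172.16.10.10", "192.168.1.254"),
    "dmz->other-inside": ("172.16.10.10", "192.168.1.50"),
    "dmz->internet": ("172.16.10.10", "203.0.113.5"),
}


def verdicts(acl):
    """Map each constructed flow to the action the ACL would take on it."""
    return {name: evaluate(acl, s, d)[0] for name, (s, d) in FLOWS.items()}


if __name__ == "__main__":
    for label, acl in [("original", ORIGINAL_ACL),
                       ("corrected", CORRECTED_ACL),
                       ("misordered", MISORDERED_ACL)]:
        print(label, verdicts(acl))
```

Running it shows the three outcomes side by side: the original two lines let the DMZ server reach every inside host, because "permit ... any" matches first for anything line 1 did not; the corrected order permits only 192.168.1.254 and the internet; and putting the deny before the server permit blocks the inside server as well, since 192.168.1.254 is inside 192.168.1.0/24 and the deny matches first. A second DMZ host that no entry names falls through to the implicit deny.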
