Cisco Support Community

New Member

Access list for DMZ

hi,

I have the subinterface below:

interface GigabitEthernet0/2.50
 description *** Connected to DMZ ****
 vlan 50
 nameif DMZ
 security-level 50
 ip address x.x.x.x/27

I need to allow this subinterface to be accessible throughout the network.

6 REPLIES
New Member

Access list for DMZ

Hi Anil.

apply an ACL saying "any" can access your DMZ IP address on the outside interface.

Regards

Pankaj

New Member

Access list for DMZ

access-list DMZ_access_in extended permit ip X.X.X.X 255.255.255.224 any
access-list DMZ_access_in extended permit icmp X.X.X.X 255.255.255.224 any
access-group DMZ_access_in in interface OUTSIDE-ZONE

Is this the correct one, or do I still need to add anything? Waiting.

Super Bronze

Access list for DMZ

Hi,

You have to be a bit more specific in your question.

We would also need to know the software level possibly.

If you want to allow traffic to the DMZ from other local interfaces, then you use those interfaces' ACLs to allow that traffic.

If you are talking about allowing traffic to the DMZ from another remote network (Internet), then you will have to use the "outside" interface's ACL to allow this traffic. In addition to this you naturally have to have a NAT configuration for the DMZ servers/hosts so that they have a public IP address on which they can be accessed.

If you simply want to allow traffic from DMZ to anywhere else then you would use

access-list DMZ_access_in extended permit ip X.X.X.X 255.255.255.224 any
access-list DMZ_access_in extended permit icmp X.X.X.X 255.255.255.224 any
access-group DMZ_access_in in interface DMZ

- Jouni

New Member

Access list for DMZ

Hi,

thanks, the thing is I do have MPLS connectivity with other branch locations,

and for those I need to allow DMZ access.

Super Bronze

Access list for DMZ

Hi,

Then we would need to know about your NAT and Routing configurations.

It might be that ACL configurations alone won't enable DMZ connectivity.

The best situation is usually to give the source/destination networks and the current configuration with masked public IP addresses and sensitive information. Otherwise the discussion might be needlessly complicated.

- Jouni
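The following is an added example, not the original poster's configuration or anything posted by Jouni or Pankaj, that puts Jouni's two replies together in one ASA configuration: the ACL on the DMZ interface for DMZ-initiated traffic, an ACL on the inside interface for traffic from the MPLS branches into the DMZ, identity NAT and a route for those branches, and static NAT plus an outside ACL for an Internet-reachable DMZ server. It assumes ASA 8.3 or later NAT syntax (the software level Jouni asked about matters here), the nameifs inside, DMZ and OUTSIDE-ZONE, and all addresses are constructed placeholders (RFC 5737 and RFC 1918 ranges), including the branch range 10.20.0.0/16, the DMZ server 192.0.2.10, the public IP 203.0.113.10 and the MPLS next hop 10.0.0.2.

```cisco
! Added example, not the original poster's config. ASA 8.3+ syntax assumed;
! all addresses are constructed placeholders.
!
! --- Objects ---
object network DMZ-NET
 subnet 192.0.2.0 255.255.255.224
object network BRANCH-NET
 subnet 10.20.0.0 255.255.0.0
object network DMZ-WEB
 host 192.0.2.10
 nat (DMZ,OUTSIDE-ZONE) static 203.0.113.10
!
! --- 1. DMZ -> anywhere: ACL applied inbound on the DMZ interface ---
! Once an ACL is bound to DMZ, only what it permits leaves the DMZ.
access-list DMZ_access_in extended permit ip object DMZ-NET any
access-list DMZ_access_in extended permit icmp object DMZ-NET any
access-group DMZ_access_in in interface DMZ
!
! --- 2. MPLS branches (behind "inside") -> DMZ: ACL on the inside interface ---
! The ASA filters where the packet enters, so the DMZ ACL above does nothing
! for sessions the branches initiate. Only the needed ports are opened.
access-list INSIDE_access_in extended permit tcp object BRANCH-NET object DMZ-NET eq 443
access-list INSIDE_access_in extended permit icmp object BRANCH-NET object DMZ-NET echo
access-group INSIDE_access_in in interface inside
!
! Identity NAT so branch <-> DMZ traffic keeps its real addresses
nat (inside,DMZ) source static BRANCH-NET BRANCH-NET destination static DMZ-NET DMZ-NET
!
! Route to the branches via the MPLS CE router on the inside segment
route inside 10.20.0.0 255.255.0.0 10.0.0.2 1
!
! --- 3. Internet -> DMZ server: outside ACL plus the static NAT above ---
! On 8.3+ the ACL references the server's real (untranslated) address.
access-list OUTSIDE_access_in extended permit tcp any object DMZ-WEB eq 443
access-group OUTSIDE_access_in in interface OUTSIDE-ZONE
```

Two points worth checking after applying this. First, if no ACL is bound to inside, the security levels alone (inside 100 to DMZ 50) already allow inside-to-DMZ traffic; as soon as INSIDE_access_in is bound, only its permit lines pass, so every legitimate branch flow needs a line there. Second, the built-in packet-tracer command shows which ACL, NAT rule and route a flow hits, for example `packet-tracer input inside tcp 10.20.1.5 12345 192.0.2.10 443`, which is the quickest way to confirm that ACL, NAT and routing all line up for the branch case before involving the remote sites.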

New Member

Access list for DMZ

Hi Anil,

yours will also do, or you can also apply Jouni's ACLs (both will work)

Regards

Pankaj
