Re: Access-list for internet

luciano_rangel · ‎09-29-2009

Good afternoon

I have a firewall with three interfaces (outside, inside "172.16.0.0/16" and dmz "10.1.1.0/24") and I need access from inside network to internet on port 80 as access-list below.

access-list inside_access_in extended permit tcp host 172.16.0.0 255.255.0.0 0.0.0.0 0.0.0.0 eq http

What would be the best practice for the machines in network inside dont access others networks on port 80, already destination is any?

Create a deny rule in the middle of the example below

access-list inside_access_in extended deny ip 172.16.0.0 255.255.0.0 10.1.1.0 255.255.255.0

access-list inside_access_in extended permit tcp 172.16.0.0 255.255.0.0 0.0.0.0 0.0.0.0 eq http

OR

Create outbound access-list on interface dmz?

Thanks for all

Jon Marshall · ‎09-29-2009

Luciano

Doesn't make a huge amount of difference. Personally i would go with your first example ie.

access-list inside_access_in extended deny ip 172.16.0.0 255.255.0.0 10.1.1.0 255.255.255.0

access-list inside_access_in extended permit tcp 172.16.0.0 255.255.0.0 0.0.0.0 0.0.0.0 eq http

Jon

luciano_rangel · ‎09-29-2009

Hi Jon,

Endende that by creating an outbound access-list we would have another access-list to be read and this would affect the access time to the devices.

Am I correct?

Thanks for help.

Jon Marshall · ‎09-29-2009

Luciano

"that by creating an outbound access-list we would have another access-list to be read and this would affect the access time to the devices."

Yes but probably not that noticeable. However there is an argument to say drop the traffic on the nearest interface to the source. That way the traffic does not have to go from the inside to the DMZ interface before being dropped. That's why i would go with your first option.

Jon