Cisco Support Community
New Member

Access-list for internet

Good afternoon

I have a firewall with three interfaces (outside, inside "172.16.0.0/16" and dmz "10.1.1.0/24") and I need access from the inside network to the internet on port 80, as in the access-list below.

access-list inside_access_in extended permit tcp 172.16.0.0 255.255.0.0 0.0.0.0 0.0.0.0 eq http

What would be the best practice so that the machines in the inside network don't access other networks on port 80, given that the destination is already any?

Create a deny rule, as in the example below:

access-list inside_access_in extended deny ip 172.16.0.0 255.255.0.0 10.1.1.0 255.255.255.0

access-list inside_access_in extended permit tcp 172.16.0.0 255.255.0.0 0.0.0.0 0.0.0.0 eq http

OR

Or create an outbound access-list on the dmz interface?

Thanks to all.

3 REPLIES
Hall of Fame Super Blue

Re: Access-list for internet

Luciano

Doesn't make a huge amount of difference. Personally I would go with your first example, i.e.

access-list inside_access_in extended deny ip 172.16.0.0 255.255.0.0 10.1.1.0 255.255.255.0

access-list inside_access_in extended permit tcp 172.16.0.0 255.255.0.0 0.0.0.0 0.0.0.0 eq http

Jon
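Added example (not from the thread or from Cisco): a small first-match evaluator for ASA extended ACL lines that shows why Jon's ordering works and what the two orderings from the thread do to the same flows. It parses the exact lines posted above, applies the ASA rules (top-down, first match wins, implicit deny at the end), and also flags entries that can never match because an earlier entry covers them. Everything beyond the two posted lines is constructed: the host addresses, the 198.51.100.10 web server, and the two extra ACLs that add an SSH permit into the DMZ to illustrate a caveat with a broad "deny ip" placed first.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Port keywords: the page uses "http"; "www" and "ssh" are added here (assumption: the
# ASA accepts both "http" and "www" for port 80).
PORT_NAMES = {"http": 80, "www": 80, "https": 443, "ssh": 22}


@dataclass
class Ace:
    """One access-control entry of an ASA extended ACL."""
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]        # None = any destination port


def _addr(tok: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D MASK' (ASA uses subnet masks, not wildcards)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def parse_ace(line: str) -> Ace:
    tok = line.split()
    if len(tok) < 7 or tok[0] != "access-list" or tok[2] != "extended":
        raise ValueError(f"not an ASA extended ACE: {line!r}")
    action, proto = tok[3], tok[4]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in: {line!r}")
    src, i = _addr(tok, 5)
    dst, i = _addr(tok, i)
    dport = None
    if i < len(tok):  # only a trailing "eq PORT" on tcp/udp is supported here
        if tok[i] != "eq" or proto not in ("tcp", "udp") or i + 2 != len(tok):
            raise ValueError(f"unsupported port clause in: {line!r}")
        dport = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
    return Ace(action, proto, src, dst, dport)


def load_acl(text: str) -> List[Ace]:
    return [parse_ace(l) for l in text.splitlines() if l.strip()]


def _matches(ace: Ace, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
    return ((ace.proto == "ip" or ace.proto == proto)
            and ipaddress.ip_address(src) in ace.src
            and ipaddress.ip_address(dst) in ace.dst
            and (ace.dport is None or ace.dport == dport))


def evaluate(acl: List[Ace], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Top-down, first match wins; no match falls through to the implicit deny (line None)."""
    for n, ace in enumerate(acl, 1):
        if _matches(ace, proto, src, dst, dport):
            return ace.action, n
    return "deny", None


def _covers(a: Ace, b: Ace) -> bool:
    """True when every packet that matches b would already have matched a."""
    return ((a.proto == "ip" or a.proto == b.proto)
            and b.src.subnet_of(a.src) and b.dst.subnet_of(a.dst)
            and (a.dport is None or a.dport == b.dport))


def shadowed(acl: List[Ace]) -> List[int]:
    """Line numbers of ACEs that can never be hit because an earlier ACE covers them."""
    return [n for n, ace in enumerate(acl, 1)
            if any(_covers(prev, ace) for prev in acl[:n - 1])]


# The two lines posted in the thread, in Jon's recommended order and reversed.
DENY_FIRST = load_acl("""
access-list inside_access_in extended deny ip 172.16.0.0 255.255.0.0 10.1.1.0 255.255.255.0
access-list inside_access_in extended permit tcp 172.16.0.0 255.255.0.0 0.0.0.0 0.0.0.0 eq http
""")
PERMIT_FIRST = load_acl("""
access-list inside_access_in extended permit tcp 172.16.0.0 255.255.0.0 0.0.0.0 0.0.0.0 eq http
access-list inside_access_in extended deny ip 172.16.0.0 255.255.0.0 10.1.1.0 255.255.255.0
""")
# Constructed variants: a later SSH permit into the DMZ behind a broad vs. a narrow deny.
BROAD_DENY_THEN_SSH = load_acl("""
access-list inside_access_in extended deny ip 172.16.0.0 255.255.0.0 10.1.1.0 255.255.255.0
access-list inside_access_in extended permit tcp 172.16.0.0 255.255.0.0 any eq http
access-list inside_access_in extended permit tcp 172.16.0.0 255.255.0.0 10.1.1.0 255.255.255.0 eq ssh
""")
NARROW_DENY_THEN_SSH = load_acl("""
access-list inside_access_in extended deny tcp 172.16.0.0 255.255.0.0 10.1.1.0 255.255.255.0 eq http
access-list inside_access_in extended permit tcp 172.16.0.0 255.255.0.0 any eq http
access-list inside_access_in extended permit tcp 172.16.0.0 255.255.0.0 10.1.1.0 255.255.255.0 eq ssh
""")

if __name__ == "__main__":
    # Constructed flows: inside host to a public web server, a DMZ web server, a DMZ SSH server.
    flows = [("tcp", "172.16.5.5", "198.51.100.10", 80),
             ("tcp", "172.16.5.5", "10.1.1.20", 80),
             ("tcp", "172.16.5.5", "10.1.1.20", 22)]
    for name, acl in [("deny first", DENY_FIRST), ("permit first", PERMIT_FIRST),
                      ("broad deny, then ssh", BROAD_DENY_THEN_SSH),
                      ("narrow deny, then ssh", NARROW_DENY_THEN_SSH)]:
        print(f"{name:22} {[evaluate(acl, *f) for f in flows]}  shadowed: {shadowed(acl)}")
```

Running it shows the point of the thread: with the deny first, inside to DMZ on port 80 hits line 1 and is dropped while inside to the internet on port 80 hits line 2 and is permitted; with the permit first, the deny is never reached for port 80 because the permit's "any" destination already matched. The constructed variants show the caveat a practitioner will want: a broad "deny ip" placed first also blocks every later permit to the DMZ (shadowed() reports line 3 as unreachable), so if inside hosts will ever need other DMZ services, deny only tcp/80 to the DMZ or put the specific DMZ permits above the deny. The example models only the ACL applied inbound on the inside interface, which is the option both posters prefer.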

New Member

Re: Access-list for internet

Hi Jon,

I understand that by creating an outbound access-list we would have another access-list to be read, and this would affect the access time to the devices.

Am I correct?

Thanks for help.

Hall of Fame Super Blue

Re: Access-list for internet

Luciano

"that by creating an outbound access-list we would have another access-list to be read, and this would affect the access time to the devices."

Yes, but probably not that noticeable. However, there is an argument for dropping the traffic on the interface nearest to the source. That way the traffic does not have to go from the inside to the DMZ interface before being dropped. That's why I would go with your first option.

Jon
