ACL

gandhi.ganesh
Level 1

Three questions:

1. I need to allow internet access for inside users, say on ports 80 and 443. On which interface do I need to apply the ACL, and what should it contain?

2. I need to access an FTP server on the internet from one particular system on the inside (system IP 192.168.100.25, FTP server 216.87.172.x). What will the ACL be, and on which interface do we need to apply it?

3. Let's say I have NATted one inside system to a public IP and I have to access this system through RDP (port 3389) from the internet. What is the ACL and where do we need to apply it?


5 Replies

andrew.prince
Level 10

Gandhi,

To answer your questions:-

1) No ACL is required - all traffic is allowed from the inside to the outside by default

2) See 1

3) Your acl would read something like:-

access-list outside-in permit tcp any host <> eq 3389

access-group outside-in in interface outside

HTH

Hi Andrew,

My second question was:

As a security policy we will not allow FTP access to the outside for any user; only

on demand will we provide the access.

ex: inside subnet (192.168.100.0/24)

user who needs the access (192.168.100.50)

third-party FTP server (216.87.X.X)

How should the ACL look?

Based on your original post and the last posting, my ACL would look something like:

access-list inside-out permit tcp 192.168.100.0 255.255.255.0 any eq 80 - inside out HTTP

access-list inside-out permit tcp 192.168.100.0 255.255.255.0 any eq 443 - inside out HTTPS

access-list inside-out permit tcp host 192.168.100.25 host 216.82.172.x eq 21 - specific inside host to external FTP server

access-list inside-out permit udp any any eq 53 - inside DNS

access-list inside-out permit icmp any any - for troubleshooting IP connectivity

access-list inside-out deny ip any any log - log all deny access from inside out.

access-group inside-out in interface inside

I would rewrite my original outside ACL to:

access-list outside-in extended permit icmp any any echo-reply

access-list outside-in extended permit icmp any any unreachable

access-list outside-in extended permit icmp any any traceroute

access-list outside-in extended permit icmp any any time-exceeded

access-list outside-in permit tcp any host <> eq 3389

access-group outside-in in interface outside

HTH
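Added here as an illustration and not part of the thread: a small Python model of how the ASA walks the inside-out ACL above from top to bottom, first match wins. It shows why the single host-to-host entry is what lets 192.168.100.25 out on port 21 while any other inside user trying FTP falls through to the final logged deny, which is exactly the on-demand policy asked for. The FTP server address 216.82.172.10 and the destination 198.51.100.20 are constructed stand-ins for the placeholders in the post.

```python
import ipaddress

# The inside-out ACL from the answer above, trailing prose comments stripped.
# 216.82.172.10 is a constructed stand-in for the page's 216.82.172.x placeholder.
INSIDE_OUT_ACL = """
access-list inside-out permit tcp 192.168.100.0 255.255.255.0 any eq 80
access-list inside-out permit tcp 192.168.100.0 255.255.255.0 any eq 443
access-list inside-out permit tcp host 192.168.100.25 host 216.82.172.10 eq 21
access-list inside-out permit udp any any eq 53
access-list inside-out permit icmp any any
access-list inside-out deny ip any any log
"""

def _addr(t, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D MASK' (the ASA uses netmasks, not wildcards)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1]), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2

def parse_acl(text):
    """Parse 'access-list NAME [extended] permit|deny PROTO SRC DST [eq PORT] [log]' lines."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if t[2] == "extended":          # the ASA accepts the keyword or omits it
            del t[2]
        src, i = _addr(t, 4)
        dst, i = _addr(t, i)
        dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        rules.append(dict(action=t[2], proto=t[3], src=src, dst=dst, dport=dport, log="log" in t[i:]))
    return rules

def evaluate(rules, src, dst, proto, dport=None):
    """First matching ACE wins, as on the ASA; returns (action, ACE number, logged)."""
    for n, r in enumerate(rules, 1):
        if (r["proto"] in ("ip", proto)
                and ipaddress.ip_address(src) in r["src"]
                and ipaddress.ip_address(dst) in r["dst"]
                and (r["dport"] is None or r["dport"] == dport)):
            return r["action"], n, r["log"]
    return "deny", None, False          # the implicit deny at the end of every ACL is not logged

if __name__ == "__main__":
    rules = parse_acl(INSIDE_OUT_ACL)
    for flow in [("192.168.100.25", "216.82.172.10", "tcp", 21),   # the one FTP-authorised host
                 ("192.168.100.50", "216.82.172.10", "tcp", 21),   # any other inside user: logged deny
                 ("192.168.100.50", "198.51.100.20", "tcp", 443)]: # ordinary HTTPS browsing
        print(flow, "->", evaluate(rules, *flow))
```

The explicit deny-with-log entry matters operationally: traffic that only hits the implicit deny leaves no record, so a user reporting "FTP doesn't work" can be confirmed against the hit on ACE 6.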

Thx for ur help buddy......

sure - np glad to help
