
New Member

ACL

Three questions:

1. I need to allow internet access for inside users, say (ports 80, 443). On which interface do I need to apply the ACL, and what should it contain?

2. I need to access an FTP server on the internet from one particular system inside, say (system IP 192.168.100.25 & FTP 216.87.172.x). What will the ACL be, and on which interface do we need to apply it?

3. Let's say I have NATted one inside system to a public IP and have to access this system through RDP (port 3389) from the internet. What is the ACL, and where do we need to apply it?

Accepted Solution

Re: ACL

Based on your original post and the last posting, my ACL would look something like:

access-list inside-out permit tcp 192.168.100.0 255.255.255.0 any eq 80 - inside out HTTP

access-list inside-out permit tcp 192.168.100.0 255.255.255.0 any eq 443 - inside out HTTPS

access-list inside-out permit tcp host 192.168.100.25 host 216.82.172.x eq 21 - specific inside host to external FTP server

access-list inside-out permit udp any any eq 53 - inside DNS

access-list inside-out permit icmp any any - for troubleshooting IP connectivity

access-list inside-out deny ip any any log - log all deny access from inside out.

access-group inside-out in interface inside

I would re-write my original outside acl to

access-list outside-in extended permit icmp any any echo-reply

access-list outside-in extended permit icmp any any unreachable

access-list outside-in extended permit icmp any any traceroute

access-list outside-in extended permit icmp any any time-exceeded

access-list outside-in permit tcp any host <> eq 3389

access-group outside-in in interface outside

HTH>
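Both lists above rely on the ASA's ordered, first-match evaluation and on the implicit deny at the end of any applied ACL. What follows is an added example, not code from this thread or from Cisco: a small Python model of those semantics that parses the posted lines and evaluates constructed sample flows against them. It uses 216.82.172.1 and 203.0.113.10 as constructed stand-ins for the thread's "x" and "<>" placeholders, and 192.168.100.10, 192.168.100.50, 198.51.100.7, 203.0.113.5 and 203.0.113.53 as constructed flow endpoints. It makes two things in the thread visible: the follow-up names 192.168.100.50 as the FTP user while the posted rule permits only 192.168.100.25, so .50 hits the explicit deny and is logged; and once an ACL is applied inbound on the inside interface the "everything allowed from inside by default" behaviour from the first reply no longer applies, so without the final "deny ip any any log" the same traffic is dropped by the implicit deny with nothing logged.

```python
"""Tiny first-match model of Cisco ASA access-list evaluation.

Added example, not code from the thread or from Cisco. Modelled: ordered
first-match evaluation, ASA subnet masks (255.255.255.0, not IOS wildcard
masks), 'host'/'any', 'eq <port>' on the destination, 'log', and the implicit
deny ending every applied ACL. Not modelled: ICMP types, port ranges,
object-groups, NAT.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Flow:
    proto: str      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0  # destination port; 0 for icmp

@dataclass(frozen=True)
class Rule:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]  # None means any destination port
    log: bool

def _parse_addr(tokens: List[str]):
    """Consume one ASA address spec and return (network, remaining tokens)."""
    head = tokens[0]
    if head == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if head == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # ASA form is <network> <subnet mask>, e.g. 192.168.100.0 255.255.255.0
    return ipaddress.ip_network(f"{head}/{tokens[1]}", strict=False), tokens[2:]

def parse_acl(text: str) -> List[Rule]:
    """Parse 'access-list <name> [extended] permit|deny <proto> <src> <dst> [eq <port>] [log]' lines."""
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 3 or tokens[0] != "access-list" or tokens[2] == "remark":
            continue
        tokens = tokens[3:] if tokens[2] == "extended" else tokens[2:]
        action, proto = tokens[0], tokens[1]
        src, rest = _parse_addr(tokens[2:])
        dst, rest = _parse_addr(rest)
        dport = None
        if rest[:1] == ["eq"]:
            dport, rest = int(rest[1]), rest[2:]
        rules.append(Rule(action, proto, src, dst, dport, "log" in rest))
    return rules

def evaluate(rules: List[Rule], flow: Flow) -> Tuple[str, int, bool]:
    """Return (action, index of the matching rule, logged); index -1 is the implicit deny."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    for i, r in enumerate(rules):
        if r.proto not in ("ip", flow.proto):
            continue
        if src not in r.src or dst not in r.dst:
            continue
        if r.dport is not None and r.dport != flow.dport:
            continue
        return r.action, i, r.log
    return "deny", -1, False  # implicit deny: dropped silently, nothing logged

# The thread's two ACLs. 216.82.172.1 and 203.0.113.10 are constructed
# stand-ins for the thread's 'x' and '<>' placeholders.
INSIDE_OUT = """
access-list inside-out permit tcp 192.168.100.0 255.255.255.0 any eq 80
access-list inside-out permit tcp 192.168.100.0 255.255.255.0 any eq 443
access-list inside-out permit tcp host 192.168.100.25 host 216.82.172.1 eq 21
access-list inside-out permit udp any any eq 53
access-list inside-out permit icmp any any
access-list inside-out deny ip any any log
"""
OUTSIDE_IN = """
access-list outside-in extended permit icmp any any echo-reply
access-list outside-in permit tcp any host 203.0.113.10 eq 3389
"""

def verdicts() -> Dict[str, Tuple[str, int, bool]]:
    """Evaluate constructed sample flows (198.51.100.x / 203.0.113.x are documentation ranges)."""
    inside, outside = parse_acl(INSIDE_OUT), parse_acl(OUTSIDE_IN)
    ftp_from_50 = Flow("tcp", "192.168.100.50", "216.82.172.1", 21)
    return {
        "https": evaluate(inside, Flow("tcp", "192.168.100.10", "203.0.113.5", 443)),
        "ftp_from_25": evaluate(inside, Flow("tcp", "192.168.100.25", "216.82.172.1", 21)),
        "ftp_from_50": evaluate(inside, ftp_from_50),
        "ftp_from_50_no_explicit_deny": evaluate(inside[:-1], ftp_from_50),
        "dns_udp": evaluate(inside, Flow("udp", "192.168.100.10", "203.0.113.53", 53)),
        "dns_tcp": evaluate(inside, Flow("tcp", "192.168.100.10", "203.0.113.53", 53)),
        "rdp_in": evaluate(outside, Flow("tcp", "198.51.100.7", "203.0.113.10", 3389)),
        "ssh_in": evaluate(outside, Flow("tcp", "198.51.100.7", "203.0.113.10", 22)),
    }

if __name__ == "__main__":
    for name, (action, idx, logged) in verdicts().items():
        where = "implicit deny" if idx < 0 else f"rule {idx}"
        print(f"{name:30s} {action:6s} via {where}{', logged' if logged else ''}")
```

Two things the output makes plain that the posted lists do not say: DNS over TCP is denied by the inside-out list because only UDP/53 is permitted, and anything that misses the outside-in list (SSH, in the sample) is dropped by the implicit deny without a log entry, since that list has no trailing "deny ip any any log". One version caveat for the RDP rule: on ASA 8.3 and later, access-lists match on the real (untranslated) address, so the host in the outside-in rule would be the inside system's real address on those releases rather than its public one.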

5 REPLIES

Re: ACL

Gandhi,

To answer your questions:-

1) No ACL is required - all traffic is allowed from the inside to the outside by default

2) See 1

3) Your ACL would read something like:

access-list outside-in permit tcp any host <> eq 3389

access-group outside-in in interface outside

HTH>

New Member

Re: ACL

Hi Andrew,

My second question was:

As a security policy we will not allow FTP access to the outside for any users; only on demand will we provide the access.

e.g. inside subnet (192.168.100.0/24)

user who needs the access (192.168.100.50)

third-party FTP server (216.87.X.X)

How should the ACL look?


New Member

Re: ACL

Thx for ur help buddy......

Re: ACL

sure - np glad to help
