Community Member

ACLs to block traffic from cluster

I'm fairly new to Cisco, and was thrown in the fire to take care of the network, including all of our Cisco equipment.

I want to use an ACL to block all outgoing traffic from a cluster except for certain IPs out on the net.

After looking around, this is what I've come up with. Please help me out and correct my mistakes. I have an ASA 5520.

access-list Restrict_SQL extended permit tcp host 10.0.40.153 host "client_IP"
access-list Restrict_SQL extended permit tcp host 10.0.40.153 host "client_IP"
access-list Restrict_SQL extended deny tcp host 10.0.40.153 any

access-group Restrict_SQL out interface inside

2 REPLIES

Re: ACLs to block traffic from cluster

You need only 2 ACL statements:

access-list Restrict_SQL extended permit tcp host 10.0.40.153 host "client_IP"
access-list Restrict_SQL extended permit tcp host 10.0.40.153 host "client_IP"

The rest of the traffic will be denied implicitly.

And put the ACL either inbound on Inside or outbound on Outside:

access-group Restrict_SQL out interface Outside

or

access-group Restrict_SQL in interface Inside

Community Member

Re: ACLs to block traffic from cluster

Since it's a cluster, I need to restrict it from 10.0.40.153 and 10.0.40.152, so the total statement would look like this:

access-list Restrict_SQL extended permit tcp host 10.0.40.152 host "client_IP"
access-list Restrict_SQL extended permit tcp host 10.0.40.152 host "client_IP"
access-list Restrict_SQL extended permit tcp host 10.0.40.153 host "client_IP"
access-list Restrict_SQL extended permit tcp host 10.0.40.153 host "client_IP"

access-group Restrict_SQL out interface Outside

I'll use outbound on Outside since I still want the server to be able to talk to the DMZ servers.

Thanks for the quick reply.
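The configuration below is an added worked example for the placement and implicit-deny points made in both replies above; it is not from the thread or from Cisco documentation. It assumes an inside network of 10.0.40.0/24 with the cluster nodes at 10.0.40.152 and 10.0.40.153, that the interface nameif values are "inside" and "outside", that the permitted Internet clients are 203.0.113.10 and 203.0.113.20 (documentation-range placeholders standing in for the thread's "client_IP"), and that the only port the cluster needs outbound is TCP 1433 (drop "eq 1433" to permit any TCP port, as the thread does). It also makes explicit the caveat the replies leave unstated: binding an ACL outbound on the outside interface removes the implicit inside-to-outside permit for every inside host, not just the cluster, so the other inside hosts need their own permit or they lose Internet access.

```cisco
! Added example, not the thread's own config. Addresses, nameifs and port 1433 are assumptions.
object-group network SQL_CLUSTER
 network-object host 10.0.40.152
 network-object host 10.0.40.153
object-group network SQL_ALLOWED_CLIENTS
 network-object host 203.0.113.10
 network-object host 203.0.113.20

! 1. Permit the cluster only to the approved clients, and only on the assumed SQL port.
access-list Restrict_SQL extended permit tcp object-group SQL_CLUSTER object-group SQL_ALLOWED_CLIENTS eq 1433
! 2. Explicit deny for everything else from the cluster (ACLs are first-match, so this
!    must come before the general permit). Unlike the implicit deny, an explicit ACE
!    gets a hit counter in "show access-list" and, with "log", a per-ACE syslog.
access-list Restrict_SQL extended deny ip object-group SQL_CLUSTER any log
! 3. Everything else on the inside network keeps its Internet access. Without this line
!    the implicit deny at the end of the ACL would block all other inside hosts too.
access-list Restrict_SQL extended permit ip 10.0.40.0 255.255.255.0 any

! Outbound on outside: only traffic leaving towards the Internet is filtered, so the
! cluster can still reach the DMZ, which is what the second reply wants.
access-group Restrict_SQL out interface outside

! Verification: simulate a cluster node talking to a non-approved Internet host,
! then to an approved one, and read the matching ACE and the final action.
packet-tracer input inside tcp 10.0.40.153 40000 198.51.100.5 443
packet-tracer input inside tcp 10.0.40.153 40000 203.0.113.10 1433
! Hit counters per ACE, to confirm which line real traffic is matching.
show access-list Restrict_SQL
```

packet-tracer shows the access-list phase with the ACE that matched and whether the flow is allowed or dropped, which is the quickest way to prove the deny line catches cluster traffic without also catching the rest of the inside network; once the hit counter on the explicit deny climbs and the syslog from "log" shows only cluster sources, the ACL is doing what the thread asked for.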
