08-23-2008 08:31 AM - edited 03-11-2019 06:35 AM
I'm fairly new to Cisco, and was thrown in the fire to take care of the network, including all of our Cisco equipment.
I want to use an ACL to block all outgoing traffic from a cluster except for certain IPs out on the net.
After looking around, this is what I've come up with. Please help me out and correct my mistakes. I have an ASA 5520.
access-list Restrict_SQL extended permit tcp host 10.0.40.153 host "client_IP"
access-list Restrict_SQL extended permit tcp host 10.0.40.153 host "client_IP"
access-list Restrict_SQL extended deny tcp host 10.0.40.153 any
access-group Restrict_SQL out interface inside
08-23-2008 08:56 AM
You need only 2 ACL statements :
access-list Restrict_SQL extended permit tcp host 10.0.40.153 host "client_IP"
access-list Restrict_SQL extended permit tcp host 10.0.40.153 host "client_IP"
The rest of the traffic will be denied implicitly.
And put the ACL either on Inbound Inside or Outbound Outside
access-group Restrict_SQL out interface Outside
or
access-group Restrict_SQL in interface Inside
08-23-2008 09:10 AM
Since it's a cluster, I need to restrict it from 10.0.40.153 and 10.0.40.152, so the total statement would look like this:
access-list Restrict_SQL extended permit tcp host 10.0.40.152 host "client_IP"
access-list Restrict_SQL extended permit tcp host 10.0.40.152 host "client_IP"
access-list Restrict_SQL extended permit tcp host 10.0.40.153 host "client_IP"
access-list Restrict_SQL extended permit tcp host 10.0.40.153 host "client_IP"
access-group Restrict_SQL out interface Outside
I'll use the outbound Outside since I still want the server to be able to talk to the DMZ servers.
Thanks for the quick reply.
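The complete configuration for the final design in this thread, written out as an added example that is not part of the original posts. The object-group names and the client addresses 192.0.2.10 and 192.0.2.20 are assumptions standing in for "client_IP". The line to pay attention to is the closing permit: an ASA ACL ends in an implicit deny, so an outbound ACL on Outside that permits only the cluster's flows would also cut off every other inside host that leaves through that interface.

```cisco
! Added example, not configuration from the thread. Client addresses and
! object-group names are assumptions; the cluster addresses come from the posts.
object-group network SQL_CLUSTER
 network-object host 10.0.40.152
 network-object host 10.0.40.153
object-group network SQL_CLIENTS
 network-object host 192.0.2.10
 network-object host 192.0.2.20
!
! The cluster nodes may reach only the listed clients.
access-list Restrict_SQL extended permit tcp object-group SQL_CLUSTER object-group SQL_CLIENTS
! Explicit deny for the cluster so that blocked attempts show up in syslog and in hit counts.
access-list Restrict_SQL extended deny ip object-group SQL_CLUSTER any log
! Every other inside host keeps its access through Outside. Without this line the
! implicit deny at the end of the ACL would drop all other outbound traffic.
access-list Restrict_SQL extended permit ip any any
!
! Applied outbound on Outside, so cluster traffic to the DMZ is not affected.
access-group Restrict_SQL out interface Outside
```

To verify, `show access-list Restrict_SQL` shows a hit count per line, and `packet-tracer input inside tcp 10.0.40.153 1025 192.0.2.10 1433` followed by the same command with a constructed non-client destination such as 198.51.100.5 should report ALLOW for the first and DROP, at the ACCESS-LIST phase, for the second (1433 and 1025 are arbitrary ports chosen for the check).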