Hello. We have 2 Cisco 5520s that we are going to use to replace our PIX 515s. We are running the boxes in routed single-context mode in an active/standby failover. We have four interfaces: outside (security 0), inside (security 100), dmz (security 50), and management (security 100).
So far I have configured dynamic NAT for the inside and management interfaces (we will have some hosts on this subnet). What I want to do next is configure the ACLs, and I'm very confused on how to go about it. We want to permit HTTPS, FTP, POP3, SMTP, and WWW to come into the network from the outside. I do have some static NATs configured for each of these protocols. I will be translating them to an IP address inside the DMZ, of course.
Am I correct in assuming I need to apply inbound access lists on the outside interface permitting https, www, ftp, pop3, and smtp? If so, what do I configure next to allow this protocol-specific traffic to enter the dmz interface and talk to the servers?
Also, for hosts on the inside and management interfaces, since their security level is 100, they should be able to access the outside to get to the internet by default, correct? Or do I need to specifically allow that as well with an ACL?
If you are just wanting to allow traffic initiated from outside into your DMZ for HTTP, FTP, etc., and not allow your servers in your DMZ to initiate traffic to anything, then you'll apply an ACL on your outside interface allowing that traffic in. You would then apply an ACL on your DMZ interface that denies all traffic.
!each entry needs the protocol (tcp) before the source; x.x.x.x is the DMZ server's address as the ACL sees it
access-list outside_in extended permit tcp any host x.x.x.x eq http
access-list outside_in extended permit tcp any host x.x.x.x eq https
access-list outside_in extended permit tcp any host x.x.x.x eq ftp
access-list outside_in extended permit tcp any host x.x.x.x eq smtp
access-list outside_in extended permit tcp any host x.x.x.x eq pop3
!apply this acl now to the outside
access-group outside_in in interface outside
!now create your deny acl
access-list deny-all extended deny ip any any
!apply this acl to the DMZ interface (the name must match the nameif exactly)
access-group deny-all in interface DMZ
Now, the reason this works is that the firewall is stateful and acts like a reflexive access list: when traffic is allowed in on the outside interface and dropped onto the DMZ, state is recorded for that session, so that when return traffic is seen it is allowed out.
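To illustrate the stateful behaviour the reply describes, here is an added Python model (not from this thread and not ASA code): interface ACLs are consulted only for the first packet of a flow, and the connection table, not the DMZ deny-all ACL, decides what happens to return traffic. The server and client addresses are constructed placeholders.

```python
from dataclasses import dataclass, field

# Constructed placeholder addresses for the static-NAT'd DMZ servers (not real).
WEB_SERVER = "10.10.50.10"
MAIL_SERVER = "10.10.50.20"
# The outside_in ACL as a set of (proto, dst host, dst port) entries to permit.
OUTSIDE_IN = {("tcp", WEB_SERVER, 80), ("tcp", WEB_SERVER, 443), ("tcp", MAIL_SERVER, 25)}

@dataclass
class StatefulFirewall:
    acls: dict                               # ingress interface -> permit predicate
    conns: set = field(default_factory=set)  # established flows as 5-tuples

    def process(self, ingress_if, proto, src, sport, dst, dport, initial):
        """Forward (True) or drop (False) one packet. 'initial' marks the
        first packet of a new TCP connection (a bare SYN)."""
        fwd = (proto, src, sport, dst, dport)
        rev = (proto, dst, dport, src, sport)
        # Packets of a recorded session never consult the interface ACL.
        if fwd in self.conns or rev in self.conns:
            return True
        # A mid-stream packet with no matching state is dropped.
        if not initial:
            return False
        # Only the first packet of a flow is checked against the ingress ACL.
        if self.acls[ingress_if](proto, dst, dport):
            self.conns.add(fwd)
            return True
        return False

def build_firewall():
    return StatefulFirewall({
        "outside": lambda proto, dst, dport: (proto, dst, dport) in OUTSIDE_IN,
        "dmz": lambda proto, dst, dport: False,   # access-list deny-all
    })

def demo():
    fw = build_firewall()
    client = "203.0.113.5"   # constructed Internet client address
    return {
        # HTTP from the Internet to the web server matches outside_in
        "client_http": fw.process("outside", "tcp", client, 40000, WEB_SERVER, 80, True),
        # the server's reply enters on dmz: deny-all ACL, but the state entry matches
        "server_reply": fw.process("dmz", "tcp", WEB_SERVER, 80, client, 40000, False),
        # the server opening its own connection outward is dropped by deny-all
        "dmz_initiated": fw.process("dmz", "tcp", WEB_SERVER, 50000, "198.51.100.9", 80, True),
        # a port not listed in outside_in is dropped on the outside interface
        "client_telnet": fw.process("outside", "tcp", client, 40001, WEB_SERVER, 23, True),
    }
```

A real ASA also involves xlate entries, TCP state checks and protocol inspection (FTP, for instance, relies on inspect ftp to open its data channel); the model keeps only the ACL-versus-state decision.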