11-16-2011 05:50 AM - edited 03-11-2019 02:51 PM
access-list dmzdot5_access_in extended permit ip object-group DM_INLINE_NETWORK_9 any
access-list dmzdot5_access_in extended permit ip object-group DM_INLINE_NETWORK_19 NonRoutableDMZ 255.255.255.0
object-group network DM_INLINE_NETWORK_9
network-object 192.168.5.0 255.255.255.0
network-object 74.254.111.16 255.255.255.240
object-group network DM_INLINE_NETWORK_19
group-object Saturn_net
group-object Pluto-all-networks
name 192.168.5.0 NonRoutableDMZ
object-group network Saturn_net
network-object 192.168.20.0 255.255.255.0
network-object 192.168.55.0 255.255.255.0
network-object 192.168.9.0 255.255.255.0
object-group network Pluto-all-networks
description Pluto networks
network-object 20.110.208.0 255.255.255.0
network-object 20.110.209.0 255.255.255.0
network-object 20.110.210.0 255.255.255.0
network-object 20.110.211.0 255.255.255.0
network-object 20.110.212.0 255.255.255.0
network-object 20.110.213.0 255.255.255.0
network-object 20.110.214.0 255.255.255.0
network-object 20.110.215.0 255.255.255.0
network-object 20.110.216.0 255.255.255.0
network-object 20.110.217.0 255.255.255.0
network-object vpn_net 255.255.255.0
network-object 172.16.0.0 255.255.0.0
network-object host isf_net
network-object 192.168.50.0 255.255.255.0
access-group dmzdot5_access_in in interface dmzdot5
It seems as if the dmzdot5_access_in access-list is applied in the inbound direction on interface dmzdot5. The dmzdot5 network only has 192.168.5.0/24 on it, with 192.168.5.1 as the default gateway, which is the interface IP of dmzdot5. According to the following, it appears as if all these networks would be in the source IP field in the IP header:
access-list dmzdot5_access_in extended permit ip object-group DM_INLINE_NETWORK_9 any
access-list dmzdot5_access_in extended permit ip object-group DM_INLINE_NETWORK_19 NonRoutableDMZ 255.255.255.0
Would having all these addresses in the source even do anything? I would think it should be from 192.168.5.0 255.255.255.0 to a, b, c, d, e, f (or whatever networks) and not a, b, c, d, e, f (or whatever networks) to 192.168.5.0 255.255.255.0.
11-16-2011 06:19 AM
Hi John,
Whenever you define an object-group in the ACL, it means that if the source IP is any IP defined in the subnets in the object-group, even if any single IP from the defined networks falls under the ACL, it would be allowed.
Let me know if you have any questions.
Thanks,
Varun
11-16-2011 06:52 AM
access-list dmzdot5_access_in extended permit ip object-group DM_INLINE_NETWORK_9 any
access-list dmzdot5_access_in extended permit ip object-group DM_INLINE_NETWORK_19 NonRoutableDMZ 255.255.255.0
I understand object groups, I'm just having trouble understanding this line. From my understanding, it's saying any IP/network under DM_INLINE_NETWORK_9 is allowed to any destination, and any IP/network under DM_INLINE_NETWORK_19 to NonRoutableDMZ 255.255.255.0 is allowed.
This access list is applied in the inbound direction on the dmzdot5 interface. I'm assuming that inbound on the dmzdot5 interface means that if you're on a computer with an IP in the dmzdot5 range, the packets coming to the dmzdot5 interface are in the inbound direction?
11-16-2011 07:12 AM
Absolutely, the direction of the traffic is coming into the dmzdot5 interface. Moreover, the two access-lists don't make sense: on the above ACL you have destination any, which means the second ACL would never be hit.
Hope that helps
Thanks,
Varun
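Varun's two replies above (that an object-group source matches when the packet's source falls in any member, and that the first ACE's destination of any means the second ACE is never hit on dmzdot5) can be checked mechanically. The script below is an added example, not code from the thread or from Cisco: it parses the configuration lines John posted (reproduced verbatim as a constructed string), evaluates an ACL the way the ASA does (first match, implicit deny), and reports which ACEs can never match traffic entering an interface whose only attached subnet is 192.168.5.0/24. The post never resolves the names vpn_net and isf_net, so the placeholder addresses assigned to them here are an assumption; the trailing deny line used to exercise the shadow check is also constructed for illustration.

```python
"""Added example (not from the thread): first-match ACL evaluation and a
dead-ACE check for the dmzdot5_access_in configuration quoted above."""
import ipaddress

# Names the post never resolves; the placeholder addresses are an ASSUMPTION.
NAMES = {"NonRoutableDMZ": "192.168.5.0", "vpn_net": "10.0.0.0", "isf_net": "10.1.1.1"}

# Constructed verbatim from the configuration lines quoted in the thread.
CONFIG = """
object-group network DM_INLINE_NETWORK_9
 network-object 192.168.5.0 255.255.255.0
 network-object 74.254.111.16 255.255.255.240
object-group network DM_INLINE_NETWORK_19
 group-object Saturn_net
 group-object Pluto-all-networks
object-group network Saturn_net
 network-object 192.168.20.0 255.255.255.0
 network-object 192.168.55.0 255.255.255.0
 network-object 192.168.9.0 255.255.255.0
object-group network Pluto-all-networks
 network-object 20.110.208.0 255.255.255.0
 network-object 20.110.209.0 255.255.255.0
 network-object 20.110.210.0 255.255.255.0
 network-object 20.110.211.0 255.255.255.0
 network-object 20.110.212.0 255.255.255.0
 network-object 20.110.213.0 255.255.255.0
 network-object 20.110.214.0 255.255.255.0
 network-object 20.110.215.0 255.255.255.0
 network-object 20.110.216.0 255.255.255.0
 network-object 20.110.217.0 255.255.255.0
 network-object vpn_net 255.255.255.0
 network-object 172.16.0.0 255.255.0.0
 network-object host isf_net
 network-object 192.168.50.0 255.255.255.0
access-list dmzdot5_access_in extended permit ip object-group DM_INLINE_NETWORK_9 any
access-list dmzdot5_access_in extended permit ip object-group DM_INLINE_NETWORK_19 NonRoutableDMZ 255.255.255.0
"""

def net(addr, mask=None):
    addr = NAMES.get(addr, addr)                       # resolve `name` entries
    return ipaddress.ip_network(addr if mask is None else f"{addr}/{mask}")

def parse_addr(toks):
    """Consume one ACE address spec; return (spec, remaining tokens)."""
    if toks[0] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], toks[1:]
    if toks[0] == "object-group":
        return ("group", toks[1]), toks[2:]
    if toks[0] == "host":
        return [net(toks[1])], toks[2:]
    return [net(toks[0], toks[1])], toks[2:]

def parse(config):
    """Return (object-groups, ACEs); an ACE is (action, proto, src, dst)."""
    groups, acl, cur = {}, [], None
    for line in config.strip().splitlines():
        p = line.split()
        if p[0] == "object-group":
            cur = groups.setdefault(p[2], [])
        elif p[0] == "network-object":
            cur.append(net(p[2]) if p[1] == "host" else net(p[1], p[2]))
        elif p[0] == "group-object":
            cur.append(("group", p[1]))                # nested group reference
        elif p[0] == "access-list" and p[2] == "extended":
            src, rest = parse_addr(p[5:])
            dst, _ = parse_addr(rest)
            acl.append((p[3], p[4], src, dst))
    return groups, acl

def expand(groups, spec):
    """Flatten a spec (network list or nested object-group) to a network list."""
    if isinstance(spec, tuple):
        return [n for m in groups[spec[1]] for n in expand(groups, m)]
    return spec if isinstance(spec, list) else [spec]

def evaluate(groups, acl, src, dst):
    """ASA-style first match, implicit deny at the end: (ACE index or None, action)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, (action, _proto, s, d) in enumerate(acl):
        if any(src in n for n in expand(groups, s)) and any(dst in n for n in expand(groups, d)):
            return i, action
    return None, "deny"

def dead_aces(groups, acl, segment):
    """ACEs that can never match a packet sourced from `segment`, the subnet
    attached to the interface the ACL is bound to (inbound direction)."""
    segment, dead = ipaddress.ip_network(segment), {}
    for i, (_a, _p, s, d) in enumerate(acl):
        # part of each source network that can actually appear on this segment
        on_seg = [n if n.prefixlen >= segment.prefixlen else segment
                  for n in expand(groups, s) if n.overlaps(segment)]
        if not on_seg:
            dead[i] = "no source network lies on this segment"
            continue
        for j in range(i):                             # earlier ACE covering src and dst
            s2, d2 = expand(groups, acl[j][2]), expand(groups, acl[j][3])
            if (all(any(m.supernet_of(n) for m in s2) for n in on_seg)
                    and all(any(m.supernet_of(n) for m in d2) for n in expand(groups, d))):
                dead[i] = f"shadowed by ACE {j}"
                break
    return dead
```

With `groups, acl = parse(CONFIG)`, `evaluate(groups, acl, "192.168.5.10", "8.8.8.8")` returns `(0, "permit")`, and a host on the segment talking to NonRoutableDMZ itself, `evaluate(groups, acl, "192.168.5.10", "192.168.5.20")`, also lands on ACE 0 because of the `any` destination. `evaluate(groups, acl, "192.168.20.7", "192.168.5.10")` does hit ACE 1 on paper, which is the object-group semantics from the first reply, but `dead_aces(groups, acl, "192.168.5.0/24")` reports ACE 1 as unreachable because none of its sources lie on the dmzdot5 segment. Appending a constructed `deny ip host 192.168.5.10 any` after the permit shows the other failure mode: it is reported as shadowed by ACE 0. The check only considers the attached subnet as a possible source, so it says nothing about spoofed sources; that is a separate control.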
11-16-2011 07:44 AM
Yeah, the second ACL makes no sense at all. It's basically saying if all these networks are the source IP.... which would never be, considering the network range for hosts on that network is 192.168.5.0/24....
I got another quick question. Let's say, in theory, I am on a network with a higher security-level than dmzdot5, and the traffic is initiated to, let's say, a server. I could put a deny any any in the inbound direction on dmzdot5 and traffic would still get through, since the traffic was not sourced from any computer inside 192.168.5.0 but was sourced from an interface with a higher security level?