Community Member

simple ACL confusion

Hi All,

I just need to clarify a few simple rules to clear my doubts.

Apparently I have an outside, inside and DMZ interface.

dmz-server = 172.16.10.10

inside-server = 192.168.1.254

I just need 2 simple rules.

1. DMZ-server to access inside-server IP only, and deny anything else Inside

2. DMZ-Server to access internet

1. access-list dmz_access_in line 1 extended permit ip object DMZ-Server object INSIDE-SERVER

2. access-list dmz_access_in line 2 extended permit ip object DMZ-Server any

My objective is for DMZ-server to access only 192.168.1.254 and to be denied to all other inside IPs.

Is my above ACL correct? To me, the second ACL above seems to be overwriting the first rule.

Or am I missing a DENY rule? If so, which order should they be in?

Please advise.

Accepted Solutions
Super Bronze

simple ACL confusion

Hi,

Simply configure the following ACL:

1. access-list dmz_access_in line 1 extended permit ip object DMZ-Server object INSIDE-SERVER

2. access-list dmz_access_in line 2 extended deny ip object DMZ-Server 192.168.1.0 255.255.255.0

3. access-list dmz_access_in line 3 extended permit ip object DMZ-Server any

Assuming the INSIDE network is 192.168.1.0/24.

This will basically do the following:

- Allow traffic from the DMZ server to the INSIDE Server

- Block all other traffic from the DMZ-server to the INSIDE network

- Permit all the rest of the traffic from DMZ-server to any other network (for example to all public IP addresses and other LAN networks if you have any)

- Jouni
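Added example (not from the thread or from Cisco): a small Python first-match evaluator for the ASA-style extended ACEs above. It shows why the two-rule ACL in the question lets the DMZ server reach every inside host (line 2 "permit any" catches everything line 1 did not), while the three-rule ACL from the answer permits only 192.168.1.254 before the explicit deny for 192.168.1.0/24. The object-to-address mapping and the sample destination hosts are constructed from the addresses given in the question; the implicit deny at the end of an ASA ACL is modelled as the fall-through result.

```python
import ipaddress

# Object names from the thread, resolved to the addresses the poster gave (mapping constructed here).
OBJECTS = {"DMZ-Server": "172.16.10.10", "INSIDE-SERVER": "192.168.1.254"}

def _parse_addr(tokens):
    """Consume one ASA address spec: 'any', 'object NAME', 'host A', or 'A MASK'."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "object":
        return ipaddress.ip_network(OBJECTS[tokens.pop(0)])
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0))
    return ipaddress.ip_network(f"{t}/{tokens.pop(0)}")  # network + dotted mask

def parse_ace(line):
    """Parse 'access-list NAME line N extended permit|deny ip SRC DST' into (action, src, dst)."""
    tokens = line.split()
    if tokens[0] != "access-list" or tokens[4] != "extended" or tokens[6] != "ip":
        raise ValueError(f"unsupported ACE: {line}")
    rest = tokens[7:]
    return tokens[5], _parse_addr(rest), _parse_addr(rest)

def evaluate(acl, src_ip, dst_ip):
    """First matching ACE wins; a packet matching no ACE hits the implicit deny at the end."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for line in acl:
        action, s, d = parse_ace(line)
        if src in s and dst in d:
            return action
    return "deny"

POSTED_ACL = [  # the two rules from the question
    "access-list dmz_access_in line 1 extended permit ip object DMZ-Server object INSIDE-SERVER",
    "access-list dmz_access_in line 2 extended permit ip object DMZ-Server any",
]
FIXED_ACL = [  # the three rules from the accepted answer
    "access-list dmz_access_in line 1 extended permit ip object DMZ-Server object INSIDE-SERVER",
    "access-list dmz_access_in line 2 extended deny ip object DMZ-Server 192.168.1.0 255.255.255.0",
    "access-list dmz_access_in line 3 extended permit ip object DMZ-Server any",
]

if __name__ == "__main__":
    # Constructed test destinations: the inside server, another inside host, an internet address.
    for dst in ("192.168.1.254", "192.168.1.50", "203.0.113.7"):
        print(f"DMZ-Server -> {dst}: posted={evaluate(POSTED_ACL, '172.16.10.10', dst)} "
              f"fixed={evaluate(FIXED_ACL, '172.16.10.10', dst)}")
```

The same evaluator also shows that a second DMZ host not covered by the DMZ-Server object falls through every line and is dropped by the implicit deny, which is the behaviour to keep in mind when more hosts are added to the DMZ.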

2 REPLIES
Community Member

simple ACL confusion

Thank you very much!
