
Router ACL question


I'm testing router ACLs on PT; the following is the interface description:

s0/1/0 connecting to the internet

fa0/0 connecting to the local LAN (

fa0/1 connecting to the DMZ (

NAT is also enabled, with overload for the LAN and NAT with public IPs for the DMZ servers' internet access.

The question is, I want to apply ACLs with the following description:

1. The internet can't access the local LAN, but can access the DMZ servers.

2. The local LAN can only access the internet on port 80, and all DMZ servers.

3. DMZ servers can access the internet, but can't access the local LAN.

I tried many times to create the ACLs, but no luck; please help.

Thanks !!


Re: Router ACL question

Hi, I think you're looking for something like this:


ip access-list ext LAN-2-DMZ-INET-IN
 permit tcp any any eq www          (allow traffic from LAN to DMZ and internet for www)
ip access-list ext LAN-2-DMZ-INET-OUT
 permit ip any                      (allow only traffic back for but no other traffic from DMZ or internet)

interface Fa0/0                     (apply ACLs to interface)
 ip access-group LAN-2-DMZ-INET-IN in
 ip access-group LAN-2-DMZ-INET-OUT out

ip access-list ext DMZ-2-INET-IN
 deny ip any                        (deny DMZ traffic to LAN)
 permit ip any any                  (allow any other traffic)
ip access-list ext DMZ-2-INET-OUT
 permit ip any any                  (allow any traffic to DMZ)

interface Fa0/1                     (apply ACLs to interface)
 ip access-group DMZ-2-INET-IN in
 ip access-group DMZ-2-INET-OUT out

But I see 2 issues:

* I don't understand the overlap and ? better make it or something

* I don't know where the NAT overload is performed in the network, so I had to improvise.
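As an added illustration (not part of the reply above, and not IOS configuration), a small Python model of IOS first-match ACL evaluation with constructed LAN, DMZ and public NAT addresses, since the post's own subnets were cut off. The three inbound ACLs are an assumed design that meets the poster's three requirements on the router's inbound interfaces, and the checks show why a stateless ACL needs an `established` entry for return traffic and why the outside-interface ACL has to match public (pre-NAT) addresses.

```python
import ipaddress as ip

# Constructed addressing; the original post's LAN and DMZ subnets were cut off.
LAN, DMZ, ANY = ip.ip_network("10.0.0.0/24"), ip.ip_network("192.168.100.0/24"), ip.ip_network("0.0.0.0/0")
PUBLIC_DMZ = ip.ip_network("203.0.113.16/28")  # static NAT addresses of the DMZ servers (constructed)
PUBLIC_NAT = ip.ip_network("203.0.113.1/32")   # overload address used by the LAN (constructed)

def ace(action, proto, src, dst, dport=None, established=False):
    """One access-list entry; 'established' matches only TCP segments with ACK or RST set."""
    return (action, proto, src, dst, dport, established)

def evaluate(acl, proto, src, dst, dport=None, ack=False):
    """IOS semantics: the first matching entry wins; anything unmatched hits the implicit deny."""
    src, dst = ip.ip_address(src), ip.ip_address(dst)
    for action, p, s, d, port, est in acl:
        if (p != "ip" and p != proto) or src not in s or dst not in d:
            continue
        if (port is not None and dport != port) or (est and not (proto == "tcp" and ack)):
            continue
        return action
    return "deny"

# Inbound ACLs, i.e. traffic entering the router from each segment (assumed design, not the reply's).
LAN_IN = [                                           # fa0/0 in: requirement 2
    ace("permit", "tcp", LAN, ANY, dport=80),
    ace("permit", "ip", LAN, DMZ),
]
DMZ_IN = [                                           # fa0/1 in: requirement 3
    ace("permit", "tcp", DMZ, LAN, established=True),  # TCP replies to LAN-initiated sessions only
    ace("deny", "ip", DMZ, LAN),
    ace("permit", "ip", DMZ, ANY),
]
INET_IN = [                                          # s0/1/0 in: requirement 1; evaluated before NAT,
    ace("permit", "ip", ANY, PUBLIC_DMZ),            # so it must match public, not inside, addresses
    ace("permit", "tcp", ANY, PUBLIC_NAT, established=True),  # replies to LAN web sessions
]

def check_policy():
    """The poster's three requirements plus two return-traffic cases; True means permitted."""
    return {
        "inet_to_lan": evaluate(INET_IN, "tcp", "198.51.100.7", "203.0.113.1", 22) == "permit",
        "inet_to_dmz": evaluate(INET_IN, "tcp", "198.51.100.7", "203.0.113.20", 443) == "permit",
        "lan_web": evaluate(LAN_IN, "tcp", "10.0.0.5", "198.51.100.7", 80) == "permit",
        "lan_other_inet": evaluate(LAN_IN, "tcp", "10.0.0.5", "198.51.100.7", 443) == "permit",
        "lan_to_dmz": evaluate(LAN_IN, "udp", "10.0.0.5", "192.168.100.10", 53) == "permit",
        "dmz_to_lan": evaluate(DMZ_IN, "tcp", "192.168.100.10", "10.0.0.5", 445) == "permit",
        "dmz_tcp_reply_to_lan": evaluate(DMZ_IN, "tcp", "192.168.100.10", "10.0.0.5", 50000, ack=True) == "permit",
        "dmz_udp_reply_to_lan": evaluate(DMZ_IN, "udp", "192.168.100.10", "10.0.0.5", 50000) == "permit",
    }
```

The last check comes out False on purpose: `established` only covers TCP, so UDP replies from the DMZ to LAN-initiated requests are dropped by a stateless ACL, which is a case the reply's "deny DMZ traffic to LAN" entry also hits.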
