Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Router ACL question

Hello,

I'm testing router ACL on PT, the following is interface description:

s0/1/0 connecting to internet

fa0/0 connectin to local lan (192.168.0.0/24)

fa0/1 connectin to DMZ (192.168.0.0/27)

NAT also enabled for overload with lan and nat with DMZ servers for internet access with public IP.

The question is I want to apply ACL with the following description:

1. Internet can't access to local lan, but can access to DMZ servers.

2. Local lan only can access to internet with 80 port and all DMZ servers.

3. DMZ servers can access to internet, but can't access to local lan.

I tried many times to create ACLs, but no luck, please help.

Thanks !!

1 REPLY

Re: Router ACL question

Hi, i think you re looking for something like this:

LAN

ip access-list ext  LAN-2-DMZ-INET-IN

permit tcp any any eq www                     (allow traffic from lan to dmz and inet for www)

ip access-list ext  LAN-2-DMZ-INET-OUT

permit ip any 192.168.0.0 0.0.0.255     (allow only traffic back for 192.168.0.0 but no other traffic from dmz or inet)

interface Fa0/0                                          (apply acl to interface)

ip acces-group LAN-2-DMZ-INET-IN in

ip acces-group LAN-2-DMZ-INET-OUT out

DMZ

ip access-list ext  DMZ-2-INET-IN

deny ip any 192.168.0.0 0.0.0.255                 (deny dmz traffic to lan)

permit ip any any                                              (allow any other traffic)

ip access-list ext  DMZ-2-INET-OUT

permit ip any any (allow any traffic to dmz)

apply to interface

interface Fa0/1

ip access-group DMZ-2-INET-IN in

ip access-group DMZ-2-INET-OUT out

But i see 2 issues:

* I dont understand the overlap 192.168.0.0/24 and 192.168.0.0/27 ? better make it 192.168.1.0/27 or something

** i dont know where the nat overload is performed in the network so had to improvise

282
Views
0
Helpful
1
Replies
CreatePlease to create content