06-23-2003 04:53 PM - edited 03-02-2019 08:21 AM
Hi, I've just put my new web server into the DMZ zone and allowed only HTTP, FTP (from internal) and echo access into it, but I'm still confused between in and out ACLs. Now I am not able to update or browse from this server.
They seem OK to me, since I am the one who wrote these ACLs.
ACL 102 is applied on f0/1 (out), and 103 on f0/1 (in).
Many thanks for any suggestions and help.
access-list 102 permit tcp any host ip.of.web.srv established
access-list 102 permit tcp any host ip.of.web.srv eq www
access-list 102 permit icmp any host ip.of.web.srv echo
access-list 102 permit tcp internal.local.net net_mask gt 1023 host ip.of.web.srv eq ftp
access-list 103 permit tcp host ip.of.web.srv any established
access-list 103 permit tcp host ip.of.web.srv gt 1023 any eq www
access-list 103 permit tcp host ip.of.web.srv gt 1023 any eq ftp
access-list 103 permit icmp host ip.of.web.srv any echo-reply
access-list 103 permit tcp host ip.of.web.srv gt 1023 any eq domain
access-list 103 permit udp host ip.of.web.srv gt 1023 any eq domain
Best regards,
b.go
06-24-2003 07:55 AM
Regarding the "unable to update FTP" issue, it looks like your access-lists should have the command/control connection set up OK, but I see no provisions for the data connection. The data connection can be either Active FTP or Passive FTP.
Here are some lines that should work for you, to allow users on your internal.local.net to update your ip.of.web.srv using FTP:
! For command/control connection
access-list 102 permit tcp internal.local.net net_mask gt 1023 host ip.of.web.srv eq ftp
! for ACTIVE FTP data connection
access-list 102 permit tcp internal.local.net net_mask gt 1023 host ip.of.web.srv eq ftp-data established
! for PASSIVE FTP data connection
access-list 102 permit tcp internal.local.net net_mask gt 1023 host ip.of.web.srv gt 1023
! for command/control connection
access-list 103 permit tcp host ip.of.web.srv eq ftp any gt 1023 established
! for ACTIVE FTP data connection
access-list 103 permit tcp host ip.of.web.srv eq ftp-data any gt 1023
! for PASSIVE FTP data connection
access-list 103 permit tcp host ip.of.web.srv gt 1023 any gt 1023 established
Regarding the "unable to browse from this server" issue, it looks like your access-list 102 does not allow UDP-based DNS Server replies back to your machine. UDP is what's generally used for client-to-DNS-Server address resolution requests. Try these:
access-list 102 permit udp any eq domain host ip.of.web.srv gt 1023
access-list 103 permit udp host ip.of.web.srv gt 1023 any eq domain
Hope this helps.
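To make the reasoning in this answer concrete, here is an added example (not from the thread) that simulates first-match evaluation of access-list 102 before and after the suggested lines are added, using constructed addresses in place of ip.of.web.srv and internal.local.net. It assumes a simplified model of the "established" keyword (matches only segments with ACK set) and leaves out the ICMP entries.

```python
# Added example (not from the thread): a tiny first-match evaluator for the
# IOS extended ACL entries discussed above. All addresses are constructed.
import ipaddress

WEB = "192.0.2.10"          # stands in for ip.of.web.srv (constructed)
LAN = "10.0.0.0/24"         # stands in for internal.local.net net_mask (constructed)

def _net(s):
    return ipaddress.ip_network("0.0.0.0/0" if s == "any" else s, strict=False)

def _port_ok(cond, port):
    # cond is None (any port), ("eq", n) or ("gt", n), mirroring the ACL keywords
    if cond is None:
        return True
    op, n = cond
    return port == n if op == "eq" else port > n

def evaluate(acl, pkt):
    """Return 'permit' on the first matching entry, else the implicit deny."""
    for e in acl:
        if e["proto"] != pkt["proto"]: continue
        if ipaddress.ip_address(pkt["src"]) not in _net(e["src"]): continue
        if ipaddress.ip_address(pkt["dst"]) not in _net(e["dst"]): continue
        if not _port_ok(e["sport"], pkt["sport"]): continue
        if not _port_ok(e["dport"], pkt["dport"]): continue
        # simplified 'established': only TCP segments carrying ACK match
        if e["established"] and not pkt.get("ack"): continue
        return "permit"
    return "deny"

def entry(proto, src, dst, sport=None, dport=None, established=False):
    return dict(proto=proto, src=src, dst=dst, sport=sport, dport=dport, established=established)

# access-list 102 as originally posted (outbound toward the server; ICMP line omitted)
ACL102_ORIG = [
    entry("tcp", "any", WEB, established=True),
    entry("tcp", "any", WEB, dport=("eq", 80)),
    entry("tcp", LAN, WEB, sport=("gt", 1023), dport=("eq", 21)),
]
# access-list 102 with the FTP data and DNS reply lines from this answer appended
ACL102_FIXED = ACL102_ORIG + [
    entry("tcp", LAN, WEB, sport=("gt", 1023), dport=("eq", 20), established=True),
    entry("tcp", LAN, WEB, sport=("gt", 1023), dport=("gt", 1023)),
    entry("udp", "any", WEB, sport=("eq", 53), dport=("gt", 1023)),
]

# Constructed packets: a passive-FTP data SYN from a LAN client, and a DNS reply
PASV_DATA_SYN = dict(proto="tcp", src="10.0.0.5", sport=40000, dst=WEB, dport=50001, ack=False)
DNS_REPLY = dict(proto="udp", src="198.51.100.53", sport=53, dst=WEB, dport=33000)

def compare(pkt):
    """(result under the original list, result under the amended list)"""
    return evaluate(ACL102_ORIG, pkt), evaluate(ACL102_FIXED, pkt)
```

Both constructed packets are dropped by the implicit deny of the original list and permitted once the answer's lines are appended, which matches the two symptoms reported in the question.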
06-26-2003 02:53 AM
Hi, many thanks for your help.
I'll need to study this further; I'm still a little bit confused about the command/control connection for FTP. All of these work perfectly.
Thank you.
Best regards,
b.go