

Access-list for DMZ on bridged 3725 routeur

Hi all,

I have a xxx.xxx.xxx.224/29 subnet from my ISP.

xxx.xxx.xxx.225 is used by the DSL modem.

xxx.xxx.xxx.226 is used by the bridge interface on the Cisco 3725, and xxx.xxx.xxx.227-229 are used by PCs.

Cisco 3725 configuration:

!
bridge irb
!
interface BVI29
 ip address xxx.xxx.xxx.226 255.255.255.248
 ip access-group 150 in
 no ip redirects
 ip nat outside
!
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.225
bridge 29 protocol ieee
bridge 29 route ip
!

Here is my access-list, applied inbound on the bridge interface:

!
! DOMAIN (permit dmz host to dns server)
access-list 150 permit udp host xxx.xxx.xxx.227 any eq 53
!
! HTTP (permit dmz host to http servers)
access-list 150 permit tcp host xxx.xxx.xxx.227 any eq 80
! (permit any to my http server)
access-list 150 permit tcp host xxx.xxx.xxx.227 eq 80 any
!
! HTTPS (permit dmz host to https servers)
access-list 150 permit tcp host xxx.xxx.xxx.227 any eq 443
!
access-list 150 deny ip any any log

My problem is that all UDP packets from the internet to any DMZ host are permitted?!

Can someone help?


Re: Access-list for DMZ on bridged 3725 routeur

I'm not sure of the question, but I think you are saying that UDP traffic is getting through to all hosts? No. UDP traffic is getting through to your DNS server, but the access-list 150 deny ip statement will block all traffic not specifically allowed by the permit statements.

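As an added illustration, not part of the original thread or of Cisco's own tooling, the following Python script evaluates the posted access-list with IOS first-match and implicit-deny semantics against a few constructed packets, so you can see which direction each entry actually matches. It substitutes the documentation range 203.0.113.224/29 for the masked xxx.xxx.xxx.224/29, models only `any`/`host` endpoints with `eq` ports, and does not model where on the router the ACL is applied.

```python
import ipaddress

# Constructed placeholders: the post masks its block as xxx.xxx.xxx.224/29,
# so 203.0.113.224/29 (TEST-NET-3) stands in for it; 198.51.100.0/24 plays
# "the internet". None of these are real addresses.
DMZ_HOST = "203.0.113.227"

# The access-list exactly as posted, with the masked octets substituted.
ACL_150 = """
access-list 150 permit udp host 203.0.113.227 any eq 53
access-list 150 permit tcp host 203.0.113.227 any eq 80
access-list 150 permit tcp host 203.0.113.227 eq 80 any
access-list 150 permit tcp host 203.0.113.227 any eq 443
access-list 150 deny ip any any log
"""

def _endpoint(tokens):
    """Consume one IOS endpoint spec ('any' or 'host A') plus optional 'eq PORT'."""
    kind = tokens.pop(0)
    if kind == "any":
        net = ipaddress.ip_network("0.0.0.0/0")
    elif kind == "host":
        net = ipaddress.ip_network(tokens.pop(0) + "/32")
    else:
        raise ValueError("only 'any' and 'host' endpoints are modelled: " + kind)
    port = None
    if tokens and tokens[0] == "eq":
        port = int(tokens[1])
        del tokens[:2]
    return net, port

def parse_acl(text):
    """Parse 'access-list N permit|deny PROTO SRC [eq P] DST [eq P] [log]' lines."""
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[:1] == ["access-list"]:
            action, proto, rest = tokens[2], tokens[3], tokens[4:]
            src, sport = _endpoint(rest)   # source address/port come first...
            dst, dport = _endpoint(rest)   # ...then destination address/port
            rules.append((action, proto, src, sport, dst, dport))
    return rules

def evaluate(rules, proto, src, sport, dst, dport):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, snet, sp, dnet, dp in rules:
        if p not in ("ip", proto) or src not in snet or dst not in dnet:
            continue
        if (sp is not None and sp != sport) or (dp is not None and dp != dport):
            continue
        return action
    return "deny"

RULES = parse_acl(ACL_150)
```

Note that every entry except the final deny names the DMZ host as the *source*, so a packet arriving from the internet with the DMZ host as destination (for example a DNS reply, UDP source port 53) falls through to `deny ip any any`; only traffic sourced from .227 is permitted.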