Setting up ACL for DMZ

Kristian Leth
Level 1

Hello.

I have an SG300, with 3 networks on it.

A Server net (192.168.2.x - VLAN 1), a DMZ (192.168.3.x - VLAN 12) and a Guest net (192.168.4.x - VLAN 10).

All this works fine, the computers/servers can reach each other - but they are not supposed to :)

When applying these access lists to the Server and DMZ VLANs, all connections go down.

Server:

ip access-list extended Server
permit ip any any

The server net needs full access to the other networks.

DMZ:

ip access-list extended DMZ
permit udp any any 192.168.2.9 0.0.0.0 domain
permit udp any any 192.168.2.10 0.0.0.0 domain
permit tcp any any 192.168.2.15 0.0.0.0 445
permit tcp any any 192.168.2.15 0.0.0.0 137-139
permit udp any any 192.168.2.15 0.0.0.0 137-139
permit tcp any any 192.168.2.19 0.0.0.0 8530

 

 

When trying from an FTP server (192.168.3.10) to telnet to 192.168.2.19 on port 8530 (WSUS), it's not working.

But when removing the ACL from the VLAN, it works perfectly :(

On VLAN 12, I'm using this command:

service-acl input DMZ default-action permit-any

What am I doing wrong?
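As an added example (not part of the original post and not Cisco code), the following Python matcher evaluates a flow against the DMZ entries above in the order they are written and reports the first entry that matches. It assumes the field order seen in the post's ACEs (action, protocol, source, optional source port, destination, optional destination port, with a dotted wildcard after each address), a small service-keyword table in which domain means port 53, and a constructed ephemeral source port for the FTP server. Flows that match no entry get whatever default action the caller passes in, so both a deny-by-default and a permit-any default can be compared.

```python
"""Evaluate IPv4 flows against SG300-style extended ACEs (added example, not Cisco code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Service keywords the parser understands (assumption: 'domain' is port 53 for both TCP and UDP).
SERVICE_PORTS = {"domain": 53, "ftp": 21, "telnet": 23, "http": 80, "https": 443}

Addr = Optional[Tuple[int, int]]  # (address, wildcard) as ints; None means 'any'
Port = Optional[Tuple[int, int]]  # inclusive (low, high); None means 'any'

# The DMZ access list exactly as written in the post.
DMZ_ACL = [
    "permit udp any any 192.168.2.9 0.0.0.0 domain",
    "permit udp any any 192.168.2.10 0.0.0.0 domain",
    "permit tcp any any 192.168.2.15 0.0.0.0 445",
    "permit tcp any any 192.168.2.15 0.0.0.0 137-139",
    "permit udp any any 192.168.2.15 0.0.0.0 137-139",
    "permit tcp any any 192.168.2.19 0.0.0.0 8530",
]


@dataclass
class Ace:
    action: str   # 'permit' or 'deny'
    proto: str    # 'ip' matches every protocol; otherwise 'tcp', 'udp', ...
    src: Addr
    src_port: Port
    dst: Addr
    dst_port: Port
    text: str     # original line, for reporting


def _is_port_token(tok: str) -> bool:
    if tok.isdigit() or tok in SERVICE_PORTS:
        return True
    return "-" in tok and all(p.isdigit() for p in tok.split("-"))


def _parse_port(tok: str) -> Port:
    if tok == "any":
        return None
    if tok in SERVICE_PORTS:
        return (SERVICE_PORTS[tok], SERVICE_PORTS[tok])
    if "-" in tok:
        lo, hi = (int(x) for x in tok.split("-"))
        return (lo, hi)
    return (int(tok), int(tok))


def parse_ace(line: str) -> Ace:
    """Parse 'permit <proto> <src> [<src-port>] <dst> [<dst-port>]' (assumed field order)."""
    toks = line.split()
    action, proto, i = toks[0], toks[1], 2

    def take_addr() -> Addr:
        nonlocal i
        if toks[i] == "any":
            i += 1
            return None
        addr = int(ipaddress.IPv4Address(toks[i]))
        wildcard = int(ipaddress.IPv4Address(toks[i + 1]))
        i += 2
        return (addr, wildcard)

    def take_port() -> Port:
        nonlocal i
        # 'any' counts as a port only when another field follows it; otherwise it is the destination.
        if i < len(toks) and (_is_port_token(toks[i]) or (toks[i] == "any" and i + 1 < len(toks))):
            port = _parse_port(toks[i])
            i += 1
            return port
        return None

    src, src_port = take_addr(), take_port()
    dst, dst_port = take_addr(), take_port()
    return Ace(action, proto, src, src_port, dst, dst_port, line.strip())


def _addr_match(spec: Addr, ip: str) -> bool:
    if spec is None:
        return True
    addr, wildcard = spec  # wildcard bits set to 1 are don't-care bits
    return (int(ipaddress.IPv4Address(ip)) | wildcard) == (addr | wildcard)


def _port_match(spec: Port, port: int) -> bool:
    return spec is None or spec[0] <= port <= spec[1]


def first_match(aces: List[Ace], proto: str, src_ip: str, src_port: int,
                dst_ip: str, dst_port: int) -> Optional[Ace]:
    """Return the first ACE matching the flow, evaluated top to bottom; None if nothing matches."""
    for ace in aces:
        if ace.proto not in ("ip", proto):
            continue
        if (_addr_match(ace.src, src_ip) and _port_match(ace.src_port, src_port)
                and _addr_match(ace.dst, dst_ip) and _port_match(ace.dst_port, dst_port)):
            return ace
    return None


def decide(aces: List[Ace], flow: Tuple[str, str, int, str, int], default_action: str = "deny") -> str:
    """Action for a flow: the matching ACE's action, or default_action when no ACE matches."""
    ace = first_match(aces, *flow)
    return ace.action if ace else default_action


if __name__ == "__main__":
    dmz = [parse_ace(line) for line in DMZ_ACL]
    # Constructed flow from the post: FTP server to WSUS on tcp/8530 (source port 51000 is made up).
    for flow in [("tcp", "192.168.3.10", 51000, "192.168.2.19", 8530),
                 ("tcp", "192.168.3.10", 51000, "192.168.2.19", 22)]:
        hit = first_match(dmz, *flow)
        print(flow, "->", hit.text if hit else "no ACE matched", "/ default-deny:",
              decide(dmz, flow), "/ default-permit:", decide(dmz, flow, "permit"))
```

This only models one access list in one direction; it does not model the switch's own ACE evaluation, hardware rule limits, or the return traffic that enters on the other VLAN, so a match here is a statement about the list as written rather than a diagnosis of the switch.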