outside host to DMZ

Block an internet host from reaching the DMZ. Is this correct?

access-list dmz_acl extended deny ip host x.x.x.x any

access-list dmz_acl permit ip any any

access-group dmz_acl in interface dmz

If I want to block host x.x.x.x's FTP traffic to the DMZ:

access-list dmz_acl deny host x.x.x.x any eq 21

access-list dmz_acl permit ip any any

access-group dmz_acl in interface dmz

Please correct me if I'm wrong.

4 REPLIES
Re: outside host to DMZ

Not sure if I understand your question correctly. Are you trying to block a host in the DMZ from going to the Internet? If so, your commands are OK.

But for FTP, your commands didn't specify the protocol type; in this case it is TCP. It should go like this (the commands below only block FTP traffic from host x.x.x.x, allowing anything else):

access-list dmz_acl deny tcp host x.x.x.x any eq 21

access-list dmz_acl deny tcp host x.x.x.x any eq 20

access-list dmz_acl permit ip any any

access-group dmz_acl in interface dmz

Re: outside host to DMZ

Block an outside host from accessing the DMZ network.

Outside host means a host on the Internet.

Re: outside host to DMZ

Oh. Then this is wrong. Let's assume some IP addresses here first. If your DMZ server's real IP address is 192.168.10.10 and its NATted public IP is 12.12.12.12, and the host on the Internet you want to block has the IP 33.33.33.33, the following will block all access from the internet host 33.33.33.33 to your DMZ server 12.12.12.12 (192.168.10.10). (Only the necessary commands are shown.)

interface Ethernet0/0

nameif outside

security-level 0

ip address 12.12.12.2 255.255.255.0

!

interface Ethernet0/1

nameif dmz

security-level 50

ip address 192.168.10.1 255.255.255.0

!

static (dmz,outside) 12.12.12.12 192.168.10.10 netmask 255.255.255.255

!

access-list outside_acl_in extended deny ip host 33.33.33.33 host 12.12.12.12

!

access-group outside_acl_in in interface outside

!

For FTP, use this ACL:

access-list outside_acl_in extended deny tcp host 33.33.33.33 host 12.12.12.12 eq ftp

Re: outside host to DMZ

If I do this, host 33.33.33.33 is completely blocked for any kind of traffic destined to the inside or the DMZ. Is that right?

access-list outside_acl deny ip host 33.33.33.33 any
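The following is an added example, not code from the thread or from Cisco: a small Python model of how the ASA evaluates an extended access-list applied with access-group ... in on an interface. It illustrates the third reply's configuration and the question in the last post: entries are checked top down, the first match wins, and anything left unmatched hits the implicit deny at the end of every ASA ACL. Two caveats a practitioner would want are visible in the model. First, the outside_acl_in shown in the reply contains only a deny entry, so as posted it also drops every other inbound connection to the DMZ server; the permit for the services you actually expose must follow the deny, and if it came first the deny would never match. Second, the reply uses the pre-8.3 static (dmz,outside) form, where the ACL on the outside interface is written against the translated address 12.12.12.12; on ASA 8.3 and later the ACL would reference the real address 192.168.10.10 instead. The addresses come from the thread; 12.12.12.20 (a mapped address for an inside host) and the packets are constructed for the example.

```python
# Added example (not from the thread): first-match evaluation of an ASA
# extended access-list with the implicit deny at the end. Pre-8.3 form is
# assumed, so ACLs name the translated (NAT) address 12.12.12.12.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional

PORT_NAMES = {"ftp-data": 20, "ftp": 21, "ssh": 22, "www": 80, "https": 443}
PROTOCOLS = {"ip", "tcp", "udp", "icmp"}


@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int]        # destination port from "eq PORT", or None


def _address(toks, i):
    """Consume one ASA address spec: any | host A.B.C.D | A.B.C.D MASK."""
    if toks[i] == "any":
        return IPv4Network("0.0.0.0/0"), i + 1
    if toks[i] == "host":
        return IPv4Network(toks[i + 1] + "/32"), i + 2
    return IPv4Network((toks[i], toks[i + 1]), strict=False), i + 2


def parse_ace(line: str) -> Ace:
    """Parse: access-list NAME [extended] {permit|deny} PROTO SRC DST [eq PORT]."""
    toks = line.split()
    if toks[0] != "access-list":
        raise ValueError("not an access-list line: " + line)
    i = 3 if toks[2] == "extended" else 2
    action, proto = toks[i], toks[i + 1]
    if action not in ("permit", "deny"):
        raise ValueError("bad action: " + action)
    if proto not in PROTOCOLS:
        # The original post's "deny host x.x.x.x any eq 21" fails here:
        # the protocol keyword (tcp) is missing, as the first reply notes.
        raise ValueError("missing or unknown protocol '%s' in: %s" % (proto, line))
    src, i = _address(toks, i + 2)
    dst, i = _address(toks, i)
    dport = None
    if i < len(toks) and toks[i] == "eq":
        if proto not in ("tcp", "udp"):
            raise ValueError("port match needs tcp or udp: " + line)
        dport = PORT_NAMES.get(toks[i + 1]) or int(toks[i + 1])
    return Ace(action, proto, src, dst, dport)


def parse_acl(lines: List[str]) -> List[Ace]:
    return [parse_ace(line) for line in lines]


def validates(line: str) -> bool:
    """True if the line parses as a well-formed extended ACE."""
    try:
        parse_ace(line)
        return True
    except (ValueError, IndexError):
        return False


def _matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if IPv4Address(pkt.src) not in ace.src or IPv4Address(pkt.dst) not in ace.dst:
        return False
    return ace.dport is None or ace.dport == pkt.dport


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for ace in acl:
        if _matches(ace, pkt):
            return ace.action
    return "deny"


# The third reply's ACL exactly as posted: one deny, no permit.
AS_POSTED = parse_acl([
    "access-list outside_acl_in extended deny ip host 33.33.33.33 host 12.12.12.12",
])
# The FTP variant with the permit the DMZ service needs, placed after the deny.
WITH_PERMIT = parse_acl([
    "access-list outside_acl_in extended deny tcp host 33.33.33.33 host 12.12.12.12 eq ftp",
    "access-list outside_acl_in extended permit tcp any host 12.12.12.12 eq ftp",
])
# Same two entries in the wrong order: the permit shadows the deny.
WRONG_ORDER = list(reversed(WITH_PERMIT))
# The last post's line, followed by a permit for the DMZ web service.
DENY_ALL_FROM_HOST = parse_acl([
    "access-list outside_acl deny ip host 33.33.33.33 any",
    "access-list outside_acl permit tcp any host 12.12.12.12 eq www",
])

# Constructed test traffic; 12.12.12.20 stands for an inside host's mapped address.
BLOCKED_FTP = Packet("tcp", "33.33.33.33", "12.12.12.12", 21)
OTHER_FTP = Packet("tcp", "44.44.44.44", "12.12.12.12", 21)
BLOCKED_WEB = Packet("tcp", "33.33.33.33", "12.12.12.12", 80)
OTHER_WEB = Packet("tcp", "44.44.44.44", "12.12.12.12", 80)
BLOCKED_INSIDE = Packet("tcp", "33.33.33.33", "12.12.12.20", 80)
BLOCKED_PING = Packet("icmp", "33.33.33.33", "12.12.12.12")
```

Running evaluate over the constructed packets shows the points above: AS_POSTED denies the blocked host, but because it has no permit it also denies OTHER_FTP through the implicit deny; WITH_PERMIT denies BLOCKED_FTP and permits OTHER_FTP, while WRONG_ORDER permits BLOCKED_FTP because the permit is hit first; DENY_ALL_FROM_HOST drops everything from 33.33.33.33 whatever the destination or protocol, which answers the last post's question, and validates() rejects the original post's line that lacks a protocol keyword.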
