I have below case:
ip address 10.20.28.1 255.255.252.0
ip nat inside
interface Serial0/0.3 point-to-point
ip address <real_ip> 255.255.255.192
ip nat outside
frame-relay interface-dlci 404
ip address real 255.255.255.192
to allow only telnet from INTERNET to DMZ.
to allow ALL traffic from DMZ and INTRANET to INTERNET.
Please, help me with ACL rules...
I think (I just started with my CCNA)
access-list 101 permit tcp 0.0.0.0 255.255.255.255 your.?.ser.ver 0.0.0.0 eq 23
RouterA(config)#ip nat inside source list 1 interface [interface to the internet] overload
RouterA(config)#access-list 1 permit any
You can use an EXTENDED ACL to permit only the telnet traffic and attach it to the outbound direction on the serial interface.
access-list 101 permit tcp
int s 0/0.3
ip access-group 101 in
This should help you.
This might create some problems. If you apply this inbound on the serial interface you have in fact denied all other traffic other than telnet to the DMZ. This is probably not what is intended.
What might be a better solution is to apply your access-list on the DMZ interface in an outbound direction which would not interfere with the main traffic flow.
That is why I asked whether the poster wanted the intranet clients to be able to talk to the DMZ servers.
We can speculate on what he wanted, but the solution was given to the question that he asked. If anyone is asking a question that might have production impact, I would hope they would state that in the question.
I wasn't speculating on what he wanted and the answer given was not a solution to his problem.
The second part of the problem states that he wants to allow all traffic from the DMZ and the intranet out to the internet.
Now if you apply the access-list given on the serial interface in an inbound direction that would block ANY return traffic from the internet. The access-list is not stateful.
The post is not about Amit's requirements. Amit and yourself supplied an answer that did not meet the requirements of the original poster. There is some confusion over Amit's answer in that he talks about applying the acl outbound but the config shows it being applied inbound.
I have posted incorrect or misleading posts before and am the first to accept if I have made a mistake. The issue is really to make sure the user doesn't do something that breaks his network.
So I still can't see how it is speculation. The requirements are quite plain.
My bad, I meant the requirements of the original poster, not Amit. I admit that the answer given won't solve his entire requirement but I think more info is needed. I only read part of the message before I replied. I guess I've been away from the lab too long.
And I just got out of a very long, boring and, most importantly, non-technical meeting, so I wasn't in the best frame of mind.
Apologies if I came on a bit strong. No offense intended.
Do you want to allow anybody from your intranet to access the DMZ servers, or do you just want people on the internet to have access to the DMZ with telnet?
This makes a difference in the access-list.
Thanks everyone. Let me clarify.
Telnet was just an example. In fact I need this:
1) ALL traffic from INTRANET to DMZ and INTERNET
2) ALL traffic from DMZ to INTERNET
3) SNMP and SNMPTRAPS from DMZ to INTRANET
4) ECHO, FTP, SSH, SMTP, DNS, TFTP, HTTP, POP3, NNTP, NTP, SNMP, SNMPTRAPS, HTTPS, SECURE POP3 from INTERNET to DMZ
and I want to use the following ACL (correct me if I'm wrong):
interface serial 0/0.3
ip access-group 120 in
access-list 120 permit tcp any any eq echo
access-list 120 permit udp any any eq echo
access-list 120 permit tcp any any eq ftp
access-list 120 permit tcp any any eq ftp-data established
access-list 120 permit tcp any any eq 22
access-list 120 permit tcp any any eq smtp
access-list 120 permit tcp any any eq domain
access-list 120 permit udp any any eq domain
access-list 120 permit udp any any eq tftp
access-list 120 permit tcp any any eq www
access-list 120 permit tcp any any eq pop3
access-list 120 permit tcp any any eq nntp
access-list 120 permit tcp any any eq 123
access-list 120 permit udp any any eq snmp
access-list 120 permit udp any any eq snmptrap
access-list 120 permit udp any any eq ntp
access-list 120 permit tcp any any eq 443
access-list 120 permit tcp any any eq 995
access-list 120 permit tcp any any eq telnet
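The two points raised in this thread, that an interface ACL is stateless so an inbound list on the serial interface drops the replies to sessions the intranet opened, and that `any any` rules also match the router's own outside address rather than only the DMZ, can be checked without a router. The Python below is an added example, not code from the thread or from Cisco: it parses the numbered extended ACL syntax used above (a subset: `any`, `host`, wildcard masks, `eq PORT`, `established`) and evaluates constructed packets first-match-wins with the implicit deny. The addresses (`192.0.2.10` for the DMZ server, `192.0.2.1` for the router's outside/NAT address, `203.0.113.5` and `198.51.100.20` for internet hosts) are constructed from the RFC 5737 documentation ranges; the thread never gives the real ones.

```python
"""Stateless evaluation of Cisco-style extended ACL lines (added example, not
from the thread). Grammar handled:
  access-list N permit|deny tcp|udp|ip SRC [eq PORT] DST [eq PORT] [established]
where SRC/DST is 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'.
"""
import ipaddress

# IOS port keywords accepted here (subset)
PORT_NAMES = {"echo": 7, "ftp-data": 20, "ftp": 21, "telnet": 23, "smtp": 25,
              "domain": 53, "tftp": 69, "www": 80, "pop3": 110, "nntp": 119,
              "ntp": 123, "snmp": 161, "snmptrap": 162}


def _parse_addr(tokens):
    """Consume one address spec and return an ip_network."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = int(ipaddress.ip_address(tokens.pop(0)))
    netmask = ipaddress.ip_address(0xFFFFFFFF ^ wildcard)  # invert wildcard mask
    return ipaddress.ip_network(f"{t}/{netmask}", strict=False)


def _parse_port(tokens):
    """Consume an optional 'eq PORT' qualifier; return the port number or None."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        p = tokens.pop(0)
        return PORT_NAMES[p] if p in PORT_NAMES else int(p)
    return None


def parse_acl(lines):
    """Turn 'access-list N permit ...' lines into ordered rule dicts."""
    rules = []
    for line in lines:
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list":
            continue  # skip anything that is not an ACL entry
        rest = tok[4:]
        rule = {"action": tok[2], "proto": tok[3]}
        rule["src"] = _parse_addr(rest)
        rule["sport"] = _parse_port(rest)
        rule["dst"] = _parse_addr(rest)
        rule["dport"] = _parse_port(rest)
        rule["established"] = "established" in rest
        rules.append(rule)
    return rules


def evaluate(rules, pkt):
    """First matching rule wins; anything unmatched hits the implicit deny."""
    for r in rules:
        if r["proto"] not in ("ip", pkt["proto"]):
            continue
        if ipaddress.ip_address(pkt["src"]) not in r["src"]:
            continue
        if ipaddress.ip_address(pkt["dst"]) not in r["dst"]:
            continue
        if r["sport"] is not None and pkt.get("sport") != r["sport"]:
            continue
        if r["dport"] is not None and pkt.get("dport") != r["dport"]:
            continue
        # 'established' only tests the ACK/RST bits; no session table exists
        if r["established"] and not (pkt.get("ack") or pkt.get("rst")):
            continue
        return r["action"]
    return "deny"


# Three of the thread's ACL 120 lines (applied inbound on Serial0/0.3), as posted
ACL_120 = [
    "access-list 120 permit tcp any any eq ftp-data established",
    "access-list 120 permit tcp any any eq www",
    "access-list 120 permit tcp any any eq telnet",
]

# Constructed addresses (RFC 5737 ranges): DMZ server and router outside/NAT address
DMZ_SERVER, OUTSIDE_IP = "192.0.2.10", "192.0.2.1"

# Same services scoped to the DMZ host, plus a return-traffic line for sessions
# opened from inside, and an explicit final deny so drops can be logged later
ACL_120_SCOPED = [
    "access-list 120 permit tcp any host 192.0.2.10 eq www",
    "access-list 120 permit tcp any host 192.0.2.10 eq telnet",
    "access-list 120 permit tcp any any established",
    "access-list 120 deny ip any any",
]

# Constructed packets as seen inbound on the serial interface. An inbound ACL is
# checked before NAT un-translates the destination, so a reply to a NATed intranet
# client arrives addressed to OUTSIDE_IP.
TELNET_TO_DMZ = {"proto": "tcp", "src": "203.0.113.5", "dst": DMZ_SERVER, "sport": 40001, "dport": 23}
TELNET_TO_ROUTER = {"proto": "tcp", "src": "203.0.113.5", "dst": OUTSIDE_IP, "sport": 40002, "dport": 23}
HTTP_REPLY_TO_INTRANET = {"proto": "tcp", "src": "198.51.100.20", "dst": OUTSIDE_IP,
                          "sport": 80, "dport": 51234, "ack": True}


def decisions(acl_lines):
    """Evaluate the three sample packets; returns name -> 'permit'/'deny'."""
    rules = parse_acl(acl_lines)
    return {name: evaluate(rules, pkt) for name, pkt in (
        ("telnet_to_dmz", TELNET_TO_DMZ),
        ("telnet_to_router", TELNET_TO_ROUTER),
        ("http_reply_to_intranet", HTTP_REPLY_TO_INTRANET))}


if __name__ == "__main__":
    print("as posted:", decisions(ACL_120))
    print("scoped   :", decisions(ACL_120_SCOPED))
```

With the list as posted, the telnet session to the DMZ is permitted, but so is telnet to the router's own outside address, and the HTTP reply to an intranet browser is dropped by the implicit deny, which is exactly the breakage Jon describes. The scoped variant restricts the service lines to the DMZ host and lets replies through via `established`. Note that `established` matches on the ACK/RST bits only and keeps no session state; where that is not acceptable, a stateful feature (reflexive ACLs, CBAC or the zone-based firewall) is the right tool rather than a longer ACL.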