<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: DMZ Access List in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/dmz-access-list/m-p/4315501#M1079745</link>
    <description>&lt;P&gt;Hi Sheraz,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Here is a copy of the config:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;PRE&gt;spanning-tree mode rapid-pvst
spanning-tree portfast edge default
spanning-tree extend system-id
spanning-tree backbonefast
lacp system-priority 200
port-channel load-balance src-dst-ip
!
!
!
!
vlan internal allocation policy ascending
!
!
!
!
!
!
!
!
!
!
!
!
interface Port-channel1
 description CAPQMTL01260101 QUAD PORT VSPHERE
 switchport trunk allowed vlan 1,10,100,200,225,254,255
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 200
 switchport mode trunk
 spanning-tree portfast edge trunk
!
interface Port-channel2
 description CAPQMTL01230101 DUAL PORT HYPER-V
 switchport trunk allowed vlan 1,10,100,150,200
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport mode trunk
 spanning-tree portfast edge trunk
!
interface Port-channel3
 description "CAPQMTL01260101 SECONDARY QUAD PORT VSPHERE"
 switchport trunk allowed vlan 1,10,100,200,225,254,255
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 200
 switchport mode trunk
 spanning-tree portfast edge trunk
!
interface Port-channel4
 description "ASUS BACKUP QUAD PORT"
 switchport trunk allowed vlan 1,10,100,150,200,254
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 150
 switchport mode trunk
 spanning-tree portfast edge trunk
!
interface FastEthernet0
 no ip address
 no ip route-cache
 no ip mroute-cache
 shutdown
!
interface GigabitEthernet1/0/1
 description CAPQMTL01260101 PORT 1
 switchport trunk allowed vlan 1,10,100,200,225
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 200
 switchport mode trunk
!
interface GigabitEthernet1/0/2
 description CAPQMTL01230101 PORT 1
 switchport trunk allowed vlan 1,10,100,150,200
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport mode trunk
 spanning-tree portfast edge trunk
 lacp rate fast
 channel-group 2 mode active
!
interface GigabitEthernet1/0/3
 description CAPQMTL01260101 PORT 2
 switchport trunk allowed vlan 1,10,100,200,225,254,255
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 200
 switchport mode trunk
 spanning-tree portfast edge trunk
 lacp rate fast
 channel-group 1 mode active
!
interface GigabitEthernet1/0/4
 description CAPQMTL01230101 PORT 2
 switchport trunk allowed vlan 1,10,100,150,200
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport mode trunk
 spanning-tree portfast edge trunk
 lacp rate fast
 channel-group 2 mode active
!
interface GigabitEthernet1/0/5
 description CAPQMTL01260101 PORT 3
 switchport trunk allowed vlan 1,10,100,200,225,254,255
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 200
 switchport mode trunk
 spanning-tree portfast edge trunk
 lacp rate fast
 channel-group 1 mode active
!
interface GigabitEthernet1/0/6
 description "Dell T5810 Port 3 - ISCSI Network 1"
 switchport trunk allowed vlan 240,241
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 240
 switchport mode trunk
!
interface GigabitEthernet1/0/7
 description CAPQMTL01260101 PORT 4
 switchport trunk allowed vlan 1,10,100,200,225,254,255
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 200
 switchport mode trunk
 spanning-tree portfast edge trunk
 lacp rate fast
 channel-group 1 mode active
!
interface GigabitEthernet1/0/8
 description "Dell T5810 Port 4 - ISCSI Network 2"
 switchport trunk allowed vlan 240,241
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 241
 switchport mode trunk
!
interface GigabitEthernet1/0/9
 description CAPQMTL01260101 PORT 2
 switchport trunk allowed vlan 1,10,100,200,225,254,255
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 200
 switchport mode trunk
 spanning-tree portfast edge trunk
 lacp rate fast
 channel-group 3 mode active
!
interface GigabitEthernet1/0/10
 description CAPQMTL01260101 PORT 2
 switchport trunk allowed vlan 1,10,100,200,225,254,255
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 200
 switchport mode trunk
 spanning-tree portfast edge trunk
 lacp rate fast
 channel-group 3 mode active
!
interface GigabitEthernet1/0/11
 description CAPQMTL01260101 PORT 2
 switchport trunk allowed vlan 1,10,100,200,225,254,255
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 200
 switchport mode trunk
 spanning-tree portfast edge trunk
 lacp rate fast
 channel-group 3 mode active
!
interface GigabitEthernet1/0/12
 description CAPQMTL01260101 PORT 2
 switchport trunk allowed vlan 1,10,100,200,225,254,255
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 200
 switchport mode trunk
 spanning-tree portfast edge trunk
 lacp rate fast
 channel-group 3 mode active
!
interface GigabitEthernet1/0/13
 description "ASUS Backup Port 1"
 switchport trunk allowed vlan 1,10,100,150,200,254
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 150
 switchport mode trunk
 spanning-tree portfast edge trunk
!
interface GigabitEthernet1/0/14
 description "ASUS BACKUP - ISCSI Network 1"
 switchport trunk allowed vlan 240,241
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 240
 switchport mode trunk
!
interface GigabitEthernet1/0/15
 description "ASUS Backup Port 2"
 switchport trunk allowed vlan 1,10,100,150,200,254
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 150
 switchport mode trunk
 spanning-tree portfast edge trunk
!
interface GigabitEthernet1/0/16
 description "ASUS BACKUP - ISCSI Network 2"
 switchport trunk allowed vlan 240,241
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 241
 switchport mode trunk
!
interface GigabitEthernet1/0/17
 shutdown
!
interface GigabitEthernet1/0/18
 shutdown
!
interface GigabitEthernet1/0/19
 shutdown
!
interface GigabitEthernet1/0/20
 shutdown
!
interface GigabitEthernet1/0/21
 switchport access vlan 10
 switchport trunk native vlan 10
!
interface GigabitEthernet1/0/22
 switchport trunk allowed vlan 1,2,10,100,200,254,255
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 254
 switchport mode trunk
!
interface GigabitEthernet1/0/23
 switchport trunk allowed vlan 10,100,200,254
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 254
 switchport mode trunk
!
interface GigabitEthernet1/0/24
 switchport access vlan 255
 switchport trunk native vlan 255
!
interface GigabitEthernet1/1/1
 shutdown
!
interface GigabitEthernet1/1/2
 shutdown
!
interface GigabitEthernet1/1/3
 shutdown
!
interface GigabitEthernet1/1/4
 shutdown
!
interface TenGigabitEthernet1/1/1
 shutdown
!
interface TenGigabitEthernet1/1/2
 shutdown
!
interface Vlan1
 ip address 10.1.1.254 255.255.255.0
!
interface Vlan10
 ip address 10.1.10.254 255.255.255.0
 ip helper-address 10.1.10.10
 ip helper-address 10.1.10.12
 ip ospf 1 area 0
 ip ospf cost 1
!
interface Vlan100
 ip address 10.1.100.254 255.255.255.0
 ip access-group 101 in
 ip helper-address 10.1.100.11
 ip helper-address 10.1.100.12
!
interface Vlan150
 description "Backups"
 ip address 10.1.150.254 255.255.255.0
!
interface Vlan198
 ip address 192.168.254.254 255.255.255.0
!
interface Vlan200
 ip address 10.1.200.254 255.255.255.0
 ip helper-address 10.1.100.11
 ip helper-address 10.1.100.12
!
interface Vlan225
 description "DMZ-225"
 ip address 10.1.225.254 255.255.255.0
 ip access-group dmz_in in
 ip access-group dmz_out out
!
interface Vlan240
 description "ISCSI Network 1"
 no ip address
!
interface Vlan241
 description "ISCSI Network 2"
 no ip address
!
interface Vlan254
 ip address 10.1.254.253 255.255.255.0
!
interface Vlan255
 ip address 10.1.255.250 255.255.255.0
!
router ospf 1
 router-id 1.1.1.1
 redistribute connected subnets
 redistribute static metric-type 1 subnets
 network 10.1.10.0 0.0.0.255 area 0
!
ip default-gateway 10.1.10.254
ip forward-protocol nd
!
ip http server
ip http secure-server
ip route 0.0.0.0 0.0.0.0 10.1.254.254
ip route 10.0.0.0 255.255.255.0 10.1.254.254
ip route 10.1.253.0 255.255.255.0 10.1.254.254
ip route 10.2.10.0 255.255.255.0 10.1.254.254
ip route 10.2.100.0 255.255.255.0 10.1.254.254
ip route 10.2.254.0 255.255.255.0 10.1.254.254
ip route 10.3.0.0 255.255.255.0 10.1.254.254
ip route 10.9.0.0 255.255.255.0 10.1.254.254
ip route 10.10.0.0 255.255.0.0 10.1.254.254
ip route 10.11.0.0 255.255.255.0 10.1.254.254
ip ssh time-out 60
ip ssh authentication-retries 5
!
ip access-list extended dmz_in&lt;BR /&gt;permit tcp host 10.1.100.200 host 10.1.225.200 eq www log&lt;BR /&gt;permit tcp host 10.1.100.200 host 10.1.225.200 eq 443 log&lt;BR /&gt;permit tcp host 10.2.10.200 host 10.1.225.200 eq www log&lt;BR /&gt;permit tcp host 10.2.10.200 host 10.1.225.200 eq 443 log&lt;BR /&gt;permit tcp any host 10.1.225.200 eq 587 log&lt;BR /&gt;permit tcp any host 10.1.225.200 eq smtp log&lt;BR /&gt;permit tcp any host 10.1.225.200 eq 465 log&lt;BR /&gt;permit ip any host 10.1.225.254 log&lt;BR /&gt;permit ip host 10.1.225.254 any log&lt;BR /&gt;permit tcp host 10.1.100.200 host 10.2.225.200 eq www log&lt;BR /&gt;permit tcp host 10.1.100.200 host 10.2.225.200 eq 443 log&lt;BR /&gt;permit tcp host 10.2.10.200 host 10.2.225.200 eq www log&lt;BR /&gt;permit tcp host 10.2.10.200 host 10.2.225.200 eq 443 log&lt;BR /&gt;deny ip any any log&lt;BR /&gt;ip access-list extended dmz_out&lt;BR /&gt;permit tcp host 10.1.100.200 host 10.1.225.200 eq www log&lt;BR /&gt;permit tcp host 10.1.100.200 host 10.1.225.200 eq 443 log&lt;BR /&gt;permit tcp host 10.2.10.200 host 10.1.225.200 eq www log&lt;BR /&gt;permit tcp host 10.2.10.200 host 10.1.225.200 eq 443 log&lt;BR /&gt;permit tcp host 10.1.225.200 host 10.1.100.200 eq 587 log&lt;BR /&gt;permit tcp host 10.1.225.200 host 10.1.100.200 eq smtp log&lt;BR /&gt;permit tcp host 10.1.225.200 host 10.1.100.200 eq 465 log&lt;BR /&gt;permit ip any host 10.1.225.254 log&lt;BR /&gt;permit ip host 10.1.225.254 any log&lt;BR /&gt;permit tcp host 10.1.100.200 host 10.2.225.200 eq www log&lt;BR /&gt;permit tcp host 10.1.100.200 host 10.2.225.200 eq 443 log&lt;BR /&gt;permit tcp host 10.2.10.200 host 10.2.225.200 eq www log&lt;BR /&gt;permit tcp host 10.2.10.200 host 10.2.225.200 eq 443 log&lt;BR /&gt;deny ip any any log
!&lt;/PRE&gt;</description>
    <pubDate>Mon, 29 Mar 2021 15:04:45 GMT</pubDate>
    <dc:creator>SamiSheikh70964</dc:creator>
    <dc:date>2021-03-29T15:04:45Z</dc:date>
    <item>
      <title>DMZ Access List</title>
      <link>https://community.cisco.com/t5/network-security/dmz-access-list/m-p/4311147#M1079460</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I am trying to create an ACL for a host in DMZ which can receive emails from the outside, and send emails to one of our exchange servers internally. Also, to have HTTP/HTTPS access to the host from one of our jump boxes.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;This is what I used:&lt;/P&gt;&lt;P&gt;ip access-list extended dmz_in&lt;BR /&gt;permit ip any host 10.1.225.254 log&lt;BR /&gt;permit ip host 10.1.225.254 any log&lt;BR /&gt;permit tcp host 10.1.100.200 host 10.2.225.200 eq 80 log&lt;BR /&gt;permit tcp host 10.1.100.200 host 10.2.225.200 eq 443 log&lt;BR /&gt;permit tcp host 10.2.10.200 host 10.2.225.200 eq 80 log&lt;BR /&gt;permit tcp host 10.2.10.200 host 10.2.225.200 eq 443 log&lt;BR /&gt;exit&lt;/P&gt;&lt;P&gt;ip access-list extended dmz_out&lt;BR /&gt;permit ip any host 10.1.225.254 log&lt;BR /&gt;permit ip host 10.1.225.254 any log&lt;BR /&gt;permit tcp host 10.1.100.200 host 10.2.225.200 eq 80 log&lt;BR /&gt;permit tcp host 10.1.100.200 host 10.2.225.200 eq 443 log&lt;BR /&gt;permit tcp host 10.2.10.200 host 10.2.225.200 eq 80 log&lt;BR /&gt;permit tcp host 10.2.10.200 host 10.2.225.200 eq 443 log&lt;BR /&gt;exit&lt;/P&gt;&lt;P&gt;&lt;BR /&gt;interface Vlan225&lt;BR /&gt;ip access-group dmz_in in&lt;BR /&gt;exit&lt;BR /&gt;interface Vlan225&lt;BR /&gt;ip access-group dmz_out out&lt;BR /&gt;exit&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;10.1.100.200(Exchange Server)&lt;/P&gt;&lt;P&gt;10.1.225.200(DMZ SMTP host)&lt;/P&gt;&lt;P&gt;10.1.10.200(Jump box)&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Basically 10.1.225.200 should be able to receive emails on port 25, 465, and 587 from anywhere on the internet and forward it to 10.1.100.200. 
However, with this ACL I can't even ping the gateway (10.1.225.254) from 10.1.225.200.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Can you please let me know what I have done wrong here?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks&lt;/P&gt;</description>
      <pubDate>Sun, 21 Mar 2021 22:57:33 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/dmz-access-list/m-p/4311147#M1079460</guid>
      <dc:creator>SamiSheikh70964</dc:creator>
      <dc:date>2021-03-21T22:57:33Z</dc:date>
    </item>
    <item>
      <title>Re: DMZ Access List</title>
      <link>https://community.cisco.com/t5/network-security/dmz-access-list/m-p/4311302#M1079473</link>
      <description>&lt;P&gt;Could you share your configuration too?&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;PRE&gt;ip access-list extended dmz_in
permit ip any host 10.1.225.254 log
permit ip host 10.1.225.254 any log
permit tcp host 10.1.100.200 host 10.2.225.200 eq 80 log
permit tcp host 10.1.100.200 host 10.2.225.200 eq 443 log
permit tcp host 10.2.10.200 host 10.2.225.200 eq 80 log
permit tcp host 10.2.10.200 host 10.2.225.200 eq 443 log
exit
!
ip access-list extended dmz_out
permit ip any host 10.1.225.254 log
permit tcp host 10.2.225.200 host 10.1.100.200 eq 80 log      
permit tcp host 10.2.225.200 host 10.1.100.200 eq 443 log      
permit tcp host 10.2.225.200 host 10.2.10.200 eq 80 log
permit tcp host 10.2.225.200 host 10.2.10.200 eq 443 log
exit
!
interface Vlan225
ip access-group dmz_in in
exit
!
interface Vlan225
ip access-group dmz_out out
exit
(OR)

ip access-list extended dmz_in
permit ip any host 10.1.225.254 log
permit ip host 10.1.225.254 any log
permit tcp host 10.1.100.200 host 10.2.225.200 eq 80 log
permit tcp host 10.1.100.200 host 10.2.225.200 eq 443 log
permit tcp host 10.2.10.200 host 10.2.225.200 eq 80 log
permit tcp host 10.2.10.200 host 10.2.225.200 eq 443 log
exit
!

interface Vlan225
ip access-group dmz_in in
exit
interface Vlan225
no ip access-group dmz_out out
exit

Take dmz_out out of the configuration, so that while troubleshooting it is easier to pin-point where the issue is.&lt;/PRE&gt;</description>
      <pubDate>Mon, 22 Mar 2021 08:54:27 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/dmz-access-list/m-p/4311302#M1079473</guid>
      <dc:creator>Sheraz.Salim</dc:creator>
      <dc:date>2021-03-22T08:54:27Z</dc:date>
    </item>
    <item>
      <title>Re: DMZ Access List</title>
      <link>https://community.cisco.com/t5/network-security/dmz-access-list/m-p/4315501#M1079745</link>
      <description>&lt;P&gt;Hi Sheraz,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Here is a copy of the config:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;PRE&gt;spanning-tree mode rapid-pvst
spanning-tree portfast edge default
spanning-tree extend system-id
spanning-tree backbonefast
lacp system-priority 200
port-channel load-balance src-dst-ip
!
!
!
!
vlan internal allocation policy ascending
!
!
!
!
!
!
!
!
!
!
!
!
interface Port-channel1
 description CAPQMTL01260101 QUAD PORT VSPHERE
 switchport trunk allowed vlan 1,10,100,200,225,254,255
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 200
 switchport mode trunk
 spanning-tree portfast edge trunk
!
interface Port-channel2
 description CAPQMTL01230101 DUAL PORT HYPER-V
 switchport trunk allowed vlan 1,10,100,150,200
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport mode trunk
 spanning-tree portfast edge trunk
!
interface Port-channel3
 description "CAPQMTL01260101 SECONDARY QUAD PORT VSPHERE"
 switchport trunk allowed vlan 1,10,100,200,225,254,255
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 200
 switchport mode trunk
 spanning-tree portfast edge trunk
!
interface Port-channel4
 description "ASUS BACKUP QUAD PORT"
 switchport trunk allowed vlan 1,10,100,150,200,254
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 150
 switchport mode trunk
 spanning-tree portfast edge trunk
!
interface FastEthernet0
 no ip address
 no ip route-cache
 no ip mroute-cache
 shutdown
!
interface GigabitEthernet1/0/1
 description CAPQMTL01260101 PORT 1
 switchport trunk allowed vlan 1,10,100,200,225
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 200
 switchport mode trunk
!
interface GigabitEthernet1/0/2
 description CAPQMTL01230101 PORT 1
 switchport trunk allowed vlan 1,10,100,150,200
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport mode trunk
 spanning-tree portfast edge trunk
 lacp rate fast
 channel-group 2 mode active
!
interface GigabitEthernet1/0/3
 description CAPQMTL01260101 PORT 2
 switchport trunk allowed vlan 1,10,100,200,225,254,255
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 200
 switchport mode trunk
 spanning-tree portfast edge trunk
 lacp rate fast
 channel-group 1 mode active
!
interface GigabitEthernet1/0/4
 description CAPQMTL01230101 PORT 2
 switchport trunk allowed vlan 1,10,100,150,200
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport mode trunk
 spanning-tree portfast edge trunk
 lacp rate fast
 channel-group 2 mode active
!
interface GigabitEthernet1/0/5
 description CAPQMTL01260101 PORT 3
 switchport trunk allowed vlan 1,10,100,200,225,254,255
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 200
 switchport mode trunk
 spanning-tree portfast edge trunk
 lacp rate fast
 channel-group 1 mode active
!
interface GigabitEthernet1/0/6
 description "Dell T5810 Port 3 - ISCSI Network 1"
 switchport trunk allowed vlan 240,241
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 240
 switchport mode trunk
!
interface GigabitEthernet1/0/7
 description CAPQMTL01260101 PORT 4
 switchport trunk allowed vlan 1,10,100,200,225,254,255
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 200
 switchport mode trunk
 spanning-tree portfast edge trunk
 lacp rate fast
 channel-group 1 mode active
!
interface GigabitEthernet1/0/8
 description "Dell T5810 Port 4 - ISCSI Network 2"
 switchport trunk allowed vlan 240,241
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 241
 switchport mode trunk
!
interface GigabitEthernet1/0/9
 description CAPQMTL01260101 PORT 2
 switchport trunk allowed vlan 1,10,100,200,225,254,255
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 200
 switchport mode trunk
 spanning-tree portfast edge trunk
 lacp rate fast
 channel-group 3 mode active
!
interface GigabitEthernet1/0/10
 description CAPQMTL01260101 PORT 2
 switchport trunk allowed vlan 1,10,100,200,225,254,255
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 200
 switchport mode trunk
 spanning-tree portfast edge trunk
 lacp rate fast
 channel-group 3 mode active
!
interface GigabitEthernet1/0/11
 description CAPQMTL01260101 PORT 2
 switchport trunk allowed vlan 1,10,100,200,225,254,255
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 200
 switchport mode trunk
 spanning-tree portfast edge trunk
 lacp rate fast
 channel-group 3 mode active
!
interface GigabitEthernet1/0/12
 description CAPQMTL01260101 PORT 2
 switchport trunk allowed vlan 1,10,100,200,225,254,255
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 200
 switchport mode trunk
 spanning-tree portfast edge trunk
 lacp rate fast
 channel-group 3 mode active
!
interface GigabitEthernet1/0/13
 description "ASUS Backup Port 1"
 switchport trunk allowed vlan 1,10,100,150,200,254
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 150
 switchport mode trunk
 spanning-tree portfast edge trunk
!
interface GigabitEthernet1/0/14
 description "ASUS BACKUP - ISCSI Network 1"
 switchport trunk allowed vlan 240,241
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 240
 switchport mode trunk
!
interface GigabitEthernet1/0/15
 description "ASUS Backup Port 2"
 switchport trunk allowed vlan 1,10,100,150,200,254
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 150
 switchport mode trunk
 spanning-tree portfast edge trunk
!
interface GigabitEthernet1/0/16
 description "ASUS BACKUP - ISCSI Network 2"
 switchport trunk allowed vlan 240,241
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 241
 switchport mode trunk
!
interface GigabitEthernet1/0/17
 shutdown
!
interface GigabitEthernet1/0/18
 shutdown
!
interface GigabitEthernet1/0/19
 shutdown
!
interface GigabitEthernet1/0/20
 shutdown
!
interface GigabitEthernet1/0/21
 switchport access vlan 10
 switchport trunk native vlan 10
!
interface GigabitEthernet1/0/22
 switchport trunk allowed vlan 1,2,10,100,200,254,255
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 254
 switchport mode trunk
!
interface GigabitEthernet1/0/23
 switchport trunk allowed vlan 10,100,200,254
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 254
 switchport mode trunk
!
interface GigabitEthernet1/0/24
 switchport access vlan 255
 switchport trunk native vlan 255
!
interface GigabitEthernet1/1/1
 shutdown
!
interface GigabitEthernet1/1/2
 shutdown
!
interface GigabitEthernet1/1/3
 shutdown
!
interface GigabitEthernet1/1/4
 shutdown
!
interface TenGigabitEthernet1/1/1
 shutdown
!
interface TenGigabitEthernet1/1/2
 shutdown
!
interface Vlan1
 ip address 10.1.1.254 255.255.255.0
!
interface Vlan10
 ip address 10.1.10.254 255.255.255.0
 ip helper-address 10.1.10.10
 ip helper-address 10.1.10.12
 ip ospf 1 area 0
 ip ospf cost 1
!
interface Vlan100
 ip address 10.1.100.254 255.255.255.0
 ip access-group 101 in
 ip helper-address 10.1.100.11
 ip helper-address 10.1.100.12
!
interface Vlan150
 description "Backups"
 ip address 10.1.150.254 255.255.255.0
!
interface Vlan198
 ip address 192.168.254.254 255.255.255.0
!
interface Vlan200
 ip address 10.1.200.254 255.255.255.0
 ip helper-address 10.1.100.11
 ip helper-address 10.1.100.12
!
interface Vlan225
 description "DMZ-225"
 ip address 10.1.225.254 255.255.255.0
 ip access-group dmz_in in
 ip access-group dmz_out out
!
interface Vlan240
 description "ISCSI Network 1"
 no ip address
!
interface Vlan241
 description "ISCSI Network 2"
 no ip address
!
interface Vlan254
 ip address 10.1.254.253 255.255.255.0
!
interface Vlan255
 ip address 10.1.255.250 255.255.255.0
!
router ospf 1
 router-id 1.1.1.1
 redistribute connected subnets
 redistribute static metric-type 1 subnets
 network 10.1.10.0 0.0.0.255 area 0
!
ip default-gateway 10.1.10.254
ip forward-protocol nd
!
ip http server
ip http secure-server
ip route 0.0.0.0 0.0.0.0 10.1.254.254
ip route 10.0.0.0 255.255.255.0 10.1.254.254
ip route 10.1.253.0 255.255.255.0 10.1.254.254
ip route 10.2.10.0 255.255.255.0 10.1.254.254
ip route 10.2.100.0 255.255.255.0 10.1.254.254
ip route 10.2.254.0 255.255.255.0 10.1.254.254
ip route 10.3.0.0 255.255.255.0 10.1.254.254
ip route 10.9.0.0 255.255.255.0 10.1.254.254
ip route 10.10.0.0 255.255.0.0 10.1.254.254
ip route 10.11.0.0 255.255.255.0 10.1.254.254
ip ssh time-out 60
ip ssh authentication-retries 5
!
ip access-list extended dmz_in&lt;BR /&gt;permit tcp host 10.1.100.200 host 10.1.225.200 eq www log&lt;BR /&gt;permit tcp host 10.1.100.200 host 10.1.225.200 eq 443 log&lt;BR /&gt;permit tcp host 10.2.10.200 host 10.1.225.200 eq www log&lt;BR /&gt;permit tcp host 10.2.10.200 host 10.1.225.200 eq 443 log&lt;BR /&gt;permit tcp any host 10.1.225.200 eq 587 log&lt;BR /&gt;permit tcp any host 10.1.225.200 eq smtp log&lt;BR /&gt;permit tcp any host 10.1.225.200 eq 465 log&lt;BR /&gt;permit ip any host 10.1.225.254 log&lt;BR /&gt;permit ip host 10.1.225.254 any log&lt;BR /&gt;permit tcp host 10.1.100.200 host 10.2.225.200 eq www log&lt;BR /&gt;permit tcp host 10.1.100.200 host 10.2.225.200 eq 443 log&lt;BR /&gt;permit tcp host 10.2.10.200 host 10.2.225.200 eq www log&lt;BR /&gt;permit tcp host 10.2.10.200 host 10.2.225.200 eq 443 log&lt;BR /&gt;deny ip any any log&lt;BR /&gt;ip access-list extended dmz_out&lt;BR /&gt;permit tcp host 10.1.100.200 host 10.1.225.200 eq www log&lt;BR /&gt;permit tcp host 10.1.100.200 host 10.1.225.200 eq 443 log&lt;BR /&gt;permit tcp host 10.2.10.200 host 10.1.225.200 eq www log&lt;BR /&gt;permit tcp host 10.2.10.200 host 10.1.225.200 eq 443 log&lt;BR /&gt;permit tcp host 10.1.225.200 host 10.1.100.200 eq 587 log&lt;BR /&gt;permit tcp host 10.1.225.200 host 10.1.100.200 eq smtp log&lt;BR /&gt;permit tcp host 10.1.225.200 host 10.1.100.200 eq 465 log&lt;BR /&gt;permit ip any host 10.1.225.254 log&lt;BR /&gt;permit ip host 10.1.225.254 any log&lt;BR /&gt;permit tcp host 10.1.100.200 host 10.2.225.200 eq www log&lt;BR /&gt;permit tcp host 10.1.100.200 host 10.2.225.200 eq 443 log&lt;BR /&gt;permit tcp host 10.2.10.200 host 10.2.225.200 eq www log&lt;BR /&gt;permit tcp host 10.2.10.200 host 10.2.225.200 eq 443 log&lt;BR /&gt;deny ip any any log
!&lt;/PRE&gt;</description>
      <pubDate>Mon, 29 Mar 2021 15:04:45 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/dmz-access-list/m-p/4315501#M1079745</guid>
      <dc:creator>SamiSheikh70964</dc:creator>
      <dc:date>2021-03-29T15:04:45Z</dc:date>
    </item>
    <item>
      <title>Re: DMZ Access List</title>
      <link>https://community.cisco.com/t5/network-security/dmz-access-list/m-p/4316148#M1079776</link>
      <description>&lt;P&gt;Bump!&lt;/P&gt;</description>
      <pubDate>Tue, 30 Mar 2021 12:53:12 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/dmz-access-list/m-p/4316148#M1079776</guid>
      <dc:creator>SamiSheikh70964</dc:creator>
      <dc:date>2021-03-30T12:53:12Z</dc:date>
    </item>
  </channel>
</rss>

