https://community.cisco.com/t5/network-security/access-list-for-dmz/m-p/2213548#M347069 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Then we would need to know about your NAT and Routing configurations.</P><P></P><P>It might be that ACL configurations alone wont enable DMZ connectivity.</P><P></P><P>The best situation is usually to give the source/destination networks and the current configuration with masked public IP addresses and sensitive information. Otherwise the discussion might be needlesly complicated. <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN></P><P></P><P>- Jouni</P></BODY></HTML> Thu, 04 Jul 2013 06:19:15 GMT Jouni Forss 2013-07-04T06:19:15Z https://community.cisco.com/t5/network-security/access-list-for-dmz/m-p/2213542#M347053 <P>hi,</P><P>have an below subinterface,</P><P></P><P>interface GigabitEthernet0/2.50</P><P>description *** Connected to DMZ ****</P><P> vlan 50</P><P> nameif DMZ</P><P> security-level 50</P><P> ip address x.x.x.x/27</P><P></P><P>need to allow this subinterface accessible through out network</P> Tue, 12 Mar 2019 02:06:54 GMT https://community.cisco.com/t5/network-security/access-list-for-dmz/m-p/2213542#M347053 anil.sanap 2019-03-12T02:06:54Z https://community.cisco.com/t5/network-security/access-list-for-dmz/m-p/2213543#M347056 <HTML><HEAD></HEAD><BODY><P>Hi Anil.</P><P></P><P>apply an acl saying "any" can access your DMZ ip address on outisde interface.</P><P></P><P></P><P>Regards</P><P>Pankaj </P></BODY></HTML> Thu, 04 Jul 2013 05:00:50 GMT https://community.cisco.com/t5/network-security/access-list-for-dmz/m-p/2213543#M347056 pankaj29in 2013-07-04T05:00:50Z https://community.cisco.com/t5/network-security/access-list-for-dmz/m-p/2213544#M347061 <HTML><HEAD></HEAD><BODY><P>access-list DMZ_access_in extended permit ip X.X.X.X 255.255.255.224 any</P><P>access-list DMZ_access_in extended permit icmp X.X.X.X 255.255.255.224 any </P><P> <SPAN style="font-size: 10pt;"> </SPAN></P><P>access-group DMZ_access_in in interface OUTSIDE-ZONE</P><P></P><P>does this correct one or still need to add anything waiting</P></BODY></HTML> Thu, 04 Jul 2013 05:14:28 GMT https://community.cisco.com/t5/network-security/access-list-for-dmz/m-p/2213544#M347061 anil.sanap 2013-07-04T05:14:28Z https://community.cisco.com/t5/network-security/access-list-for-dmz/m-p/2213545#M347062 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>You have to be a bit more specific in your question.</P><P></P><P>We would also need to know the software level possibly.</P><P></P><P>If you want to allow traffic to the DMZ from other local interfaces then you use those interfaces ACL to allow that traffic.</P><P></P><P>If you are talking about allowing traffic to DMZ from other remote network (Internet) then you will have to use the "outside" interfaces ACL to allow this traffic. In addition to this you naturally have to have a NAT configuration for the DMZ servers/hosts so that that they have a public IP address on which they can be accessed.</P><P></P><P>If you simply want to allow traffic from DMZ to anywhere else then you would use</P><P></P><P><STRONG>access-list DMZ_access_in extended permit ip X.X.X.X 255.255.255.224 any</STRONG></P><P><STRONG>access-list DMZ_access_in extended permit icmp X.X.X.X 255.255.255.224 any </STRONG></P><P></P><P><STRONG>access-group DMZ_access_in in interface DMZ</STRONG></P><P></P><P>- Jouni</P></BODY></HTML> Thu, 04 Jul 2013 05:32:37 GMT https://community.cisco.com/t5/network-security/access-list-for-dmz/m-p/2213545#M347062 Jouni Forss 2013-07-04T05:32:37Z https://community.cisco.com/t5/network-security/access-list-for-dmz/m-p/2213546#M347065 <HTML><HEAD></HEAD><BODY><P>Hi Anil,</P><P></P><P>yours will also do or you can also apply Jouni ACLs (both will work)</P><P></P><P></P><P>Regards</P><P>Pankaj </P></BODY></HTML> Thu, 04 Jul 2013 05:38:22 GMT https://community.cisco.com/t5/network-security/access-list-for-dmz/m-p/2213546#M347065 pankaj29in 2013-07-04T05:38:22Z https://community.cisco.com/t5/network-security/access-list-for-dmz/m-p/2213547#M347066 <HTML><HEAD></HEAD><BODY><P>Hi, </P><P></P><P>thanks, thing is do have MPLS connectivity with other branch location</P><P></P><P>for those need to allow DMZ access</P></BODY></HTML> Thu, 04 Jul 2013 05:39:34 GMT https://community.cisco.com/t5/network-security/access-list-for-dmz/m-p/2213547#M347066 anil.sanap 2013-07-04T05:39:34Z https://community.cisco.com/t5/network-security/access-list-for-dmz/m-p/2213548#M347069 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Then we would need to know about your NAT and Routing configurations.</P><P></P><P>It might be that ACL configurations alone wont enable DMZ connectivity.</P><P></P><P>The best situation is usually to give the source/destination networks and the current configuration with masked public IP addresses and sensitive information. Otherwise the discussion might be needlesly complicated. <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN></P><P></P><P>- Jouni</P></BODY></HTML> Thu, 04 Jul 2013 06:19:15 GMT https://community.cisco.com/t5/network-security/access-list-for-dmz/m-p/2213548#M347069 Jouni Forss 2013-07-04T06:19:15Z