757 Views, 0 Helpful, 2 Replies

Unsure how to set up this ACL.

Saithrr (Level 1)

Hi,

I'm working on an assignment, and I can't seem to figure out this ACL part.

I have two servers:

Web: 192.168.90.2
FTP: 192.168.90.3
Subnet mask: 255.255.255.248

They are placed in a DMZ. The web server should only be accessible over HTTPS from the Internet, and the FTP server only from the local network.

Some pointers would be great, thanks!

2 Replies

Seb Rupik (VIP Alumni)

Hi there,

Making the assumptions that your internal network subnet is 10.0.0.0/8 and that your DMZ is routed on VLAN10 (change these as required) the following will have the desired effect:

!
ip access-list extended VLAN10_ACL
  remark Internal hosts may not reach the web server at all: explicit deny placed before the permit
  deny ip 10.0.0.0 0.255.255.255 host 192.168.90.2
  remark Anyone else, Internet included, may reach the web server on HTTPS only
  permit tcp any host 192.168.90.2 eq 443
  remark Only the internal network may reach the FTP server (control channel and port 20)
  permit tcp 10.0.0.0 0.255.255.255 host 192.168.90.3 eq ftp
  permit tcp 10.0.0.0 0.255.255.255 host 192.168.90.3 eq ftp-data
  remark Everything else towards the DMZ is dropped (explicit form of the implicit deny)
  deny ip any any
!
! Applied outbound on the DMZ SVI: it filters what the router forwards into the DMZ segment
int vlan10
  ip address 192.168.90.6 255.255.255.248
  ip access-group VLAN10_ACL out
!

Ideally you would want to block traffic as soon as it enters your security device, so in your case on the OUTSIDE and INSIDE interfaces. This would require two separate ACLs, configured with access-groups on the respective interfaces in the inbound direction.

Since we are blocking on the DMZ interface, we must block in the outbound direction.

It is also worth mentioning that in the real world you would need PAT configured on the OUTSIDE interface to translate incoming Internet traffic to the private DMZ addresses.

cheers,

Seb.

Based on your requirements:

- let's say you have 3 networks, namely DMZ (192.168.90.0/29), LOCAL (10.0.0.0/24) and OUTSIDE (213.132.44.224/29).
- only inbound connectivity from OUTSIDE and LOCAL to the DMZ FTP and web servers is required.
- your DMZ web server requires a public IP to be accessible from the Internet. The public IP assigned is 213.132.44.227, which is on the OUTSIDE interface.

!
! block everything sourced from the DMZ (explicit form of the implicit deny)
access-list acl-DMZ line 1 extended deny ip any any
!
! allow access to the web server from the Internet; with pre-8.3 NAT syntax the
! ACL on OUTSIDE matches the mapped (public) address, not the real DMZ address
access-list acl-OUTSIDE line 1 extended permit tcp any host 213.132.44.227 eq https
!
! allow local-network access to FTP (control channel and port 20)
access-list acl-LOCAL line 1 extended permit tcp 10.0.0.0 255.255.255.0 host 192.168.90.3 eq ftp
access-list acl-LOCAL line 2 extended permit tcp 10.0.0.0 255.255.255.0 host 192.168.90.3 eq ftp-data
!
! security levels are assumed: LOCAL highest, DMZ in between, OUTSIDE lowest
interface Vlan69
 nameif DMZ
 security-level 50
 ip address 192.168.90.1 255.255.255.248
!
interface Vlan100
 nameif LOCAL
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface Vlan11
 nameif OUTSIDE
 security-level 0
 ip address 213.132.44.225 255.255.255.248
!
access-group acl-DMZ in interface DMZ
access-group acl-OUTSIDE in interface OUTSIDE
access-group acl-LOCAL in interface LOCAL
!
! NAT rules between DMZ, OUTSIDE and LOCAL (pre-8.3 static syntax: real interface first,
! then mapped interface). Publish only TCP/443 of the web server on the public address:
static (DMZ,OUTSIDE) tcp 213.132.44.227 https 192.168.90.2 https netmask 255.255.255.255
! identity translation so LOCAL reaches the FTP server on its real address
! (the real host lives on DMZ, so DMZ is the first interface in the pair)
static (DMZ,LOCAL) 192.168.90.3 192.168.90.3 netmask 255.255.255.255
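As an added check that is not part of either reply (my own example, not code from the thread or from Cisco): a small stateless ACL evaluator that parses the IOS ACL from the first reply and the ASA interface ACLs from the second, then runs the same six constructed flows through both and reports the verdict top-down, first match wins, implicit deny at the end. The Internet client 203.0.113.10, the LAN client 10.0.0.5, the source ports, the passive-FTP data port 50000 and the assumption that the pre-8.3 ASA ACL on OUTSIDE sees the mapped address are mine.

```python
"""Stateless checker for the two ACL sets proposed in this thread (added example)."""
import ipaddress
import re

PORTS = {"ftp": 21, "ftp-data": 20, "https": 443, "www": 80, "http": 80}

# ACL text from the first reply (IOS, wildcard masks)
IOS_VLAN10_ACL = """
ip access-list extended VLAN10_ACL
  deny ip 10.0.0.0 0.255.255.255 host 192.168.90.2
  permit tcp any host 192.168.90.2 eq 443
  permit tcp 10.0.0.0 0.255.255.255 host 192.168.90.3 eq ftp
  permit tcp 10.0.0.0 0.255.255.255 host 192.168.90.3 eq ftp-data
  deny ip any any
"""
# ACL text from the second reply (ASA, subnet masks), one ACL per ingress interface
ASA_ACL_OUTSIDE = "access-list acl-OUTSIDE line 1 extended permit tcp any host 213.132.44.227 eq https"
ASA_ACL_LOCAL = """
access-list acl-LOCAL line 1 extended permit tcp 10.0.0.0 255.255.255.0 host 192.168.90.3 eq ftp
access-list acl-LOCAL line 2 extended permit tcp 10.0.0.0 255.255.255.0 host 192.168.90.3 eq ftp-data
"""
# Assumption: pre-8.3 ASA, so the OUTSIDE ACL matches the mapped (public) address.
# The static is port-specific: only TCP/443 of the web server is published.
ASA_STATIC_NAT = {("192.168.90.2", 443): "213.132.44.227"}
ASA_LOCAL_NET = ipaddress.ip_network("10.0.0.0/24")

# Constructed sample flows: (name, proto, src, sport, dst, dport)
FLOWS = [
    ("internet->web https",   "tcp", "203.0.113.10", 51000, "192.168.90.2", 443),
    ("internet->web http",    "tcp", "203.0.113.10", 51001, "192.168.90.2", 80),
    ("internet->ftp control", "tcp", "203.0.113.10", 51002, "192.168.90.3", 21),
    ("lan->ftp control",      "tcp", "10.0.0.5",     51003, "192.168.90.3", 21),
    ("lan->ftp passive data", "tcp", "10.0.0.5",     51004, "192.168.90.3", 50000),
    ("lan->web https",        "tcp", "10.0.0.5",     51005, "192.168.90.2", 443),
]


def _port(tok):
    return PORTS[tok] if tok in PORTS else int(tok)


def _addr(toks, wildcard):
    """Consume 'any' | 'host A' | 'A MASK'; return (network, remaining tokens)."""
    if toks[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), toks[1:]
    if toks[0] == "host":
        return ipaddress.ip_network(toks[1] + "/32"), toks[2:]
    addr, mask = toks[0], toks[1]
    if wildcard:  # IOS wildcard: 0 bits must match, so invert it into a subnet mask
        mask = str(ipaddress.ip_address(~int(ipaddress.ip_address(mask)) & 0xFFFFFFFF))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), toks[2:]


def parse_acl(text, wildcard):
    """Return [(action, proto, src_net, sport, dst_net, dport)] in configured order."""
    rules = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line or line.startswith(("!", "ip access-list")):
            continue
        m = re.match(r"access-list \S+ (?:line \d+ )?extended (.+)", line)  # ASA prefix
        toks = (m.group(1) if m else line).split()
        action, proto, toks = toks[0], toks[1], toks[2:]
        src, toks = _addr(toks, wildcard)
        sport = None
        if toks[:1] == ["eq"]:  # source-port qualifier, unused in the posted ACLs
            sport, toks = _port(toks[1]), toks[2:]
        dst, toks = _addr(toks, wildcard)
        dport = _port(toks[1]) if toks[:1] == ["eq"] else None
        rules.append((action, proto, src, sport, dst, dport))
    return rules


def evaluate(rules, proto, src, sport, dst, dport):
    """Top-down, first match wins; falling off the end is the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rproto, rsrc, rsport, rdst, rdport in rules:
        if rproto not in ("ip", proto) or s not in rsrc or d not in rdst:
            continue
        if rsport not in (None, sport) or rdport not in (None, dport):
            continue
        return action
    return "deny"


def ios_verdicts():
    """First reply: one ACL, applied outbound on the DMZ SVI, sees every flow."""
    rules = parse_acl(IOS_VLAN10_ACL, wildcard=True)
    return {name: evaluate(rules, *flow) for name, *flow in FLOWS}


def asa_verdicts():
    """Second reply: the ACL applied inbound on the ingress interface decides."""
    acls = {"OUTSIDE": parse_acl(ASA_ACL_OUTSIDE, wildcard=False),
            "LOCAL": parse_acl(ASA_ACL_LOCAL, wildcard=False)}
    out = {}
    for name, proto, src, sport, dst, dport in FLOWS:
        if ipaddress.ip_address(src) in ASA_LOCAL_NET:
            ingress, seen_dst = "LOCAL", dst
        else:  # OUTSIDE ACL matches the mapped address; untranslated flows keep the real one
            ingress, seen_dst = "OUTSIDE", ASA_STATIC_NAT.get((dst, dport), dst)
        out[name] = evaluate(acls[ingress], proto, src, sport, seen_dst, dport)
    return out


if __name__ == "__main__":
    for label, verdicts in (("IOS", ios_verdicts()), ("ASA", asa_verdicts())):
        for name, verdict in verdicts.items():
            print(f"{label:4} {name:24} {verdict}")
```

Both configurations give the same verdicts for these flows, which is the point of the check: the assignment's policy holds (Internet to web only on 443, FTP only from the LAN, nothing else into the DMZ). The one flow worth a second look is "lan->ftp passive data", which both ACL sets deny. Neither active nor passive FTP has the client connect to server port 20, so the `eq ftp-data` permits never match a real flow; in passive mode the client connects to a server-chosen high port, which these lines do not permit. On the IOS design that is a real gap for a stateless ACL (it needs inspection such as CBAC/zone-based firewall, or wider permits), whereas the ASA's default global policy inspects FTP and opens the data-channel pinhole itself, which this stateless checker does not model. Return traffic is also outside the model: on IOS it enters vlan10 inbound where no ACL is applied, and the ASA tracks the connection state.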