cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

298
Views
0
Helpful
2
Replies
Highlighted
Beginner

Unsure how to setup this ACL.

Hi,

 

I'm working on an assignment, and I can't seem to figure out this ACL part.

 

I have two servers

 

Web: 192.168.90.2 

FTP: 192.168.90.3

Subnet Mask: 255.255.255.248

 

They are placed in a DMZ, the web server should only be accessible over HTTPS from the Internet, and the FTP-server only from the local network. 

 

Some pointers would be great, thanks!

2 REPLIES 2
Highlighted
VIP Advisor

Re: Unsure how to setup this ACL.

Hi there,

Making the assumptions that your internal network subnet is 10.0.0.0/8 and that your DMZ is routed on VLAN10 (change these as required) the following will have the desired effect:

!
ip access-list extended VLAN10_ACL
  deny ip 10.0.0.0 0.255.255.255 host 192.168.90.2
  permit tcp any host 192.168.90.2 eq 443
  permit tcp 10.0.0.0 0.255.255.255 host 192.168.90.3 eq ftp
  permit tcp 10.0.0.0 0.255.255.255 host 192.168.90.3 eq ftp-data
  deny ip any any
!
int vlan10
  ip address 192.168.90.6 255.255.255.248
  ip access-group VLAN10_ACL out
!

Ideally you would want to block traffic as soon as it enters your security device, so in your case on the OUTSIDE and INSIDE interfaces, this would require two separate ACLs which would be configured using access-groups on the respective interfaces using the inward direction.

Since we are blocking on the DMZ interface we must block in the outward direction.

It is also worth mentioning that in the real world you would need PAT configured on the OUTSIDE interface to translate incoming internet traffic to the privately addressed DMZ addresses.

 

cheers,

Seb.

 

 

Highlighted

Re: Unsure how to setup this ACL.

 

Based on your requirements;


- let's say you have 3 networks namely: DMZ (192.168.90.0/29), LOCAL (10.0.0.0/24) and OUTSIDE (213.132.44.224/29).
- only inbound connectivity from OUTSIDE and LOCAL to DMZ FTP and Web servers required.
- Your DMZ Web server requires a Public IP to be accessible from the Internet. Public IP assigned is 213.132.44.227 which is on OUTSIDE interface.

 /*block outbound traffic, implicit deny*/
access-list acl-DMZ line 1 extended deny any any
/*allow access to web server over internet*/
access-list acl-OUTSIDE line 1 extended permit tcp any host 213.132.44.227 https 
!
/*allow Local Network access to FTP*/
access-list acl-LOCAL line 1 extended permit tcp 10.0.0.0 255.255.255.0 host 192.168.90.3 eq ftp
access-list acl-LOCAL line 2 extended permit tcp 10.0.0.0 255.255.255.0 host 192.168.90.3 eq ftp-data
! interface Vlan69 nameif DMZ ip address 192.168.90.1 255.255.255.248
! interface Vlan100 nameif LOCAL ip address 10.0.0.1 255.255.255.0 ! interface Vlan11 nameif OUTSIDE ip address 213.132.44.225 255.255.255.248 ! access-group acl-DMZ in interface DMZ access-group acl-OUTSIDE in interface OUTSIDE access-group acl-LOCAL in interface LOCAL ! /*NAT Rules between DMZ,OUTSIDE,LOCAL*/ static (DMZ,OUTSIDE) tcp 213.132.44.227 https 192.168.90.2 https netmask 255.255.255.255 static (LOCAL,DMZ) 192.168.90.3 192.168.90.3 netmask 255.255.255.255

 

CreatePlease to create content
Content for Community-Ad