I'm working on an assignment, and I can't seem to figure out this ACL part.
I have two servers
Subnet Mask: 255.255.255.248
They are placed in a DMZ; the web server should only be accessible over HTTPS from the Internet, and the FTP server only from the local network.
Some pointers would be great, thanks!
Making the assumptions that your internal network subnet is 10.0.0.0/8 and that your DMZ is routed on VLAN 10 (change these as required), the following will have the desired effect:

```
!
ip access-list extended VLAN10_ACL
 ! internal hosts must not reach the web server at all (only the Internet may, over HTTPS)
 deny ip 10.0.0.0 0.255.255.255 host 192.168.90.2
 ! anyone may reach the web server on 443/tcp
 permit tcp any host 192.168.90.2 eq 443
 ! only the internal network may reach the FTP server (control and data ports)
 ! note: passive-mode FTP negotiates high ports that these two lines do not cover
 permit tcp 10.0.0.0 0.255.255.255 host 192.168.90.3 eq ftp
 permit tcp 10.0.0.0 0.255.255.255 host 192.168.90.3 eq ftp-data
 ! explicit version of the implicit deny at the end of every ACL
 deny ip any any
!
int vlan10
 ip address 192.168.90.6 255.255.255.248
 ! applied outbound: it filters traffic leaving the router towards the DMZ
 ip access-group VLAN10_ACL out
!
```
Ideally you would want to block traffic as soon as it enters your security device, so in your case on the OUTSIDE and INSIDE interfaces. This would require two separate ACLs, each applied with an access-group on the respective interface in the inbound direction.
Since we are blocking on the DMZ interface, we must block in the outbound direction.
It is also worth mentioning that in the real world you would need PAT configured on the OUTSIDE interface to translate incoming Internet traffic to the privately addressed DMZ hosts.
Based on your requirements:
- Let's say you have 3 networks, namely DMZ (192.168.90.0/29), LOCAL (10.0.0.0/24) and OUTSIDE (22.214.171.124/29).
- Only inbound connectivity from OUTSIDE and LOCAL to the DMZ FTP and web servers is required.
- Your DMZ web server requires a public IP to be accessible from the Internet. The public IP assigned is 126.96.36.199, which is on the OUTSIDE interface.

```
! block traffic originating in the DMZ (makes the implicit deny explicit)
access-list acl-DMZ extended deny ip any any
! allow access to the web server from the Internet; the ACL matches the mapped (public) address
access-list acl-OUTSIDE extended permit tcp any host 126.96.36.199 eq https
! allow local network access to FTP (control and data ports)
access-list acl-LOCAL extended permit tcp 10.0.0.0 255.255.255.0 host 192.168.90.3 eq ftp
access-list acl-LOCAL extended permit tcp 10.0.0.0 255.255.255.0 host 192.168.90.3 eq ftp-data
!
! security levels are assumed values (not in the original answer): LOCAL most trusted, OUTSIDE least
interface Vlan69
 nameif DMZ
 security-level 50
 ip address 192.168.90.1 255.255.255.248
!
interface Vlan100
 nameif LOCAL
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface Vlan11
 nameif OUTSIDE
 security-level 0
 ip address 184.108.40.206 255.255.255.248
!
! every ACL is applied inbound on the interface where the traffic enters the firewall
access-group acl-DMZ in interface DMZ
access-group acl-OUTSIDE in interface OUTSIDE
access-group acl-LOCAL in interface LOCAL
!
! NAT rules between DMZ, OUTSIDE and LOCAL (pre-8.3 static syntax: real interface first, then mapped)
! public 126.96.36.199:443 -> DMZ web server 192.168.90.2:443
static (DMZ,OUTSIDE) tcp 126.96.36.199 https 192.168.90.2 https netmask 255.255.255.255
! identity NAT so LOCAL reaches the FTP server on its real address
static (DMZ,LOCAL) 192.168.90.3 192.168.90.3 netmask 255.255.255.255
```
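Both answers rely on the same two rules: Cisco ACLs are evaluated top-down and the first matching entry wins, and anything that matches nothing is dropped by the implicit deny. The IOS answer expresses masks as wildcards (0 bits must match), the ASA answer as ordinary netmasks, and the ASA answer filters per ingress interface with the Internet-facing ACL matching the mapped public address. The following is an added example, not code from either answer or from Cisco: a small first-match evaluator that parses both ACL styles and checks the policy the question asks for (Internet to web over HTTPS only, local network to FTP only). The Internet host 203.0.113.5 and the local hosts are constructed test values; `WELL_KNOWN` covers only the port keywords the two answers use.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Port keywords used in the two answers (both IOS and ASA accept them).
WELL_KNOWN = {"ftp-data": 20, "ftp": 21, "www": 80, "http": 80, "https": 443}


@dataclass(frozen=True)
class Flow:
    proto: str   # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # None when the entry has no 'eq' clause


def _parse_addr(tokens, i, mask_style):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D MASK'; return (network, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    mask = tokens[i + 1]
    if mask_style == "wildcard":
        # IOS wildcard: 0 bits must match, 1 bits are don't-care. Invert it to a netmask.
        inverted = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(mask))
        mask = str(ipaddress.IPv4Address(inverted))
    return ipaddress.ip_network(f"{tok}/{mask}", strict=False), i + 2


def parse_acl(text: str, mask_style: str) -> List[Ace]:
    """mask_style is 'wildcard' (IOS) or 'netmask' (ASA). Lines without an ACE are skipped."""
    acl = []
    for line in text.splitlines():
        t = line.split()
        if not t or t[0] == "!" or "remark" in t:
            continue
        starts = [i for i, tok in enumerate(t) if tok in ("permit", "deny")]
        if not starts:
            continue                      # 'ip access-list ...', 'interface ...', etc.
        s = starts[0]
        src, i = _parse_addr(t, s + 2, mask_style)
        dst, i = _parse_addr(t, i, mask_style)
        dport = None
        if i < len(t) and t[i] == "eq":
            dport = WELL_KNOWN.get(t[i + 1]) or int(t[i + 1])
        acl.append(Ace(t[s], t[s + 1], src, dst, dport))
    return acl


def evaluate(acl: List[Ace], flow: Flow) -> str:
    """First-match evaluation with the implicit deny at the end."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    for ace in acl:
        if ace.proto != "ip" and ace.proto != flow.proto:
            continue
        if src not in ace.src or dst not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != flow.dport:
            continue
        return ace.action
    return "deny"


# The IOS ACL from the first answer, applied outbound on the DMZ interface.
IOS_DMZ_ACL = """
ip access-list extended VLAN10_ACL
 deny ip 10.0.0.0 0.255.255.255 host 192.168.90.2
 permit tcp any host 192.168.90.2 eq 443
 permit tcp 10.0.0.0 0.255.255.255 host 192.168.90.3 eq ftp
 permit tcp 10.0.0.0 0.255.255.255 host 192.168.90.3 eq ftp-data
 deny ip any any
"""

# The ASA ACLs from the second answer, keyed by the interface they are applied inbound on.
# The OUTSIDE ACL matches the mapped public address of the web server (pre-8.3 behaviour).
ASA_ACLS = {
    "DMZ": "access-list acl-DMZ extended deny ip any any",
    "OUTSIDE": "access-list acl-OUTSIDE extended permit tcp any host 126.96.36.199 eq https",
    "LOCAL": "access-list acl-LOCAL extended permit tcp 10.0.0.0 255.255.255.0 host 192.168.90.3 eq ftp\n"
             "access-list acl-LOCAL extended permit tcp 10.0.0.0 255.255.255.0 host 192.168.90.3 eq ftp-data",
}


def ios_dmz_verdict(flow: Flow) -> str:
    return evaluate(parse_acl(IOS_DMZ_ACL, "wildcard"), flow)


def asa_verdict(ingress: str, flow: Flow) -> str:
    return evaluate(parse_acl(ASA_ACLS[ingress], "netmask"), flow)


if __name__ == "__main__":
    for f in (Flow("tcp", "203.0.113.5", "192.168.90.2", 443),   # Internet -> web HTTPS
              Flow("tcp", "203.0.113.5", "192.168.90.3", 21),    # Internet -> FTP
              Flow("tcp", "10.20.30.40", "192.168.90.3", 21),    # internal -> FTP
              Flow("tcp", "10.20.30.40", "192.168.90.2", 443)):  # internal -> web
        print(f"IOS  {f.src:>12} -> {f.dst}:{f.dport}  {ios_dmz_verdict(f)}")
    print("ASA  OUTSIDE -> web:443", asa_verdict("OUTSIDE", Flow("tcp", "203.0.113.5", "126.96.36.199", 443)))
    print("ASA  LOCAL   -> ftp:21 ", asa_verdict("LOCAL", Flow("tcp", "10.0.0.9", "192.168.90.3", 21)))
```

Running it against the two answers shows the same policy from both: the Internet reaches only 192.168.90.2:443 (via its public address on the ASA), the local network reaches only the FTP ports on 192.168.90.3, and in the IOS version the leading `deny` keeps internal hosts off the web server even though the later `permit tcp any ... eq 443` would otherwise match them.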