09-09-2009 10:27 PM - edited 03-11-2019 09:14 AM
Three questions:
1. I need to allow internet access for inside users, say ports 80 and 443. On which interface do I need to apply the ACL, and what should it contain?
2. I need to access an FTP server on the internet from one particular system on the inside (system IP 192.168.100.25, FTP server 216.87.172.x). What will the ACL be, and on which interface do we need to apply it?
3. Let's say I have NATed one inside system to a public IP and I have to access this system through RDP (port 3389) from the internet. What is the ACL, and where do we need to apply it?
09-10-2009 01:26 AM
Gandhi,
To answer your questions:-
1) No ACL is required - all traffic is allowed from the inside to the outside by default.
2) See 1.
3) Your ACL would read something like:
access-list outside-in extended permit tcp any host <public-ip-of-rdp-host> eq 3389
access-group outside-in in interface outside
HTH
09-10-2009 02:21 AM
Hi Andrew,
My second question was:
As a security policy we will not allow FTP access to the outside for any users; only on demand will we provide the access.
Example: inside subnet (192.168.100.0/24)
User who needs the access (192.168.100.50)
Third-party FTP server (216.87.X.X)
How should the ACL look?
09-10-2009 02:32 AM
Based on your original post and the last posting, my ACL would look something like:
access-list inside-out remark inside out HTTP
access-list inside-out extended permit tcp 192.168.100.0 255.255.255.0 any eq 80
access-list inside-out remark inside out HTTPS
access-list inside-out extended permit tcp 192.168.100.0 255.255.255.0 any eq 443
access-list inside-out remark specific inside host to external FTP server
access-list inside-out extended permit tcp host 192.168.100.25 host 216.87.172.x eq 21
access-list inside-out remark inside DNS
access-list inside-out extended permit udp any any eq 53
access-list inside-out remark for troubleshooting IP connectivity
access-list inside-out extended permit icmp any any
access-list inside-out remark log all denied access from inside out
access-list inside-out extended deny ip any any log
access-group inside-out in interface inside
I would rewrite my original outside ACL to:
access-list outside-in extended permit icmp any any echo-reply
access-list outside-in extended permit icmp any any unreachable
access-list outside-in extended permit icmp any any traceroute
access-list outside-in extended permit icmp any any time-exceeded
access-list outside-in extended permit tcp any host <public-ip-of-rdp-host> eq 3389
access-group outside-in in interface outside
HTH
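As an added illustration that is not part of the thread, the following Python models how the ASA walks the two ACLs above top to bottom with first-match semantics and an implicit deny at the end, so you can check which of the three flows from the question each ACL permits. The FTP server and the NATed RDP public address are constructed RFC 5737 stand-ins, and ICMP types are not modelled.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")

@dataclass
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "tcp", "udp", "icmp" or "ip"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: int | None = None    # None = any port (also used for icmp/ip)

def net(text: str) -> ipaddress.IPv4Network:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D M.M.M.M' as the ASA CLI writes them."""
    if text == "any":
        return ANY
    if text.startswith("host "):
        return ipaddress.ip_network(text.split()[1] + "/32")
    addr, mask = text.split()
    return ipaddress.ip_network(f"{addr}/{mask}")

def evaluate(acl: list[Ace], proto: str, src: str, dst: str, dport: int | None = None) -> str:
    """First matching ACE wins; a flow that matches nothing hits the ASA's implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if ace.proto not in ("ip", proto) or s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"

# Constructed stand-ins (RFC 5737 ranges): 203.0.113.10 for the third-party FTP
# server and 198.51.100.5 for the public IP the RDP host is NATed to.
FTP_SERVER, RDP_PUBLIC = "203.0.113.10", "198.51.100.5"
LAN = net("192.168.100.0 255.255.255.0")
INSIDE_OUT = [                      # access-group inside-out in interface inside
    Ace("permit", "tcp", LAN, ANY, 80),
    Ace("permit", "tcp", LAN, ANY, 443),
    Ace("permit", "tcp", net("host 192.168.100.25"), net("host " + FTP_SERVER), 21),
    Ace("permit", "udp", ANY, ANY, 53),
    Ace("permit", "icmp", ANY, ANY),
    Ace("deny", "ip", ANY, ANY),    # explicit deny so the drops can be logged
]
OUTSIDE_IN = [                      # access-group outside-in in interface outside
    Ace("permit", "icmp", ANY, ANY),  # the echo-reply/unreachable/... lines, types not modelled
    Ace("permit", "tcp", ANY, net("host " + RDP_PUBLIC), 3389),
]
```

Any other inside user trying FTP to the same server falls through to the final deny, which is what the on-demand policy in the follow-up question asks for.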
09-10-2009 02:40 AM
Thanks for your help, buddy.
09-10-2009 02:58 AM
Sure, no problem, glad to help.