DMZ Access List

SamiSheikh70964
Community Member

Hi,


I am trying to create an ACL for a host in the DMZ that can receive email from the outside and send it on to one of our Exchange servers internally. I also want HTTP/HTTPS access to the host from one of our jump boxes.


This is what I used:

ip access-list extended dmz_in
permit ip any host 10.1.225.254 log
permit ip host 10.1.225.254 any log
permit tcp host 10.1.100.200 host 10.2.225.200 eq 80 log
permit tcp host 10.1.100.200 host 10.2.225.200 eq 443 log
permit tcp host 10.2.10.200 host 10.2.225.200 eq 80 log
permit tcp host 10.2.10.200 host 10.2.225.200 eq 443 log
exit

ip access-list extended dmz_out
permit ip any host 10.1.225.254 log
permit ip host 10.1.225.254 any log
permit tcp host 10.1.100.200 host 10.2.225.200 eq 80 log
permit tcp host 10.1.100.200 host 10.2.225.200 eq 443 log
permit tcp host 10.2.10.200 host 10.2.225.200 eq 80 log
permit tcp host 10.2.10.200 host 10.2.225.200 eq 443 log
exit


interface Vlan225
ip access-group dmz_in in
exit
interface Vlan225
ip access-group dmz_out out
exit


10.1.100.200(Exchange Server)

10.1.225.200(DMZ SMTP host)

10.1.10.200(Jump box)


Basically, 10.1.225.200 should be able to receive email on ports 25, 465 and 587 from anywhere on the Internet and forward it to 10.1.100.200. However, with this ACL I can't even ping the gateway (10.1.225.254) from 10.1.225.200.


Can you please let me know what I have done wrong here?


Thanks

3 Replies

Sheraz.Salim
VIP Alumni

Could you share your configuration too?


ip access-list extended dmz_in
permit ip any host 10.1.225.254 log
permit ip host 10.1.225.254 any log
permit tcp host 10.1.100.200 host 10.2.225.200 eq 80 log
permit tcp host 10.1.100.200 host 10.2.225.200 eq 443 log
permit tcp host 10.2.10.200 host 10.2.225.200 eq 80 log
permit tcp host 10.2.10.200 host 10.2.225.200 eq 443 log
exit
!
ip access-list extended dmz_out
permit ip any host 10.1.225.254 log
permit tcp host 10.2.225.200 host 10.1.100.200 eq 80 log
permit tcp host 10.2.225.200 host 10.1.100.200 eq 443 log
permit tcp host 10.2.225.200 host 10.2.10.200 eq 80 log
permit tcp host 10.2.225.200 host 10.2.10.200 eq 443 log
exit
!
interface Vlan225
ip access-group dmz_in in
exit
!
interface Vlan225
ip access-group dmz_out out
exit
(OR)

ip access-list extended dmz_in
permit ip any host 10.1.225.254 log
permit ip host 10.1.225.254 any log
permit tcp host 10.1.100.200 host 10.2.225.200 eq 80 log
permit tcp host 10.1.100.200 host 10.2.225.200 eq 443 log
permit tcp host 10.2.10.200 host 10.2.225.200 eq 80 log
permit tcp host 10.2.10.200 host 10.2.225.200 eq 443 log
exit
!

interface Vlan225
ip access-group dmz_in in
exit
interface Vlan225
no ip access-group dmz_out out
exit

Take the dmz_out ACL off the interface (the `out` direction) so that troubleshooting is easier and you can pinpoint where the issue is.
Please do not forget to rate.

Hi Sheraz,


Here is a copy of the config:


spanning-tree mode rapid-pvst
spanning-tree portfast edge default
spanning-tree extend system-id
spanning-tree backbonefast
lacp system-priority 200
port-channel load-balance src-dst-ip
!
!
!
!
vlan internal allocation policy ascending
!
!
!
!
!
!
!
!
!
!
!
!
interface Port-channel1
 description CAPQMTL01260101 QUAD PORT VSPHERE
 switchport trunk allowed vlan 1,10,100,200,225,254,255
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 200
 switchport mode trunk
 spanning-tree portfast edge trunk
!
interface Port-channel2
 description CAPQMTL01230101 DUAL PORT HYPER-V
 switchport trunk allowed vlan 1,10,100,150,200
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport mode trunk
 spanning-tree portfast edge trunk
!
interface Port-channel3
 description "CAPQMTL01260101 SECONDARY QUAD PORT VSPHERE"
 switchport trunk allowed vlan 1,10,100,200,225,254,255
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 200
 switchport mode trunk
 spanning-tree portfast edge trunk
!
interface Port-channel4
 description "ASUS BACKUP QUAD PORT"
 switchport trunk allowed vlan 1,10,100,150,200,254
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 150
 switchport mode trunk
 spanning-tree portfast edge trunk
!
interface FastEthernet0
 no ip address
 no ip route-cache
 no ip mroute-cache
 shutdown
!
interface GigabitEthernet1/0/1
 description CAPQMTL01260101 PORT 1
 switchport trunk allowed vlan 1,10,100,200,225
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 200
 switchport mode trunk
!
interface GigabitEthernet1/0/2
 description CAPQMTL01230101 PORT 1
 switchport trunk allowed vlan 1,10,100,150,200
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport mode trunk
 spanning-tree portfast edge trunk
 lacp rate fast
 channel-group 2 mode active
!
interface GigabitEthernet1/0/3
 description CAPQMTL01260101 PORT 2
 switchport trunk allowed vlan 1,10,100,200,225,254,255
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 200
 switchport mode trunk
 spanning-tree portfast edge trunk
 lacp rate fast
 channel-group 1 mode active
!
interface GigabitEthernet1/0/4
 description CAPQMTL01230101 PORT 2
 switchport trunk allowed vlan 1,10,100,150,200
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport mode trunk
 spanning-tree portfast edge trunk
 lacp rate fast
 channel-group 2 mode active
!
interface GigabitEthernet1/0/5
 description CAPQMTL01260101 PORT 3
 switchport trunk allowed vlan 1,10,100,200,225,254,255
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 200
 switchport mode trunk
 spanning-tree portfast edge trunk
 lacp rate fast
 channel-group 1 mode active
!
interface GigabitEthernet1/0/6
 description "Dell T5810 Port 3 - ISCSI Network 1"
 switchport trunk allowed vlan 240,241
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 240
 switchport mode trunk
!
interface GigabitEthernet1/0/7
 description CAPQMTL01260101 PORT 4
 switchport trunk allowed vlan 1,10,100,200,225,254,255
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 200
 switchport mode trunk
 spanning-tree portfast edge trunk
 lacp rate fast
 channel-group 1 mode active
!
interface GigabitEthernet1/0/8
 description "Dell T5810 Port 4 - ISCSI Network 2"
 switchport trunk allowed vlan 240,241
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 241
 switchport mode trunk
!
interface GigabitEthernet1/0/9
 description CAPQMTL01260101 PORT 2
 switchport trunk allowed vlan 1,10,100,200,225,254,255
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 200
 switchport mode trunk
 spanning-tree portfast edge trunk
 lacp rate fast
 channel-group 3 mode active
!
interface GigabitEthernet1/0/10
 description CAPQMTL01260101 PORT 2
 switchport trunk allowed vlan 1,10,100,200,225,254,255
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 200
 switchport mode trunk
 spanning-tree portfast edge trunk
 lacp rate fast
 channel-group 3 mode active
!
interface GigabitEthernet1/0/11
 description CAPQMTL01260101 PORT 2
 switchport trunk allowed vlan 1,10,100,200,225,254,255
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 200
 switchport mode trunk
 spanning-tree portfast edge trunk
 lacp rate fast
 channel-group 3 mode active
!
interface GigabitEthernet1/0/12
 description CAPQMTL01260101 PORT 2
 switchport trunk allowed vlan 1,10,100,200,225,254,255
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 200
 switchport mode trunk
 spanning-tree portfast edge trunk
 lacp rate fast
 channel-group 3 mode active
!
interface GigabitEthernet1/0/13
 description "ASUS Backup Port 1"
 switchport trunk allowed vlan 1,10,100,150,200,254
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 150
 switchport mode trunk
 spanning-tree portfast edge trunk
!
interface GigabitEthernet1/0/14
 description "ASUS BACKUP - ISCSI Network 1"
 switchport trunk allowed vlan 240,241
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 240
 switchport mode trunk
!
interface GigabitEthernet1/0/15
 description "ASUS Backup Port 2"
 switchport trunk allowed vlan 1,10,100,150,200,254
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 150
 switchport mode trunk
 spanning-tree portfast edge trunk
!
interface GigabitEthernet1/0/16
 description "ASUS BACKUP - ISCSI Network 2"
 switchport trunk allowed vlan 240,241
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 241
 switchport mode trunk
!
interface GigabitEthernet1/0/17
 shutdown
!
interface GigabitEthernet1/0/18
 shutdown
!
interface GigabitEthernet1/0/19
 shutdown
!
interface GigabitEthernet1/0/20
 shutdown
!
interface GigabitEthernet1/0/21
 switchport access vlan 10
 switchport trunk native vlan 10
!
interface GigabitEthernet1/0/22
 switchport trunk allowed vlan 1,2,10,100,200,254,255
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 254
 switchport mode trunk
!
interface GigabitEthernet1/0/23
 switchport trunk allowed vlan 10,100,200,254
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 254
 switchport mode trunk
!
interface GigabitEthernet1/0/24
 switchport access vlan 255
 switchport trunk native vlan 255
!
interface GigabitEthernet1/1/1
 shutdown
!
interface GigabitEthernet1/1/2
 shutdown
!
interface GigabitEthernet1/1/3
 shutdown
!
interface GigabitEthernet1/1/4
 shutdown
!
interface TenGigabitEthernet1/1/1
 shutdown
!
interface TenGigabitEthernet1/1/2
 shutdown
!
interface Vlan1
 ip address 10.1.1.254 255.255.255.0
!
interface Vlan10
 ip address 10.1.10.254 255.255.255.0
 ip helper-address 10.1.10.10
 ip helper-address 10.1.10.12
 ip ospf 1 area 0
 ip ospf cost 1
!
interface Vlan100
 ip address 10.1.100.254 255.255.255.0
 ip access-group 101 in
 ip helper-address 10.1.100.11
 ip helper-address 10.1.100.12
!
interface Vlan150
 description "Backups"
 ip address 10.1.150.254 255.255.255.0
!
interface Vlan198
 ip address 192.168.254.254 255.255.255.0
!
interface Vlan200
 ip address 10.1.200.254 255.255.255.0
 ip helper-address 10.1.100.11
 ip helper-address 10.1.100.12
!
interface Vlan225
 description "DMZ-225"
 ip address 10.1.225.254 255.255.255.0
 ip access-group dmz_in in
 ip access-group dmz_out out
!
interface Vlan240
 description "ISCSI Network 1"
 no ip address
!
interface Vlan241
 description "ISCSI Network 2"
 no ip address
!
interface Vlan254
 ip address 10.1.254.253 255.255.255.0
!
interface Vlan255
 ip address 10.1.255.250 255.255.255.0
!
router ospf 1
 router-id 1.1.1.1
 redistribute connected subnets
 redistribute static metric-type 1 subnets
 network 10.1.10.0 0.0.0.255 area 0
!
ip default-gateway 10.1.10.254
ip forward-protocol nd
!
ip http server
ip http secure-server
ip route 0.0.0.0 0.0.0.0 10.1.254.254
ip route 10.0.0.0 255.255.255.0 10.1.254.254
ip route 10.1.253.0 255.255.255.0 10.1.254.254
ip route 10.2.10.0 255.255.255.0 10.1.254.254
ip route 10.2.100.0 255.255.255.0 10.1.254.254
ip route 10.2.254.0 255.255.255.0 10.1.254.254
ip route 10.3.0.0 255.255.255.0 10.1.254.254
ip route 10.9.0.0 255.255.255.0 10.1.254.254
ip route 10.10.0.0 255.255.0.0 10.1.254.254
ip route 10.11.0.0 255.255.255.0 10.1.254.254
ip ssh time-out 60
ip ssh authentication-retries 5
!
ip access-list extended dmz_in
permit tcp host 10.1.100.200 host 10.1.225.200 eq www log
permit tcp host 10.1.100.200 host 10.1.225.200 eq 443 log
permit tcp host 10.2.10.200 host 10.1.225.200 eq www log
permit tcp host 10.2.10.200 host 10.1.225.200 eq 443 log
permit tcp any host 10.1.225.200 eq 587 log
permit tcp any host 10.1.225.200 eq smtp log
permit tcp any host 10.1.225.200 eq 465 log
permit ip any host 10.1.225.254 log
permit ip host 10.1.225.254 any log
permit tcp host 10.1.100.200 host 10.2.225.200 eq www log
permit tcp host 10.1.100.200 host 10.2.225.200 eq 443 log
permit tcp host 10.2.10.200 host 10.2.225.200 eq www log
permit tcp host 10.2.10.200 host 10.2.225.200 eq 443 log
deny ip any any log
ip access-list extended dmz_out
permit tcp host 10.1.100.200 host 10.1.225.200 eq www log
permit tcp host 10.1.100.200 host 10.1.225.200 eq 443 log
permit tcp host 10.2.10.200 host 10.1.225.200 eq www log
permit tcp host 10.2.10.200 host 10.1.225.200 eq 443 log
permit tcp host 10.1.225.200 host 10.1.100.200 eq 587 log
permit tcp host 10.1.225.200 host 10.1.100.200 eq smtp log
permit tcp host 10.1.225.200 host 10.1.100.200 eq 465 log
permit ip any host 10.1.225.254 log
permit ip host 10.1.225.254 any log
permit tcp host 10.1.100.200 host 10.2.225.200 eq www log
permit tcp host 10.1.100.200 host 10.2.225.200 eq 443 log
permit tcp host 10.2.10.200 host 10.2.225.200 eq www log
permit tcp host 10.2.10.200 host 10.2.225.200 eq 443 log
deny ip any any log
!
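Editor's note: the following is an added example, not Cisco tooling and not code from anyone in this thread. It is a small Python evaluator for IOS extended ACLs (first matching entry wins, implicit deny at the end) and runs the dmz_in / dmz_out lists from the config above against the flows the original post asks for: inbound SMTP from the Internet, the relay to the Exchange server, the jump box's HTTPS access, and the ping to the gateway. The same evaluator can be fed the first post's ACL by pasting it in place of POSTED_ACLS. Two assumptions are built in that the thread does not state: on an SVI, an ACL applied `in` sees packets entering the switch from VLAN 225 (sourced in 10.1.225.0/24) while `out` sees packets the switch routes into VLAN 225, and IOS ACLs keep no connection state, so a TCP session is permitted only if each direction matches on its own. The Internet address 203.0.113.10 and the ephemeral ports are constructed sample values.

```python
"""Evaluate Cisco IOS extended ACLs offline: first match wins, implicit deny last.

Added example, not Cisco tooling and not code from the thread. Assumed (not
stated on the page): on an SVI, "in" sees packets entering the switch from
VLAN 225 and "out" sees packets routed into VLAN 225; ACLs are stateless, so
each direction of a TCP session must be permitted separately. 203.0.113.10
and the ephemeral ports are constructed sample values.
"""
import ipaddress
from typing import Dict, List, NamedTuple, Optional, Tuple

# Service names IOS prints in place of numbers in `show run`.
PORT_NAMES = {"www": 80, "smtp": 25, "domain": 53, "ftp": 21, "ssh": 22, "telnet": 23}


class Ace(NamedTuple):
    action: str                  # permit / deny
    proto: str                   # ip, tcp, udp, icmp, ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    sport: Optional[int]         # None matches any port
    dport: Optional[int]
    text: str                    # the entry as written, for reporting


def _addr(t: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse `any`, `host A.B.C.D` or `A.B.C.D wildcard`; return (net, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    if t[i + 1] == "0.0.0.0":    # IOS wildcard 0.0.0.0 also means one host
        return ipaddress.ip_network(t[i] + "/32"), i + 2
    # ipaddress accepts an IOS wildcard (a hostmask) after the slash
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def _port(t: List[str], i: int) -> Tuple[Optional[int], int]:
    """Parse an optional `eq <port|name>`; return (port or None, next index)."""
    if i < len(t) and t[i] == "eq":
        p = t[i + 1]
        return (PORT_NAMES[p] if p in PORT_NAMES else int(p)), i + 2
    return None, i


def parse_acls(config: str) -> Dict[str, List[Ace]]:
    """Return {acl_name: [Ace, ...]} from a `show run` fragment (extended ACLs only)."""
    acls: Dict[str, List[Ace]] = {}
    name = None
    for line in config.splitlines():
        t = line.split()
        if t[:3] == ["ip", "access-list", "extended"]:
            name, acls[t[3]] = t[3], []
            continue
        if t and t[0].isdigit():            # drop an optional sequence number
            t = t[1:]
        if name is None or not t or t[0] not in ("permit", "deny"):
            continue                        # blank, "exit", "!", "remark", other config
        src, i = _addr(t, 2)
        sport, i = _port(t, i)
        dst, i = _addr(t, i)
        dport, i = _port(t, i)              # trailing keywords such as "log" are ignored
        acls[name].append(Ace(t[0], t[1], src, dst, sport, dport, " ".join(t)))
    return acls


def evaluate(aces: List[Ace], proto: str, src: str, dst: str,
             sport: Optional[int] = None, dport: Optional[int] = None) -> Tuple[str, str]:
    """Return (action, entry) for one packet: the first matching entry decides."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for a in aces:
        if (a.proto in ("ip", proto) and s in a.src and d in a.dst
                and a.sport in (None, sport) and a.dport in (None, dport)):
            return a.action, a.text
    return "deny", "implicit deny ip any any"


# The dmz_in / dmz_out lists exactly as posted in the follow-up config.
POSTED_ACLS = """
ip access-list extended dmz_in
 permit tcp host 10.1.100.200 host 10.1.225.200 eq www log
 permit tcp host 10.1.100.200 host 10.1.225.200 eq 443 log
 permit tcp host 10.2.10.200 host 10.1.225.200 eq www log
 permit tcp host 10.2.10.200 host 10.1.225.200 eq 443 log
 permit tcp any host 10.1.225.200 eq 587 log
 permit tcp any host 10.1.225.200 eq smtp log
 permit tcp any host 10.1.225.200 eq 465 log
 permit ip any host 10.1.225.254 log
 permit ip host 10.1.225.254 any log
 permit tcp host 10.1.100.200 host 10.2.225.200 eq www log
 permit tcp host 10.1.100.200 host 10.2.225.200 eq 443 log
 permit tcp host 10.2.10.200 host 10.2.225.200 eq www log
 permit tcp host 10.2.10.200 host 10.2.225.200 eq 443 log
 deny ip any any log
ip access-list extended dmz_out
 permit tcp host 10.1.100.200 host 10.1.225.200 eq www log
 permit tcp host 10.1.100.200 host 10.1.225.200 eq 443 log
 permit tcp host 10.2.10.200 host 10.1.225.200 eq www log
 permit tcp host 10.2.10.200 host 10.1.225.200 eq 443 log
 permit tcp host 10.1.225.200 host 10.1.100.200 eq 587 log
 permit tcp host 10.1.225.200 host 10.1.100.200 eq smtp log
 permit tcp host 10.1.225.200 host 10.1.100.200 eq 465 log
 permit ip any host 10.1.225.254 log
 permit ip host 10.1.225.254 any log
 permit tcp host 10.1.100.200 host 10.2.225.200 eq www log
 permit tcp host 10.1.100.200 host 10.2.225.200 eq 443 log
 permit tcp host 10.2.10.200 host 10.2.225.200 eq www log
 permit tcp host 10.2.10.200 host 10.2.225.200 eq 443 log
 deny ip any any log
"""

# Flows the original post asks for and the list each one crosses on Vlan225:
# (label, acl, proto, src, dst, sport, dport). The Exchange reply is its own
# flow because the ACL keeps no state. Sample ports/addresses are constructed.
FLOWS = [
    ("internet -> smtp host tcp/25",          "dmz_out", "tcp",  "203.0.113.10", "10.1.225.200", 40000, 25),
    ("smtp host -> exchange tcp/25",          "dmz_in",  "tcp",  "10.1.225.200", "10.1.100.200", 40001, 25),
    ("exchange reply tcp/25 -> smtp host",    "dmz_out", "tcp",  "10.1.100.200", "10.1.225.200", 25, 40001),
    ("jump box 10.1.10.200 -> smtp host 443", "dmz_out", "tcp",  "10.1.10.200",  "10.1.225.200", 40002, 443),
    ("jump box 10.2.10.200 -> smtp host 443", "dmz_out", "tcp",  "10.2.10.200",  "10.1.225.200", 40002, 443),
    ("smtp host -> gateway icmp",             "dmz_in",  "icmp", "10.1.225.200", "10.1.225.254", None, None),
]


def check_flows(config: str = POSTED_ACLS, flows=FLOWS) -> Dict[str, Tuple[str, str]]:
    """Map each flow label to (action, deciding entry) under the given config."""
    acls = parse_acls(config)
    return {label: evaluate(acls[acl], proto, src, dst, sport, dport)
            for label, acl, proto, src, dst, sport, dport in flows}


if __name__ == "__main__":
    for label, (action, entry) in check_flows().items():
        print(f"{action:6} {label:38} <- {entry}")
```

Run as-is, the evaluator reports `deny` for every flow except two: the ping from 10.1.225.200 to 10.1.225.254 (matched by `permit ip any host 10.1.225.254 log` in dmz_in, so the ACL text on its own does not account for the failed ping) and HTTPS from 10.2.10.200. Inbound SMTP from the Internet falls to the `deny ip any any` in dmz_out, because the `permit tcp any host 10.1.225.200 eq smtp` entries sit in dmz_in, which only sees traffic leaving the VLAN; the relay from 10.1.225.200 to 10.1.100.200 falls to the deny in dmz_in for the mirror-image reason; the Exchange server's reply (source port 25 back to the DMZ host) matches nothing in dmz_out, which is the stateless-ACL caveat: reverse entries or `established` are needed for TCP to complete; and 10.1.10.200, the jump box address given in the post, is denied because both lists name 10.2.10.200 instead. Each result carries the deciding entry, so the output can be read straight against the config.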

Bump!
