07-17-2012 02:06 AM - edited 03-11-2019 04:31 PM
Hi All,
I just need to clarify a few simple rules to clear my doubts.
I have an outside, an inside and a DMZ interface.
dmz-server = 172.16.10.10
inside-server = 192.168.1.254
I just need 2 simple rules:
1. DMZ-server to access the inside-server IP only, and deny anything else on the Inside
2. DMZ-server to access the internet
1. access-list dmz_access_in line 1 extended permit ip object DMZ-Server object INSIDE-SERVER
2. access-list dmz_access_in line 2 extended permit ip object DMZ-Server any
My objective is for the DMZ-server to access only 192.168.1.254 and be denied to all other inside IPs.
Is my above ACL correct? To me, ACL 2 above seems to overwrite the rule above it.
Or am I missing a DENY rule? If so, which order should they be in?
Please advise.
07-17-2012 02:37 AM
Hi,
Simply configure the following ACL
1. access-list dmz_access_in line 1 extended permit ip object DMZ-Server object INSIDE-SERVER
2. access-list dmz_access_in line 2 extended deny ip object DMZ-Server 192.168.1.0 255.255.255.0
3. access-list dmz_access_in line 3 extended permit ip object DMZ-Server any
Assuming the INSIDE network is 192.168.1.0/24, this will basically do the following:
- Allow traffic from the DMZ server to the INSIDE server
- Block all other traffic from the DMZ server to the INSIDE network
- Permit all the rest of the traffic from the DMZ server to any other network (for example to all public IP addresses and other LAN networks, if you have any)
- Jouni
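Since an ASA ACL is evaluated top-down on first match and ends with an implicit deny, the order of the three entries above is what makes them work. The following is an added example (not from the thread or from Cisco) that evaluates both ACL versions the same way, with the object names and addresses taken from the posts above; the parser only understands the `object NAME`, `any` and `NETWORK MASK` forms used here (an assumption for brevity).

```python
import ipaddress

# Object definitions, constructed from the addresses given in the thread
OBJECTS = {
    "DMZ-Server": ipaddress.ip_network("172.16.10.10/32"),
    "INSIDE-SERVER": ipaddress.ip_network("192.168.1.254/32"),
}

def _parse_addr(tokens):
    """Consume one address spec: 'any', 'object NAME' or 'NETWORK MASK'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "object":
        return OBJECTS[tokens[1]], tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_ace(line):
    """Parse 'access-list NAME line N extended ACTION ip SRC DST' (ip protocol only)."""
    tok = line.split()
    if tok[0] != "access-list" or tok[4] != "extended" or tok[6] != "ip":
        raise ValueError(f"unsupported ACE: {line}")
    action = tok[5]
    src, rest = _parse_addr(tok[7:])
    dst, _ = _parse_addr(rest)
    return action, src, dst

def evaluate(acl_lines, src_ip, dst_ip):
    """First-match evaluation; anything unmatched hits the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for line in acl_lines:
        action, src, dst = parse_ace(line)
        if s in src and d in dst:
            return action
    return "deny"

# The original two-entry ACL from the question
ORIGINAL = [
    "access-list dmz_access_in line 1 extended permit ip object DMZ-Server object INSIDE-SERVER",
    "access-list dmz_access_in line 2 extended permit ip object DMZ-Server any",
]
# The corrected three-entry ACL from the answer
FIXED = [
    "access-list dmz_access_in line 1 extended permit ip object DMZ-Server object INSIDE-SERVER",
    "access-list dmz_access_in line 2 extended deny ip object DMZ-Server 192.168.1.0 255.255.255.0",
    "access-list dmz_access_in line 3 extended permit ip object DMZ-Server any",
]

if __name__ == "__main__":
    for acl in (ORIGINAL, FIXED):
        # 192.168.1.10 is a constructed "other inside host" to show the gap
        print([evaluate(acl, "172.16.10.10", dst) for dst in ("192.168.1.254", "192.168.1.10", "8.8.8.8")])
```

With ORIGINAL the second list prints `permit` for 192.168.1.10, which is the hole the question worried about; with FIXED it prints `deny` while internet traffic stays permitted.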
07-17-2012 02:39 AM
Thank you very much!