03-29-2007 03:28 AM - edited 03-03-2019 04:21 PM
Hello.
I have below case:
interface FastEthernet0/0
description INTRANET
ip address 10.20.28.1 255.255.252.0
ip nat inside
duplex auto
speed auto
!
interface Serial0/0.3 point-to-point
description INTERNET
ip address <real_ip> 255.255.255.192
ip nat outside
frame-relay interface-dlci 404
!
interface FastEthernet0/1
description DMZ
ip address real 255.255.255.192
duplex auto
speed auto
!
I want:
to allow only telnet from INTERNET to DMZ.
to allow ALL traffic from DMZ and INTRANET to INTERNET.
Please, help me with ACL rules...
03-30-2007 02:59 AM
Hello Max,
After such long work I would like to know whether your problem has been resolved, or up to where you have got, so that I can try to help it out.
Rgds,
Jitesh
03-29-2007 05:31 AM
I think (I just started with my CCNA)
access-list 101 permit tcp 0.0.0.0 255.255.255.255 your.?.ser.ver 0.0.0.0 eq 23
RouterA(config)#ip nat inside source list 1 interface [interface to the internet] overload
RouterA(config)#access-list 1 permit any
03-29-2007 05:36 AM
But on which interface, inbound or outbound, do I need to apply this...
03-29-2007 05:41 AM
You should put the access-list on the serial interface to allow only the telnet traffic coming inbound to the DMZ from the outside.
03-29-2007 05:43 AM
and the ACL should look something like this:
access-list 101 permit tcp any (DMZ subnet) eq 23
03-29-2007 05:43 AM
You can use an EXTENDED ACL to permit only the telnet traffic and attach it to the outbound direction on the serial interface.
config t
access-list 101 permit tcp any (DMZ subnet) eq 23
int s 0/0.3
ip access-group 101 in
This should help you.
-amit singh
03-29-2007 05:59 AM
Hi Amit
This might create some problems. If you apply this inbound on the serial interface you have in fact denied all other traffic other than telnet to the DMZ. This is probably not what is intended.
What might be a better solution is to apply your access-list on the DMZ interface in an outbound direction which would not interfere with the main traffic flow.
That is why I asked whether the poster wanted the intranet clients to be able to talk to the DMZ servers.
HTH
Jon
03-29-2007 06:02 AM
We can speculate on what he wanted , but the solution was given to the question that he asked. If anyone is asking a question that might have production impact, I would hope they would state that in the question.
03-29-2007 06:08 AM
Hi
I wasn't speculating on what he wanted and the answer given was not a solution to his problem.
The second part of the problem states that he wants to allow all traffic from the DMZ and the intranet out to the internet.
Now if you apply the access-list given on the serial interface in an inbound direction that would block ANY return traffic from the internet. The access-list is not stateful.
HTH
Jon
03-29-2007 06:12 AM
It is speculation until Amit can reply with his exact requirements.
03-29-2007 06:20 AM
Hi
The post is not about Amit's requirements. Amit and yourself supplied an answer that did not meet the requirements of the original poster. There is some confusion over Amit's answer in that he talks about applying the acl outbound but the config shows it being applied inbound.
I have posted incorrect or misleading posts before and am the first to accept if I have made a mistake. The issue is really to make sure the user doesn't do something that breaks his network.
So I still can't see how it is speculation. The requirements are quite plain.
Jon
03-29-2007 06:24 AM
My bad, I meant the requirements of the original poster, not Amit. I admit that the answer given won't solve his entire requirement but I think more info is needed. I only read part of the message before I replied. I guess I've been away from the lab too long.
03-29-2007 06:30 AM
And I just got out of a very long, boring and most importantly non-technical meeting, so I wasn't in the best frame of mind.
Apologies if I came on a bit strong. No offense intended.
Jon
03-29-2007 05:46 AM
Hi
Do you want to allow anybody from your intranet to access the DMZ servers or do you just want people on the internet to have access to DMZ with telnet ?
This makes a difference in the access-list
Jon
03-29-2007 06:23 AM
Thanks everyone. Let me clarify.
Telnet was just example. In fact I need that:
1) ALL traffic from INTRANET to DMZ and INTERNET
2) ALL traffic from DMZ to INTERNET
3) SNMP and SNMPTRAPS from DMZ to INTRANET
4) ECHO, FTP, SSH, SMTP, DNS, TFTP, HTTP, POP3, NNTP, NTP, SNMP, SNMPTRAPS, HTTPS, SECURE POP3 from INTERNET to DMZ
and I want to use the following ACL (correct me if I'm wrong):
!
interface serial 0/0.3
ip access-group 120 in
!
access-list 120 permit tcp any any eq echo
access-list 120 permit udp any any eq echo
access-list 120 permit tcp any any eq ftp
access-list 120 permit tcp any any eq ftp-data established
access-list 120 permit tcp any any eq 22
access-list 120 permit tcp any any eq smtp
access-list 120 permit tcp any any eq domain
access-list 120 permit udp any any eq domain
access-list 120 permit udp any any eq tftp
access-list 120 permit tcp any any eq www
access-list 120 permit tcp any any eq pop3
access-list 120 permit tcp any any eq nntp
access-list 120 permit tcp any any eq 123
access-list 120 permit udp any any eq snmp
access-list 120 permit udp any any eq snmptrap
access-list 120 permit udp any any eq ntp
access-list 120 permit tcp any any eq 443
access-list 120 permit tcp any any eq 995
access-list 120 permit tcp any any eq telnet
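The point Jon raises earlier in the thread (a numbered ACL is not stateful, so an inbound list on Serial0/0.3 also judges the replies to sessions the DMZ and intranet open towards the internet) is easy to see by replaying a few packets through a model of IOS ACL evaluation. The following Python is an added example, not code from the thread or from Cisco: it parses a subset of the poster's ACL 120 lines verbatim, evaluates constructed packets with IOS semantics (top-down, first match wins, implicit deny), and then repeats the test with one hypothetical extra line, `permit tcp any any established`, which is my assumption and not part of the poster's config. The addresses are constructed from documentation ranges and stand in for the `<real_ip>` and `real` placeholders in the original post.

```python
# Added example (not from the thread): a small model of how IOS evaluates a
# numbered extended ACL packet by packet, used to show what ACL 120, applied
# inbound on Serial0/0.3, does to return traffic of sessions opened from inside.
from dataclasses import dataclass

# Standard IOS port keywords used in the thread's ACL (well-known port numbers).
PORT_NAMES = {"echo": 7, "ftp-data": 20, "ftp": 21, "telnet": 23, "smtp": 25,
              "domain": 53, "tftp": 69, "www": 80, "pop3": 110, "nntp": 119,
              "ntp": 123, "snmp": 161, "snmptrap": 162}

@dataclass
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int
    ack: bool = False   # TCP ACK (or RST) bit set: the only thing 'established' keys on

def _ip(s):
    a, b, c, d = (int(x) for x in s.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def _parse_addr(tok):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'; return ((net, wild), rest)."""
    if tok[0] == "any":
        return (0, 0xFFFFFFFF), tok[1:]
    if tok[0] == "host":
        return (_ip(tok[1]), 0), tok[2:]
    return (_ip(tok[0]), _ip(tok[1])), tok[2:]

def _parse_port(tok):
    """Consume an optional 'eq <name|number>'; return (port or None, rest)."""
    if tok and tok[0] == "eq":
        return PORT_NAMES.get(tok[1], int(tok[1]) if tok[1].isdigit() else None), tok[2:]
    return None, tok

def parse_ace(line):
    """Parse 'access-list N permit|deny proto src [eq p] dst [eq p] [established]'."""
    t = line.split()
    action, proto, rest = t[2], t[3], t[4:]
    src, rest = _parse_addr(rest)
    sport, rest = _parse_port(rest)
    dst, rest = _parse_addr(rest)
    dport, rest = _parse_port(rest)
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "established": "established" in rest}

def _addr_ok(spec, ip):
    net, wild = spec
    return (_ip(ip) | wild) == (net | wild)

def matches(ace, p):
    if ace["proto"] != "ip" and ace["proto"] != p.proto:
        return False
    if not (_addr_ok(ace["src"], p.src) and _addr_ok(ace["dst"], p.dst)):
        return False
    if ace["sport"] is not None and ace["sport"] != p.sport:
        return False
    if ace["dport"] is not None and ace["dport"] != p.dport:
        return False
    if ace["established"] and not (p.proto == "tcp" and p.ack):
        return False
    return True

def evaluate(acl, p):
    """Top-down, first match wins, implicit deny at the end (IOS semantics)."""
    for ace in acl:
        if matches(ace, p):
            return ace["action"]
    return "deny"

# A subset of the poster's ACL 120, quoted verbatim; the remaining ACEs in the
# thread have the same 'any any eq <port>' shape and behave the same way.
ACL_120 = [parse_ace(l) for l in [
    "access-list 120 permit tcp any any eq ftp",
    "access-list 120 permit tcp any any eq ftp-data established",
    "access-list 120 permit tcp any any eq 22",
    "access-list 120 permit tcp any any eq domain",
    "access-list 120 permit udp any any eq domain",
    "access-list 120 permit tcp any any eq www",
    "access-list 120 permit tcp any any eq 443",
]]

# Hypothetical extra line (assumption, not the poster's config): let replies of
# TCP sessions opened from inside back in. Still stateless: it trusts the ACK bit.
ACL_120_EST = ACL_120 + [parse_ace("access-list 120 permit tcp any any established")]

# Constructed addresses from documentation ranges (198.51.100.0/24, 203.0.113.0/24).
INTERNET_HOST = "198.51.100.7"
DMZ_SERVER = "203.0.113.10"      # stands in for the 'real' DMZ address in the post
NAT_OUTSIDE = "203.0.113.2"      # stands in for <real_ip> on Serial0/0.3

def run_scenarios():
    """Evaluate a few packets arriving inbound on Serial0/0.3 against both ACL versions."""
    ssh_in = Packet("tcp", INTERNET_HOST, DMZ_SERVER, 40000, 22)             # new SSH to DMZ
    web_reply = Packet("tcp", INTERNET_HOST, NAT_OUTSIDE, 80, 51234, ack=True)  # reply to an intranet browser
    dns_reply = Packet("udp", INTERNET_HOST, NAT_OUTSIDE, 53, 40123)        # reply to an intranet resolver
    return {
        "ssh_from_internet_to_dmz": evaluate(ACL_120, ssh_in),
        "web_reply_to_intranet_user": evaluate(ACL_120, web_reply),
        "web_reply_with_established": evaluate(ACL_120_EST, web_reply),
        "dns_reply_with_established": evaluate(ACL_120_EST, dns_reply),
    }

if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:32s} {verdict}")
```

Run as-is, the model permits the inbound SSH connection to the DMZ but drops the web server's reply to an intranet user, because that packet has destination port 51234 and only the `ftp-data established` line carries `established`; every outbound session the poster wanted to allow hits the implicit deny on its way back. Adding `permit tcp any any established` lets TCP replies through, but only by trusting the ACK bit, and it does nothing for UDP: the DNS reply is still dropped. That is the caveat behind Jon's remark; on IOS the stateful alternatives are reflexive ACLs or CBAC (`ip inspect`), which track sessions instead of inspecting flags.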