ACL question

NetMaxKar
Level 1

Hello.

I have the case below:

interface FastEthernet0/0
 description INTRANET
 ip address 10.20.28.1 255.255.252.0
 ip nat inside
 duplex auto
 speed auto
!
interface Serial0/0.3 point-to-point
 description INTERNET
 ip address <real_ip> 255.255.255.192
 ip nat outside
 frame-relay interface-dlci 404
!
interface FastEthernet0/1
 description DMZ
 ip address <real_ip> 255.255.255.192
 duplex auto
 speed auto
!

I want:

to allow only telnet from INTERNET to DMZ.

to allow ALL traffic from DMZ and INTRANET to INTERNET.

Please help me with the ACL rules...

19 Replies

Hi

To control DMZ to intranet traffic, use this access-list:

access-list 101 permit udp "DMZ Subnet" 0.0.0.63 10.20.28.0 0.0.3.255 eq snmp

access-list 101 permit udp "DMZ Subnet" 0.0.0.63 10.20.28.0 0.0.3.255 eq snmptrap

access-list 101 permit deny ip "DMZ Subnet" 0.0.0.63 10.20.28.0 0.0.3.255

access-list 101 permit ip "DMZ Subnet" 0.0.0.63 any

Apply it on the DMZ interface in an inbound direction:

interface fa0/1

ip access-group 101 in

To allow the other traffic, use an ACL for the serial interface and apply it in an inbound direction.

What you need to do is this:

access-list 102 permit tcp any "DMZ Subnet" 0.0.0.63 eq ssh

access-list 102 permit tcp any "DMZ Subnet" 0.0.0.63 eq smtp

etc. Add lines for all the traffic from the Internet to your DMZ servers.

access-list 102 deny ip any "DMZ Subnet" 0.0.0.63 # deny any other traffic to the DMZ servers

access-list 102 permit ip any any # allow all other return traffic

interface s0/0.3

ip access-group 102 in

The only other issue is echo. If you really want to allow ping from any Internet machine to your DMZ servers, it is not

access-list 120 permit tcp any any eq echo

access-list 120 permit udp any any eq echo

but

access-list 102 permit icmp any "DMZ Subnet" 0.0.0.63 echo

This is not a particularly good thing to do. It allows people on the Internet to work out which machines you have on public addressing.

Last point. The access-list 102 allows ftp, ssh etc. to all the servers in the DMZ. Presumably you don't have all services running on all servers, i.e. say SMTP was running on only one server. Instead of

access-list 102 permit tcp any "DMZ Subnet" 0.0.0.63 eq smtp

a more secure access-list would be

access-list 102 permit tcp any host "SMTP Server ip address" eq smtp

HTH

Jon

Hi

One slight change to the above. If you want any traffic to be allowed from the DMZ to the Internet, but only the specified ports from the Internet to the DMZ, then in our access-list 102, BEFORE the line

access-list 102 deny ip any "DMZ Subnet" 0.0.0.63

you need the line

access-list 102 permit tcp any "DMZ Subnet" 0.0.0.63 established

This will allow the DMZ to initiate tcp connections to the Internet.

There is still a problem with non-TCP traffic initiated from the DMZ to the Internet.

If there are any other connections that are initiated from the DMZ to the Internet you will need to account for the return traffic in your acl on the outside interface before you deny ip to the DMZ subnet.

The same applies to the intranet to the DMZ traffic.

You need to add to access-list 101 before the line

access-list 101 permit deny ip "DMZ Subnet" 0.0.0.63 10.20.28.0 0.0.3.255

access-list 101 permit tcp "DMZ Subnet" 0.0.0.63 10.20.28.0 0.0.3.255 established

This is why firewalls are quite useful: they are stateful, so you don't need to account for return traffic in the same way!

HTH

Jon
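The two replies above build access-lists 101 and 102 line by line and then explain why the `established` line has to sit before the `deny`. As an added example that is not part of the original thread, the following Python model evaluates packets against those lists with IOS semantics (entries checked in order, first match wins, implicit deny at the end, wildcard masks, and `established` meaning "TCP segment with ACK or RST set"), so the effect of the missing `established` line and of non-TCP return traffic can be checked offline. It assumes 198.51.100.0/26 for the thread's "DMZ Subnet", 198.51.100.10 for the SMTP server, 192.0.2.5 for the router's NAT outside address and 203.0.113.0/24 for remote hosts; all addresses and packets are constructed placeholders, and the "permit deny" line of ACL 101 is taken as "deny".

```python
"""First-match model of the ACLs discussed in this thread (added example).

Assumed placeholders (not from the thread): DMZ subnet 198.51.100.0/26,
SMTP server 198.51.100.10, NAT outside address 192.0.2.5, remote hosts in
203.0.113.0/24. IOS semantics modelled: ACEs are checked in order, the first
match wins, an unmatched packet hits the implicit deny, and "established"
matches only TCP segments with ACK or RST set.
"""
from dataclasses import dataclass
from typing import Optional, Tuple
import ipaddress


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0             # destination port (tcp/udp)
    ack_or_rst: bool = False   # TCP ACK or RST flag set (what "established" checks)


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 0 bit must match the network, a 1 bit is don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (n & care)


@dataclass(frozen=True)
class Ace:
    """One entry (line) of an extended numbered ACL."""
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches every protocol
    src: Tuple[str, str]          # (network, wildcard)
    dst: Tuple[str, str]
    dport: Optional[int] = None   # "eq <port>"; None means any port
    established: bool = False     # the "established" keyword

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if not wildcard_match(p.src, *self.src) or not wildcard_match(p.dst, *self.dst):
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.established and not (p.proto == "tcp" and p.ack_or_rst):
            return False
        return True


def evaluate(acl, p: Packet) -> str:
    """Return the action of the first matching ACE, or the implicit deny."""
    for ace in acl:
        if ace.matches(p):
            return ace.action
    return "deny"


ANY = ("0.0.0.0", "255.255.255.255")
DMZ = ("198.51.100.0", "0.0.0.63")          # "DMZ Subnet" 0.0.0.63 (/26), assumed
INTRANET = ("10.20.28.0", "0.0.3.255")      # 10.20.28.0 0.0.3.255 (/22)
SMTP_SERVER = ("198.51.100.10", "0.0.0.0")  # host <SMTP server>, assumed

# access-list 102, inbound on Serial0/0.3, as in the first reply (no established line)
ACL_102_FIRST_DRAFT = [
    Ace("permit", "tcp", ANY, DMZ, dport=22),          # permit tcp any DMZ eq ssh
    Ace("permit", "tcp", ANY, SMTP_SERVER, dport=25),  # permit tcp any host SMTP eq smtp
    Ace("deny", "ip", ANY, DMZ),                       # deny ip any DMZ
    Ace("permit", "ip", ANY, ANY),                     # permit ip any any
]
# ... with the correction from the second reply inserted before the deny
ACL_102 = ACL_102_FIRST_DRAFT[:2] + [
    Ace("permit", "tcp", ANY, DMZ, established=True),  # permit tcp any DMZ established
] + ACL_102_FIRST_DRAFT[2:]

# access-list 101, inbound on FastEthernet0/1 (DMZ side); "permit deny" read as "deny"
ACL_101 = [
    Ace("permit", "udp", DMZ, INTRANET, dport=161),    # eq snmp
    Ace("permit", "udp", DMZ, INTRANET, dport=162),    # eq snmptrap
    Ace("permit", "tcp", DMZ, INTRANET, established=True),
    Ace("deny", "ip", DMZ, INTRANET),
    Ace("permit", "ip", DMZ, ANY),
]

# Constructed sample packets as each interface's inbound ACL would see them.
# Serial0/0.3 inbound is checked before NAT, so intranet return traffic is
# addressed to the NAT outside address, not to a 10.20.28.0/22 host.
SAMPLES = {
    "ssh_to_dmz":        Packet("tcp", "203.0.113.7", "198.51.100.20", dport=22),
    "smtp_wrong_host":   Packet("tcp", "203.0.113.7", "198.51.100.20", dport=25),
    "smtp_right_host":   Packet("tcp", "203.0.113.7", "198.51.100.10", dport=25),
    "http_reply_to_dmz": Packet("tcp", "203.0.113.7", "198.51.100.20", dport=51000, ack_or_rst=True),
    "dns_reply_to_dmz":  Packet("udp", "203.0.113.53", "198.51.100.20", dport=40000),
    "reply_to_intranet": Packet("tcp", "203.0.113.7", "192.0.2.5", dport=1025, ack_or_rst=True),
    "dmz_snmp_to_lan":   Packet("udp", "198.51.100.20", "10.20.29.5", dport=161),
    "dmz_telnet_to_lan": Packet("tcp", "198.51.100.20", "10.20.29.5", dport=23),
    "dmz_reply_to_lan":  Packet("tcp", "198.51.100.20", "10.20.29.5", dport=50000, ack_or_rst=True),
    "dmz_to_internet":   Packet("tcp", "198.51.100.20", "203.0.113.7", dport=80),
}


def report():
    """Evaluate every sample against both versions of ACL 102 and against ACL 101."""
    return {name: (evaluate(ACL_102_FIRST_DRAFT, p), evaluate(ACL_102, p), evaluate(ACL_101, p))
            for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, (draft, fixed, dmz_in) in report().items():
        print(f"{name:18s} acl102-draft={draft:6s} acl102={fixed:6s} acl101={dmz_in}")
```

Running it shows the two points of the replies: the SYN-ACK coming back for a connection a DMZ host opened to the Internet is dropped by the first draft of ACL 102 and permitted once the `established` line precedes the `deny`, while a UDP reply (the DNS sample) is still dropped because `established` only ever matches TCP, which is exactly the non-TCP gap the second reply warns about.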

access-list 101 permit deny ip ...

What does "permit deny" mean?

Sorry, that is a typo.

It's meant to be "access-list deny ip...."

Jon

jitesh1982
Level 1

Hello Max,

After such a long discussion I would like to know whether your problem has been resolved, or how far you have got, so that I can try to help with it.

Rgds,

Jitesh
