04-06-2022 11:26 AM
Hi there
I am new to networking and at the moment I am doing an exercise (VLAN, static route, DHCP, ... and ACL). Everything works fine except the ACL.
I have a DMZ with a web server that is connected to an edge router, where I need to configure an ACL to allow DNS, HTTP and HTTPS from outside to my DMZ. But none of my configs are working.
WAN to DMZ
access-list 100 deny ip any any
access-list 100 permit tcp host 10.19.40.10 10.19.16.0 0.0.0.255 eq www
access-list 100 permit tcp host 10.19.40.10 10.19.16.0 0.0.0.255 eq 443
access-list 100 permit tcp host 10.19.40.10 10.19.16.0 0.0.0.255 eq domain
DMZ to WAN
access-list 101 deny ip any any
access-list 101 permit tcp 10.19.16.0 0.0.0.255 host 10.19.40.10 eq 443
access-list 101 permit tcp 10.19.16.0 0.0.0.255 host 10.19.40.10 eq www
access-list 101 permit tcp 10.19.16.0 0.0.0.255 host 10.19.40.10 eq domain
Config DMZ interface
interface GigabitEthernet0/0/1.116
encapsulation dot1Q 116
ip address 10.19.16.254 255.255.255.0
ip access-group 100 in
ip access-group 101 out
ip nat inside
Can someone guide me to the right direction?
Kind Regards
04-06-2022 11:43 AM - edited 04-06-2022 11:44 AM
Firstly, you can't have the deny ip any any line first in the ACL, as that will block everything; you need to move it to the end of the ACL, because ACLs are processed in order.
Secondly, ACL 100 is fine, but what is ACL 101 meant to be doing?
If it is for return traffic then you don't need it, but if you want to then you need to change the ACL, i.e.:
access-list 101 permit tcp 10.19.16.0 0.0.0.255 eq 443 host 10.19.40.10
access-list 101 permit tcp 10.19.16.0 0.0.0.255 eq www host 10.19.40.10
access-list 101 permit tcp 10.19.16.0 0.0.0.255 eq domain host 10.19.40.10
access-list 101 deny ip any any
because for the return traffic it is the source port and not the destination, unless of course the host 10.19.40.10 is running those services as well, but I don't think it is.
Jon
04-06-2022 12:01 PM
Hi Jon
Thank you for the quick reply.
101 is indeed for returning traffic; I thought it was necessary to configure this so that it would be possible to access my web server.
I'll take a look at my configuration.
M.
04-06-2022 11:50 AM
Hello,
In addition to what Jon said I also believe you can only have 1 ACL applied per interface per direction. So you cannot have both ACLs on the same interface and one in and one out as you have shown above.
04-06-2022 11:55 AM
Hi David
As far as I know the rule is one ACL per direction, so you could not have two inbound ACLs on the same interface, for example, but you can have an inbound ACL and an outbound one applied to the same interface.
Jon
04-06-2022 12:14 PM
Jon,
Thank you for clarifying. This is one of those things where I've been learning and, as you get higher in your studies, you find little nuances about technologies you remember having learned the whole time, and then the instructor goes "actually it's this way" and a lot of people have misunderstood it. Basically the Mandela effect.
I appreciate the correction.
04-07-2022 02:04 AM
There is NAT and ACL, so you must be careful about when to use the real IP and when to use the mapped IP.
Ingress: ACL, then NAT
Egress: NAT, then ACL
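The two points made in the replies above, that IOS numbered ACLs are evaluated top-down with first match (so a leading "deny ip any any" shadows every later permit, and return traffic has to be matched on its source port) and that an inbound ACL is checked before NAT while an outbound ACL is checked after it, can be seen in a small simulator. This is an added example, not code from the thread or from Cisco; the web server address 10.19.16.10, the static mapping 83.0.19.1 -> 10.19.16.10 and ACLs 102/103 are assumptions for illustration.

```python
"""Added example, not from the thread: a small model of how Cisco IOS evaluates
numbered extended ACLs and where NAT sits relative to them. It reproduces the
replies' points: first-match evaluation (a leading "deny ip any any" shadows every
later permit; return traffic must match on its *source* port) and
inbound ACL -> NAT -> outbound ACL for traffic entering the outside interface.
The web server 10.19.16.10 and static NAT 83.0.19.1 -> 10.19.16.10 are assumed.
"""
import ipaddress
from collections import namedtuple

PORT_NAMES = {"www": 80, "domain": 53, "https": 443}
Packet = namedtuple("Packet", "proto src dst sport dport")
# src/dst: "any", "host A.B.C.D" or "A.B.C.D W.W.W.W" (wildcard mask); sport/dport: int or None
Ace = namedtuple("Ace", "action proto src sport dst dport")

def _port(tok):
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]

def parse_acls(text):
    """Parse 'access-list N permit|deny proto src [eq p] dst [eq p]' lines into {N: [Ace]}."""
    acls = {}
    for line in text.strip().splitlines():
        t = line.split()
        num, action, proto, rest = int(t[1]), t[2], t[3], t[4:]
        fields = []
        for _ in range(2):                    # source spec, then destination spec
            spec = rest.pop(0)
            if spec != "any":                 # "host A" or "A wildcard": take one more token
                spec += " " + rest.pop(0)
            port = None
            if rest[:1] == ["eq"]:
                port = _port(rest[1])
                del rest[:2]
            fields += [spec, port]
        acls.setdefault(num, []).append(Ace(action, proto, *fields))
    return acls

def _match_addr(spec, addr):
    if spec == "any":
        return True
    a, b = spec.split()
    if a == "host":
        return b == addr
    mask = ~int(ipaddress.ip_address(b)) & 0xFFFFFFFF   # wildcard: 1 bits are don't-care
    return int(ipaddress.ip_address(a)) & mask == int(ipaddress.ip_address(addr)) & mask

def evaluate(acl, pkt):
    """Top-down first match: (action, index of the matching ACE). No match falls
    through to the implicit deny at the end, returned as ("deny", None)."""
    for i, ace in enumerate(acl):
        if (ace.proto in ("ip", pkt.proto)
                and _match_addr(ace.src, pkt.src) and _match_addr(ace.dst, pkt.dst)
                and ace.sport in (None, pkt.sport) and ace.dport in (None, pkt.dport)):
            return ace.action, i
    return "deny", None

def outside_to_inside(pkt, inbound_acl, static_nat, outbound_acl):
    """Outside -> inside: the inbound ACL on the outside interface sees the mapped
    (global) address, NAT rewrites it, then the outbound ACL on the inside
    interface sees the real (local) address."""
    if evaluate(inbound_acl, pkt)[0] == "deny":
        return "dropped by inbound ACL"
    pkt = pkt._replace(dst=static_nat.get(pkt.dst, pkt.dst))
    if evaluate(outbound_acl, pkt)[0] == "deny":
        return "dropped by outbound ACL"
    return f"delivered to {pkt.dst}"

# ACLs 100 and 101 as corrected in the reply (deny last, return traffic matched on source port)
FIXED = parse_acls("""
access-list 100 permit tcp host 10.19.40.10 10.19.16.0 0.0.0.255 eq www
access-list 100 permit tcp host 10.19.40.10 10.19.16.0 0.0.0.255 eq 443
access-list 100 permit tcp host 10.19.40.10 10.19.16.0 0.0.0.255 eq domain
access-list 100 deny ip any any
access-list 101 permit tcp 10.19.16.0 0.0.0.255 eq 443 host 10.19.40.10
access-list 101 permit tcp 10.19.16.0 0.0.0.255 eq www host 10.19.40.10
access-list 101 permit tcp 10.19.16.0 0.0.0.255 eq domain host 10.19.40.10
access-list 101 deny ip any any
""")
POSTED_100 = FIXED[100][-1:] + FIXED[100][:-1]   # the question's order: deny ip any any first
# Hypothetical ACLs for the outside interface: 102 is written against the mapped IP,
# 103 (wrongly) against the real IP; static NAT 83.0.19.1 -> 10.19.16.10 is assumed.
OUTSIDE = parse_acls("""
access-list 102 permit tcp any host 83.0.19.1 eq www
access-list 103 permit tcp any host 10.19.16.10 eq www
""")
STATIC_NAT = {"83.0.19.1": "10.19.16.10"}

REQUEST = Packet("tcp", "10.19.40.10", "10.19.16.10", 51234, 80)  # client -> web server (constructed)
REPLY = Packet("tcp", "10.19.16.10", "10.19.40.10", 80, 51234)    # web server -> client (constructed)
FROM_WAN = Packet("tcp", "10.19.40.10", "83.0.19.1", 51234, 80)   # same request as seen pre-NAT

if __name__ == "__main__":
    print(evaluate(POSTED_100, REQUEST))   # ('deny', 0): shadowed by the first ACE
    print(evaluate(FIXED[100], REQUEST))   # ('permit', 0)
    print(evaluate(FIXED[101], REPLY))     # ('permit', 1): matched on source port www
    print(outside_to_inside(FROM_WAN, OUTSIDE[102], STATIC_NAT, FIXED[100]))  # delivered
    print(outside_to_inside(FROM_WAN, OUTSIDE[103], STATIC_NAT, FIXED[100]))  # dropped
```

The model deliberately ignores which interface and direction an ACL is bound to, which is a separate thing to check in the posted config: on IOS, `ip access-group 100 in` on the DMZ subinterface evaluates packets arriving from the DMZ, so an ACL whose permits name the WAN host as the source will never match there, and an ACL that must see the public address has to sit inbound on the outside interface, before NAT.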
04-12-2022 11:47 PM
Thank you for the replies.
I'll take a look at the feedback that has been given.
I was just thinking: is there no need to configure an ACL for my NAT IP? Does it have to be done on my internal network, where my web host is?
For example: permit tcp any (WAN) 83.0.19.0 (NAT overload) 0.0.0.7 eq 80
Kind regards
04-13-2022 02:31 PM
You get the idea here.