Re: Router ACL question

Wilson Kwok · ‎02-03-2012

Hello,

I'm testing router ACL on PT, the following is interface description:

s0/1/0 connecting to internet

fa0/0 connectin to local lan (192.168.0.0/24)

fa0/1 connectin to DMZ (192.168.0.0/27)

NAT also enabled for overload with lan and nat with DMZ servers for internet access with public IP.

The question is I want to apply ACL with the following description:

1. Internet can't access to local lan, but can access to DMZ servers.

2. Local lan only can access to internet with 80 port and all DMZ servers.

3. DMZ servers can access to internet, but can't access to local lan.

I tried many times to create ACLs, but no luck, please help.

Thanks !!

Ton V Engelen · ‎02-03-2012

Hi, i think you re looking for something like this:

LAN

ip access-list ext LAN-2-DMZ-INET-IN

permit tcp any any eq www (allow traffic from lan to dmz and inet for www)

ip access-list ext LAN-2-DMZ-INET-OUT

permit ip any 192.168.0.0 0.0.0.255 (allow only traffic back for 192.168.0.0 but no other traffic from dmz or inet)

interface Fa0/0 (apply acl to interface)

ip acces-group LAN-2-DMZ-INET-IN in

ip acces-group LAN-2-DMZ-INET-OUT out

DMZ

ip access-list ext DMZ-2-INET-IN

deny ip any 192.168.0.0 0.0.0.255 (deny dmz traffic to lan)

permit ip any any (allow any other traffic)

ip access-list ext DMZ-2-INET-OUT

permit ip any any (allow any traffic to dmz)

apply to interface

interface Fa0/1

ip access-group DMZ-2-INET-IN in

ip access-group DMZ-2-INET-OUT out

But i see 2 issues:

* I dont understand the overlap 192.168.0.0/24 and 192.168.0.0/27 ? better make it 192.168.1.0/27 or something

** i dont know where the nat overload is performed in the network so had to improvise