
Access-List DMZ 1


ralwyn

IS-IT--Management
Sep 23, 2003
34
US
The question I have is how to create an access-list that would deny access from Ethernet 1 to Ethernet 0.

Ethernet 0 is my local LAN 192.168.1.0
Ethernet 1 is my DMZ 172.16.1.0

Ethernet 0 would have full access to the ethernet 1 DMZ
Ethernet 1 would not have access to Ethernet 0

I have tried to create an access-list:

access-list 102 deny ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255

interface ethernet 0
ip access-group 102

but I can still map a drive from 172.16.1.0. What am I missing? PLEASE HELP!

See my configs below:

-Thank you all in advance,
ralwyn


=======================================
interface Ethernet0
description connected to Internal LAN
ip address 192.168.1.254 255.255.255.0
ip nat inside
ip inspect Ethernet_0 in
no ip route-cache
!
interface Ethernet1
description connected to TS and FTP servers
ip address 172.16.1.1 255.255.255.0
ip nat inside
ip inspect Ethernet_0 in
no ip route-cache
!
interface Serial0
description connected to Internet
ip address 66.16.186.27 255.255.255.0
ip access-group 101 in
ip nat outside
ip inspect Serial_0 in
encapsulation frame-relay IETF
service-module t1 remote-alarm-enable
frame-relay map ip 66.16.186.1 16
frame-relay lmi-type ansi
!
ip nat translation timeout 6000
ip nat pool Cisco1605-natpool-2 66.16.184.10 66.16.184.30 netmask 255.255.255.224
ip nat inside source list 1 pool Cisco1605-natpool-2 overload
ip nat inside source static 192.168.1.1 65.16.184.5
ip nat inside source static 172.16.1.11 65.16.184.3
ip nat inside source static 172.16.1.10 65.16.184.2
ip nat inside source static 192.168.1.3 65.16.184.1
ip nat inside source static 172.16.1.12 65.16.184.4
ip nat inside source static 192.168.1.4 65.16.184.6
ip classless
ip route 0.0.0.0 0.0.0.0 66.16.186.1
no ip http server
!
logging 192.168.1.3
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 172.16.1.0 0.0.0.255
access-list 100 permit ip any any
access-list 101 permit tcp host 205.109.133.1 any
access-list 101 permit icmp any any
access-list 101 deny ip host 66.16.184.65 any log-input
access-list 101 permit tcp any host 66.16.184.1 eq www
access-list 101 permit tcp any host 66.16.184.1 eq pop3
access-list 101 permit tcp any host 66.16.184.1 eq smtp
access-list 101 permit tcp any host 66.16.184.1 eq 135
access-list 101 permit tcp any host 66.16.184.1 eq 1000
access-list 101 permit tcp any host 66.16.184.1 eq 1001
access-list 101 deny ip host 66.16.184.2 any log-input
access-list 101 permit tcp any host 66.16.184.2 eq www
access-list 101 permit tcp any host 66.16.184.2 eq 3389
access-list 101 permit tcp any host 66.16.184.2 eq ftp
access-list 101 deny ip host 66.16.184.3 any log-input
access-list 101 permit tcp any host 66.16.184.3 eq www
access-list 101 permit tcp any host 66.16.184.3 eq ftp
access-list 101 permit tcp any host 66.16.184.4 eq www
access-list 101 permit tcp any host 66.16.184.4 eq pop3
access-list 101 permit tcp any host 66.16.184.4 eq smtp
access-list 101 permit tcp any host 66.16.184.4 eq 135
access-list 101 permit tcp any host 66.16.184.4 eq 1000
access-list 101 permit tcp any host 66.16.184.4 eq 1001
access-list 101 permit tcp any host 66.16.184.1 eq 5900
access-list 101 permit tcp any host 66.16.184.5 eq 5900
access-list 101 permit tcp any host 66.16.184.6 eq 3389
access-list 101 permit tcp any host 66.16.184.6 eq www
access-list 101 permit tcp any host 66.16.184.6 eq smtp
access-list 101 permit tcp any host 66.16.184.6 eq 5900
access-list 101 permit tcp any host 66.16.184.6 eq ftp
 
I assume you meant ip access-group 102 in (??), which inspects traffic into eth0.

Try access-list 102 deny ip any 172.16.1.0 0.0.0.255

That should stop traffic to eth1.
 
Ralwyn,

This is a CBAC application. To allow users on E0 to make connections to E1, but to deny E1 users making connections to E0:

ip inspect name RULE1 tcp
ip inspect name RULE2 udp

int e0
ip inspect RULE1 in

int e1
ip access-group 110 in

access-list 110 deny ip any any

The way this works:
The CBAC inspects TCP and UDP traffic, as defined in the first 2 lines.
Applying this rule to e0 inspects all TCP and UDP traffic into E0. The access list on E1 is dynamically modified by CBAC to permit any return traffic for sessions generated on E0.

The idea with the E1 ACL is to specify what traffic needs constant access into that port, then the CBAC will poke additional holes into the list to allow the return traffic to E0.

However, you also have the connection via S0 to the Internet; how much access between E0/E1 and S0 do you need?
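An added simulation, not part of the thread, that models the two setups above: the original ACL 102 applied on E0, and the CBAC answer (deny-all inbound on E1 plus inspection inbound on E0). It keeps the thread's addresses; the packet ports and the simplified session table (4-tuple only, no protocol or timeouts) are constructed assumptions.

```python
import ipaddress

def wildcard_match(addr, network, wildcard):
    """Cisco wildcard mask: 0 bits must match, 1 bits are don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a ^ n) & ~w == 0

def acl_permits(acl, src, dst):
    """Evaluate an extended ACL: first match wins, implicit deny at the end."""
    for action, s_net, s_wc, d_net, d_wc in acl:
        if wildcard_match(src, s_net, s_wc) and wildcard_match(dst, d_net, d_wc):
            return action == "permit"
    return False

ANY = ("0.0.0.0", "255.255.255.255")

class CbacRouter:
    """Per-interface inbound ACLs plus the session table that 'ip inspect ... in'
    builds; replies to inspected sessions bypass the static ACL (simplified)."""
    def __init__(self, acls, inspect_ifaces):
        self.acls = acls              # iface -> ACL entries (absent = no ACL)
        self.inspect = inspect_ifaces # ifaces carrying 'ip inspect ... in'
        self.sessions = set()         # constructed model: (src, sport, dst, dport)

    def inbound(self, iface, src, sport, dst, dport):
        # Reply to a session opened through an inspected interface: CBAC
        # dynamically permits it even though the interface ACL says deny.
        if (dst, dport, src, sport) in self.sessions:
            return True
        acl = self.acls.get(iface)
        if acl is not None and not acl_permits(acl, src, dst):
            return False
        if iface in self.inspect:
            self.sessions.add((src, sport, dst, dport))
        return True

# 1. The poster's attempt: ACL 102 on E0 only. Nothing filters E1 inbound,
#    so a DMZ host can still open SMB (445) to the LAN; LAN->DMZ is what gets denied.
ORIGINAL = CbacRouter({"e0": [("deny", "192.168.1.0", "0.0.0.255",
                               "172.16.1.0", "0.0.0.255")]}, {"e0"})
# 2. The CBAC answer: deny everything inbound on E1, inspect inbound on E0.
FIXED = CbacRouter({"e1": [("deny",) + ANY + ANY]}, {"e0"})

def dmz_to_lan_unsolicited(router):
    return router.inbound("e1", "172.16.1.11", 1025, "192.168.1.3", 445)

def lan_to_dmz_with_reply(router):
    """LAN opens RDP to the DMZ host, then the DMZ host's reply comes back."""
    out = router.inbound("e0", "192.168.1.3", 1030, "172.16.1.10", 3389)
    back = router.inbound("e1", "172.16.1.10", 3389, "192.168.1.3", 1030)
    return out, back
```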
 
The only access between E0/E1 to S0 is the internet. I just don't want E1 talking back to E0.

I will try your solution and let you know.

Thanks so much for your time and answering my problem.

-Ralwyn
 
OK, in that case I would think you will need to remove the ip inspect command from the serial port S0.
Then CBAC should open up holes in the existing ACL 101 on S0 as well.
 
Yes, I will remove the ip inspect from s0. Thanks so much for the help. It is working the way we wanted it to work. Thanks again.

Ralwyn
 