Scenario
1. Now, we have the following configuration:
- Inside can reach the outside (Internet) through NAT.
- The DMZ can reach the outside (Internet) through NAT.
- However, the outside cannot reach the web server in the DMZ.
2. Therefore, we need to configure ACLs that give outside users access to the DMZ web server, and there are several ways to do it:
- First, an extended ACL
- Second, Public Servers
- Third, a global ACL
---------------------------------------------------
First, extended ACL
The following picture shows that an outside user can access the DMZ web server (its global address is 12.12.12.7).
Second, Public Servers ACL (before implementing the Public Servers ACL, remove all existing ACLs)
The Public Servers feature configures both the NAT and the ACL for the DMZ web server directly:
NAT: 172.16.0.10 -> 12.12.12.7
ACL: permit http from any to the DMZ web server
Third, Global ACL (remove all existing ACLs)
- I have only the NAT for the web server in the DMZ: real IP 172.16.0.10 -> global IP 12.12.12.7
- Therefore, I can access the DMZ web server from inside because the security level goes from 100 to 50, but access from outside to the DMZ web server is prohibited because of the implicit deny.
- A global ACL is simple: it applies to all interfaces as the source interface.
As you can see, the interface is '--Any--'.
When you apply a global ACL, the implicit deny rule at the end of the extended (interface) ACLs is removed and moves to the global ACL, which means the implicit deny is placed at the end of the global ACL.
The sequence for checking ACLs is: first the extended ACL is checked; if nothing matches, the global ACL is evaluated; if nothing matches there either, the traffic is denied because of the implicit deny at the end of the global ACL.
The following picture shows that the first entry is the extended ACL and the second line is the global ACL.
The first ACL is an example showing that SMTP will be permitted;
the second, global ACL shows that HTTP traffic to the DMZ web server will be permitted.
Finally, if the traffic matches none of the ACL entries, it is denied because of the implicit deny at the end of the global ACL.
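The three configurations described above, written out as an added ASA CLI example (not part of the original post, which used ASDM screenshots). It assumes ASA 8.3 or later syntax, interfaces named inside, dmz and outside, and the object and ACL names DMZ-WEB, OUTSIDE_IN and GLOBAL_ACL; the source address used in the packet-tracer checks is constructed.

```cisco
! Assumed ASA 8.3+ syntax; nameifs inside (100), dmz (50), outside (0).
! Step 0: static NAT for the DMZ web server (real 172.16.0.10 -> global 12.12.12.7).
object network DMZ-WEB
 host 172.16.0.10
 nat (dmz,outside) static 12.12.12.7
!
! Step 1: extended ACL bound to the outside interface.
! On 8.3+ the ACL is checked after NAT untranslation, so it must match the
! real address (the object), not the mapped 12.12.12.7.
access-list OUTSIDE_IN extended permit tcp any object DMZ-WEB eq http
access-group OUTSIDE_IN in interface outside
!
! Step 2: the ASDM "Public Servers" wizard generates the same object, static NAT
! and interface ACL entry; the post removes the existing ACLs before using it.
clear configure access-list
!
! Step 3: global ACL, applied to every interface instead of one.
! Interface ACLs are evaluated first, then the global ACL; the single implicit
! deny now sits at the end of the global ACL. This mirrors the last screenshot:
! the interface ACL permits SMTP, the global ACL permits HTTP.
clear configure access-list
access-list OUTSIDE_IN extended permit tcp any object DMZ-WEB eq smtp
access-group OUTSIDE_IN in interface outside
access-list GLOBAL_ACL extended permit tcp any object DMZ-WEB eq http
access-group GLOBAL_ACL global
!
! Verify the evaluation order without sending real traffic
! (203.0.113.5 is a constructed source address):
! expected: allowed by OUTSIDE_IN
packet-tracer input outside tcp 203.0.113.5 40000 12.12.12.7 25
! expected: allowed by GLOBAL_ACL
packet-tracer input outside tcp 203.0.113.5 40000 12.12.12.7 80
! expected: dropped by the implicit deny at the end of GLOBAL_ACL
packet-tracer input outside tcp 203.0.113.5 40000 12.12.12.7 22
! hit counts confirm which entry matched
show access-list
```

The packet-tracer output names the phase (interface ACL, global ACL or implicit deny) that allowed or dropped each flow, which is the quickest way to confirm that only the intended ports reach the DMZ server.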