
nat and access-lists

Status: Not open for further replies.

scarabza (MIS, ZA)
Oct 27, 2003
Greetings,

How do I ACL NATs from a higher security level to a lower security level? i.e.:

ethernet0 - outside
ethernet1 - inside
ethernet2 - dmz

I want to ACL connections from inside to the DMZ. I'm also not NATing connections from 'inside', i.e.: nat (inside) 0 0 0

Can anyone help me out?
 
The source address is the real source address of the originating station within the DMZ; the destination address is the address of the inside host. The ACL is then applied on the DMZ interface in the inbound direction.

access-list out_in permit tcp host 10.0.0.1 host 20.0.0.1 eq ftp
access-group out_in in interface dmz
 
If I want to connect from a client on an interface (eth2) with a security level of 100 to a host on an interface (eth3) with a security level of 50, can I still apply that access-list on the eth3 interface? Will it still block connections coming in from eth2?
 
Can't remember, being honest, partly because I block everything in all directions as the first thing to do, then put the holes through. So I would expressly permit the host from the DMZ to the outside and block everything else.

Hope that makes sense.
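As an added example, not posted in this thread, here is a PIX 6.x configuration for the three-interface layout the original poster describes, following the default-deny approach of the reply above; the addresses, host roles and ACL names are assumed. On PIX 6.x an access-group only binds an ACL in the "in" direction, so an ACL bound to the dmz interface filters traffic entering the firewall from DMZ hosts, while inside-to-DMZ connections (allowed by default from a higher to a lower security level) are restricted only by an ACL bound inbound on the inside interface.

```text
: Assumed addressing (constructed for this example):
:   inside 192.168.1.0/24, dmz 172.16.1.0/24, DMZ server 172.16.1.10
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 172.16.1.1 255.255.255.0

: No translation for inside hosts toward lower-security interfaces (as in the original post)
nat (inside) 0 0.0.0.0 0.0.0.0

: Traffic entering FROM the DMZ (lower to higher security) is denied unless permitted here.
: Binding this ACL on dmz does not restrict what inside hosts may open toward the DMZ.
access-list dmz_in permit tcp host 172.16.1.10 host 192.168.1.20 eq ftp
access-list dmz_in deny ip any any
access-group dmz_in in interface dmz

: Traffic entering FROM inside (higher to lower security) is allowed by default.
: To limit inside-to-DMZ connections, bind the ACL inbound on the inside interface.
: Once bound, everything not permitted is dropped (implicit deny), so the final line
: keeps inside-to-outside access working.
access-list inside_in permit tcp 192.168.1.0 255.255.255.0 host 172.16.1.10 eq www
access-list inside_in permit tcp 192.168.1.0 255.255.255.0 host 172.16.1.10 eq ssh
access-list inside_in deny ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list inside_in permit ip 192.168.1.0 255.255.255.0 any
access-group inside_in in interface inside
```

The explicit deny toward the DMZ sits before the broad permit so that inside hosts reach the outside but only the listed DMZ services.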
 