access-list outside_in deny ip 0.0.0.0 255.0.0.0 any
access-list outside_in deny ip 10.0.0.0 255.0.0.0 any
access-list outside_in deny ip 127.0.0.0 255.0.0.0 any
access-list outside_in deny ip 172.16.0.0 255.240.0.0 any
access-list outside_in deny ip 192.168.0.0 255.255.0.0 any
access-list outside_in deny ip 224.0.0.0 224.0.0.0 any
access-list outside_in permit tcp any host web eq http
access-list outside_in permit tcp any host dns eq domain
access-list outside_in permit udp any host dns eq domain
object-group icmp-outside-in
access-list outside_in deny ip 0.0.0.0 255.0.0.0 any
access-list outside_in deny ip 10.0.0.0 255.0.0.0 any
access-list outside_in deny ip 127.0.0.0 255.0.0.0 any
access-list outside_in deny ip 172.16.0.0 255.240.0.0 any
access-list outside_in deny ip 192.168.0.0 255.255.0.0 any
access-list outside_in deny ip 224.0.0.0 224.0.0.0 any
I guess this part is not required, as by default the inbound access would be restricted for the above-mentioned network addresses and you don't need to deny them by specifying it.
The route command, CONDUITS and ACLs should pretty much allow the LAN1 to reach the internet.
Joined: 28 Oct 2002 Posts: 16777215 Location: Chicago, IL US
Posted: Wed Nov 08, 2006 11:26 pm Post subject:
riyaz145 wrote:
I guess this part is not required, as by default the inbound access would be restricted for the above-mentioned network addresses and you don't need to deny them by specifying it.
You're right, it's not necessary to explicitly deny these addresses, as the explicit or implicit deny at the end of the ACL will drop those packets. It is, however, common practice to add those source networks at the beginning of an "external ACL". This allows the firewall to drop bogus source addresses (bogons) early in the ACL. This can speed things up if a more complex ACL is in use.
Also, please refrain from using or advising others to use the conduit and outbound commands. While these commands are still available in the 6.x series, they have been removed from 7.x. Please use access-lists in order to permit and deny access across interfaces.
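As an added check that is not part of the thread, here is a small first-match evaluator for the PIX-style entries posted above (normal subnet masks, implicit deny at the end) that reports which entry a packet hits; the `web` and `dns` names are assumed to resolve to RFC 5737 documentation addresses. Running it shows private and multicast sources dropped at entries 2 and 6 with the filter in place, and, because the permit entries use `any` as source, a spoofed 10.0.0.0/8 source aimed at the web server's http port matching the permit entry rather than the implicit deny once the six leading denies are removed.

```python
import ipaddress
# Constructed sample: the thread's "web"/"dns" names mapped to assumed RFC 5737 addresses.
HOSTS = {"web": "203.0.113.10", "dns": "203.0.113.53"}
# The outside_in entries as posted in the thread (PIX syntax uses real subnet masks).
ACL = """
access-list outside_in deny ip 0.0.0.0 255.0.0.0 any
access-list outside_in deny ip 10.0.0.0 255.0.0.0 any
access-list outside_in deny ip 127.0.0.0 255.0.0.0 any
access-list outside_in deny ip 172.16.0.0 255.240.0.0 any
access-list outside_in deny ip 192.168.0.0 255.255.0.0 any
access-list outside_in deny ip 224.0.0.0 224.0.0.0 any
access-list outside_in permit tcp any host web eq http
access-list outside_in permit tcp any host dns eq domain
access-list outside_in permit udp any host dns eq domain
"""

def parse_endpoint(tokens):
    # One PIX address spec: "any" | "host NAME" | "NET MASK" -> (network, remaining tokens)
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(HOSTS.get(tokens[1], tokens[1]) + "/32"), tokens[2:]
    # PIX access-lists take a normal subnet mask here, not an IOS-style wildcard mask
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_acl(text):
    # Each entry becomes (action, proto, src_net, dst_net, dst_service_or_None)
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list":
            continue
        src, rest = parse_endpoint(t[4:])
        dst, rest = parse_endpoint(rest)
        service = rest[1] if rest[:1] == ["eq"] else None
        rules.append((t[2], t[3], src, dst, service))
    return rules

def evaluate(rules, proto, src_ip, dst_ip, service=None):
    # First match wins; falling off the end is the implicit deny of every PIX ACL.
    # Returns (action, entry_number); entry_number is None for the implicit deny.
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for n, (action, rproto, rsrc, rdst, rsvc) in enumerate(rules, 1):
        if rproto not in ("ip", proto) or s not in rsrc or d not in rdst:
            continue
        if rsvc is not None and rsvc != service:
            continue
        return action, n
    return "deny", None

RULES = parse_acl(ACL)
```

Compare `evaluate(RULES, ...)` with `evaluate(RULES[6:], ...)` to see exactly what the six leading deny entries change for a given packet.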