The following traffic should be allowed (and all others implicitly denied).
1. Every host not in the DMZ should be able to query the web server (port 80). Where do you place this rule? (Which firewalls and which direction?)
2. All hosts associated with the company should be able to establish communications with the IMAP server over SSL (port 993). What IP and port number will you include in the ACL?
3. Hosts in satellite LANs should be able to establish communications with the database server (port 66). Write or describe the rule that applies to FW1.
This chart may help.
Direction | Source IP | Source Port | Destination IP | Destination Port | Protocol | Accept/Deny |
Expert Answer
For this, from every server except the DMZ, we need to provide the inbound and outbound traffic.
Direction | Source IP | Source Port | Destination IP | Destination Port | Protocol | Accept/Deny |
FW3 | 192.168.15.0/24 | 80 | 192.168.17.2 | 80 | HTTP | Accept (for the inbound direction, the web server must be permitted at FW2) |
FW2 | 192.168.17.2/24 | 80 | 192.168.15.0 | 80 | HTTP | Accept (for outbound traffic, the subnet must be permitted at FW3) |
FW4 | 192.168.16.0/24 | 80 | 192.168.17.2/24 | 80 | HTTP | Accept (for the inbound direction, the web server must be permitted at FW2) |
FW2 | 192.168.17.2/24 | 80 | 192.168.16.0/24 | 80 | HTTP | Accept (for outbound traffic, the subnet must be permitted at FW4) |
FW5 | 192.168.14.0/24 | 80 | 192.168.17.2/24 | 80 | HTTP | Accept (for the inbound direction, the web server must be permitted at FW2) |
FW2 | 192.168.17.2/24 | 80 | 192.168.14.0/24 | 80 | HTTP | Accept (for outbound traffic, the subnet must be permitted at FW5) |
FW1 | 192.169.0.0/16 | 80 | 192.168.17.2/24 | 80 | HTTP | Accept (for the inbound direction, the web server must be permitted at FW2) |
FW2 | 192.168.17.2/24 | 80 | 192.169.0.0/16 | 80 | HTTP | Accept (for outbound traffic, the subnet must be permitted at FW1) |
2) Answer:
In this question, I'm giving the answer with respect to a single firewall direction. The remaining firewalls are all similar.
FW5(config)#interface fa0/0 (inbound interface toward WAN)
FW5(config-if)#ip access-group 110 out
The following commands make the configuration between FW5 and FW2:
FW5(config)#access-list 110 permit tcp 192.168.14.0 0.0.0.255 host 192.168.17.1 eq 993
FW2(config)#interface fa0/0 (interface toward FW5)
FW2(config-if)#ip access-group 110 out
FW2(config)#access-list 110 permit tcp host 192.168.17.1 eq 993 192.168.14.0 0.0.0.255
The same thing applies to the remaining firewalls.
3) Answer:
Traffic towards FW1 must be permitted from the satellite firewalls (FW3, FW4 and FW5) for port 66.
Here I give the answer for FW3 to FW1; the remaining ones would be the same. In this scenario we define the rule at FW1 with respect to FW3:
For FW1
FW1(config)#interface fa0/0 (interface toward FW5)
FW1(config-if)#ip access-group 110 out
FW1(config)#access-list 110 permit tcp host 192.169.0.1 192.168.15.0 0.0.0.255 eq 66
At FW2, we need to permit all traffic coming from FW3, FW4 and FW5 in both the inbound and outbound direction, so that FW2 can pass traffic in both directions.
FW2(config)#access-list 100 permit ip 192.169.0.0 0.0.0.255 192.168.15.0 0.0.0.255
FW2(config)#access-list 100 permit ip 192.169.0.0 0.0.0.255 192.168.14.0 0.0.0.255
FW2(config)#access-list 100 permit ip 192.169.0.0 0.0.0.255 192.168.16.0 0.0.0.255
FW2(config)#interface fa0/0 (interface toward the inbound direction)
FW2(config-if)#ip access-group 100 in
FW2(config)#interface fa0/1 (interface toward the outbound direction)
FW2(config-if)#ip access-group 100 out
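The three rules above are evaluated the way a stateless packet filter evaluates an ACL: top to bottom, first match wins, and anything that matches nothing is dropped by the implicit deny at the end. The following Python model is an added example, not part of the question or the expert answer. It encodes the three permitted flows, evaluates sample packets against them, and renders each rule in Cisco IOS extended-ACL syntax (wildcard mask = inverted netmask). Addresses come from the answer above where it gives them; the DMZ prefix (192.168.17.0/24) and the database server address (192.168.17.3) are assumptions, since the page does not state them. Rules key on the destination port only, because clients pick ephemeral source ports.

```python
"""Added example: first-match ACL evaluation with implicit deny, plus an
IOS extended-ACL renderer. Not code from the page; addresses partly assumed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Taken from the answer above:
WEB_SERVER = "192.168.17.2"
IMAP_SERVER = "192.168.17.1"
HQ_LAN = "192.169.0.0/16"                   # network behind FW1
SATELLITE_LANS = ["192.168.14.0/24",        # behind FW5
                  "192.168.15.0/24",        # behind FW3
                  "192.168.16.0/24"]        # behind FW4
# Assumptions (the page does not state these):
DMZ = "192.168.17.0/24"
DB_SERVER = "192.168.17.3"
ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp" or "ip" (any protocol)
    src: str                     # CIDR prefix; /32 for a single host
    dst: str
    dport: Optional[int] = None  # None = any destination port


def _net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr, strict=False)


def evaluate(rules: List[Rule], proto: str, src_ip: str, dst_ip: str, dport: int) -> str:
    """Return the action of the first matching rule, or 'deny' if none matches."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if r.proto != "ip" and r.proto != proto:
            continue
        if src not in _net(r.src) or dst not in _net(r.dst):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action
    return "deny"  # the implicit deny every ACL ends with


def _ios_addr(cidr: str) -> str:
    net = _net(cidr)
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    if net.prefixlen == 0:
        return "any"
    return f"{net.network_address} {net.hostmask}"  # IOS wildcard mask


def to_ios(rule: Rule, acl_number: int = 110) -> str:
    """Render a Rule as a Cisco IOS numbered extended-ACL line."""
    line = (f"access-list {acl_number} {rule.action} {rule.proto} "
            f"{_ios_addr(rule.src)} {_ios_addr(rule.dst)}")
    if rule.dport is not None:
        line += f" eq {rule.dport}"
    return line


def build_acl() -> List[Rule]:
    rules: List[Rule] = []
    # Q1: every host NOT in the DMZ may reach the web server on 80. The DMZ
    # deny goes first because evaluation stops at the first match.
    rules.append(Rule("deny", "tcp", DMZ, WEB_SERVER + "/32", 80))
    rules.append(Rule("permit", "tcp", ANY, WEB_SERVER + "/32", 80))
    # Q2: company hosts (HQ and satellite LANs) may reach IMAP over SSL (993).
    for lan in [HQ_LAN] + SATELLITE_LANS:
        rules.append(Rule("permit", "tcp", lan, IMAP_SERVER + "/32", 993))
    # Q3: satellite LANs may reach the database server on 66.
    for lan in SATELLITE_LANS:
        rules.append(Rule("permit", "tcp", lan, DB_SERVER + "/32", 66))
    return rules


ACL = build_acl()

if __name__ == "__main__":
    for r in ACL:
        print(to_ios(r))
    print(evaluate(ACL, "tcp", "192.168.15.10", WEB_SERVER, 80))   # permit
    print(evaluate(ACL, "tcp", "192.168.15.10", WEB_SERVER, 22))   # deny (implicit)
```

Running the script prints the rule set in IOS form and shows that a satellite host reaching the web server on 80 is permitted while the same host on port 22, or a UDP datagram to port 80, falls through to the implicit deny. The ordering of the DMZ deny before the broad permit is the detail to check when writing such a list by hand: swapping the two lines silently allows DMZ hosts through.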