I'm trying to set up a service for an application that resides in a data center behind an internet-facing 128T router (public IP of 74.200.44.20/32). I would like to configure an ACL to only allow traffic from a specific subnet to access this application (and to deny all other sources).
In my example I've created a public service called "public-service". The scope is set to `public`. I want to forward TCP ports 22, 80 and 443 to a specific server at 172.100.128.20/32. I also only want to allow traffic sourced from the 161.97.200.60/24 subnet to reach this server.
I believe I first need the service definition:
service              public-service
    name                 public-service
    enabled              true
    scope                public
    security             aes2

    transport            tcp
        protocol    tcp

        port-range  22
            start-port  22
        exit

        port-range  443
            start-port  443
        exit

        port-range  80
            start-port  80
        exit
    exit
    address              74.200.44.20/32

    access-policy        161.97.200.60/24
        source      161.97.200.60/24
        permission  allow
    exit
    share-service-routes false
exit
I believe I also need a service-route that performs a destination NAT from the public IP address to the server hosting the application:
service-route        dnat-to-public-service
    name          dnat-to-public-service
    service-name  public-service
    nat-target    172.100.128.20
exit
Several questions:
1 - Is this the optimal configuration to support this type of service?
2 - What role, if any, does the `security` parameter play in the service definition?
3 - Does the `access-policy` of `allow` inherently deny all sources outside of the specified subnet?
Thank you!
P.S. The public IPs in the example are fabricated...
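The following is an added example, not part of the original post and not 128T code. It models the access-policy list from the question as a first-match list with an implicit deny for unmatched sources, which is the behaviour question 3 asks about (that semantics is an assumption of the model, not a statement about what the router does). It also flags a detail worth checking before committing the config above: `161.97.200.60/24` has host bits set, so the network it actually denotes is `161.97.200.0/24`; the policy name and the `source` in the post are constructed inputs taken from the question.

```python
"""Model of a service access-policy list with first-match, implicit-deny semantics.

Added example; the semantics are an assumption used for illustration,
not a description of the 128T implementation.
"""
import ipaddress
from typing import List, Tuple

# Constructed from the post: a single allow entry. The trailing default
# deny is the assumption being made explicit here.
POLICIES: List[Tuple[str, str]] = [("161.97.200.60/24", "allow")]


def canonical_network(prefix: str) -> Tuple[ipaddress.IPv4Network, bool]:
    """Return the network a prefix denotes, and whether it had host bits set.

    strict=False lets ipaddress mask off host bits instead of raising, so
    "161.97.200.60/24" yields 161.97.200.0/24 together with a warning flag.
    """
    net = ipaddress.ip_network(prefix, strict=False)
    return net, net.with_prefixlen != prefix


def lint_policies(policies: List[Tuple[str, str]] = POLICIES) -> List[str]:
    """Report prefixes whose written form differs from the network they match."""
    warnings = []
    for prefix, _permission in policies:
        net, had_host_bits = canonical_network(prefix)
        if had_host_bits:
            warnings.append(f"{prefix} matches {net.with_prefixlen}; write the network address")
    return warnings


def evaluate(source: str, policies: List[Tuple[str, str]] = POLICIES,
             default: str = "deny") -> str:
    """First matching policy wins; anything unmatched gets the default (deny)."""
    src = ipaddress.ip_address(source)
    for prefix, permission in policies:
        net, _ = canonical_network(prefix)
        if src in net:
            return permission
    return default


if __name__ == "__main__":
    for warning in lint_policies():
        print("warning:", warning)
    for host in ("161.97.200.5", "161.97.201.5", "8.8.8.8"):
        print(host, "->", evaluate(host))
```

Running it prints the host-bits warning and then allow/deny per sample source; the same `evaluate` function can be pointed at any list of (prefix, permission) pairs to check an intended policy set against a list of expected clients before it goes on the router.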