We are trying not to move our routing and DHCP to the firewall and to keep it at the switch level, but in doing so we need to free up ACLs for some additional functionality. So, what we have is our DMZ VLAN with allows/denies for all our internal VLANs, and NAT with allowable IPs from the Cloudflare IPs on ports 80/443. But when I add a deny all, it breaks external access to the web servers and I cannot determine why. Do the external allowable IPs in NAT have to be added as well, or what?
FW / Core stack VLANs ----- ACL allows in place for VLAN 125
9300 stack feeding servers-----ACL allows in place for VLAN 10
VMWARE----ACL allows in place for VLAN 4
Public IPs------ACL allows in place
FW        CORE      9300      VMWARE WEB SUBNET
VLAN 125  VLAN 125  VLAN 10   VLAN 4