ACL - What am I doing wrong?

tim.meyer
Level 1

No, I am not talking about my knee....

I have a 2621 router - old, but works well.

Need to put in an ACL to limit the inbound SMTP traffic to be FROM a specific set of IP's, and deny all others.

I have tried various combinations with no luck.  Something obvious, I am sure. 

I have applied the ACL to either interface, both in and out, but no luck.

When I do a show access-lists 160 it shows all SMTP traffic being snagged by the SMTP deny statement.  All other traffic works correctly.

Thoughts anyone?

Here is my config so far...

Current configuration : 3093 bytes
!
version 12.2
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname xxxxxxxxxx
!
logging rate-limit console 10 except errors
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
ip subnet-zero
no ip source-route
ip cef
!
!
no ip finger
ip domain-name xxxxxxxxxxxx.xxx
ip name-server xx.xx.xx.xx
ip name-server xx.xx.xx.xx
ip dhcp excluded-address 10.0.0.0 10.0.0.99
!
ip dhcp pool BigBob
   network 10.0.0.0 255.255.255.0
   domain-name xxxxxxxxx.xxx
   dns-server xx.xx.xx.xx xx.xx.xx.xx
   default-router 10.0.0.1
!
no ip bootp server
no ip dhcp-client network-discovery
!
call rsvp-sync
!
!
interface FastEthernet0/0
ip address 99.xxx.xxx.157 255.255.255.248

ip access-group 160 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
duplex auto
speed auto
no cdp enable
!
interface FastEthernet0/1
ip address 10.0.0.1 255.255.255.0

ip verify unicast reverse-path
no ip redirects
no ip unreachables
ip nat inside
duplex auto
speed auto
no cdp enable
!
ip default-gateway 99.xx.xx.158
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source static tcp 10.0.0.109 3389 99.xxx.xxx.157 3389 extendable
ip nat inside source static tcp 10.0.0.2 585 99.xxx.xxx.157 585 extendable
ip nat inside source static tcp 10.0.0.2 143 99.xxx.xxx.157 143 extendable
ip nat inside source static tcp 10.0.0.2 110 99.xxx.xxx.157 110 extendable
ip nat inside source static tcp 10.0.0.2 80 99.xxx.xxx.157 80 extendable
ip nat inside source static tcp 10.0.0.2 443 99.xxx.xxx.157 443 extendable
ip nat inside source static tcp 10.0.0.95 2438 99.xxx.xxx.157 2438 extendable
ip nat inside source static tcp 10.0.0.95 1632 99.xxx.xxx.157 1632 extendable
ip nat inside source static tcp 10.0.0.95 1634 99.xxx.xxx.157 1634 extendable
ip nat inside source static tcp 10.0.0.2 25 99.xxx.xxx.157 25 extendable
ip classless
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
ip route 0.0.0.0 0.0.0.0 99.xx.xx.158
no ip http server
!
access-list 1 permit any
access-list 160 permit tcp 209.213.83.0 0.0.0.255 host 10.0.0.2 eq smtp
access-list 160 permit tcp 74.118.76.0 0.0.0.255 host 10.0.0.2 eq smtp
access-list 160 permit tcp 50.202.38.0 0.0.0.255 host 10.0.0.2 eq smtp
access-list 160 deny   tcp any any eq smtp
access-list 160 deny   ip 172.16.0.0 0.15.255.255 any
access-list 160 deny   ip 192.168.0.0 0.0.255.255 any
access-list 160 deny   ip 127.0.0.0 0.255.255.255 any
access-list 160 deny   ip 224.0.0.0 7.255.255.255 any
access-list 160 deny   ip 169.254.0.0 0.0.255.255 any
access-list 160 deny   ip 255.0.0.0 0.255.255.255 any
access-list 160 deny   ip host 0.0.0.0 any
access-list 160 permit ip any any
dialer-list 1 protocol ip permit
no cdp run
!
dial-peer cor custom
!
!
!
!
!
line con 0
logging synchronous
transport input none
line aux 0
line vty 0 4
access-class 1 in
password xxxxxxxxxxx
login
line vty 5 14
password xxxxxxxxxxx
login
line vty 15
password xxxxxxxxxxxxxx
login
!
end

6 Replies

Jouni Forss
VIP Alumni
Accepted Solution

Hi,

Shouldn't you be using the Public NAT IP address in the SMTP allowing statements?

access-list 160 permit tcp 209.213.83.0 0.0.0.255 host 99.xxx.xxx.157 eq smtp

access-list 160 permit tcp 74.118.76.0 0.0.0.255 host 99.xxx.xxx.157 eq smtp

access-list 160 permit tcp 50.202.38.0 0.0.0.255 host 99.xxx.xxx.157 eq smtp

access-list 160 deny   tcp any any eq smtp

access-list 160 deny   ip 172.16.0.0 0.15.255.255 any

access-list 160 deny   ip 192.168.0.0 0.0.255.255 any

access-list 160 deny   ip 127.0.0.0 0.255.255.255 any

access-list 160 deny   ip 224.0.0.0 7.255.255.255 any

access-list 160 deny   ip 169.254.0.0 0.0.255.255 any

access-list 160 deny   ip 255.0.0.0 0.255.255.255 any

access-list 160 deny   ip host 0.0.0.0 any

access-list 160 permit ip any any

- Jouni

That is a combination I did not try yet.  I will try it Monday and find out for sure.

Why would I need a NAT statement on the outside while working with public IP's?  (truly asking, not being a smart @ss)

In the meantime, if anyone else has any ideas please feel free to mention them....

It has been some time since I programmed one of these, as you can tell.

Hi,

Well, to me it seems you have several Static PAT / Port Forward NAT configurations on the router:

ip nat inside source static tcp 10.0.0.109 3389 99.xxx.xxx.157 3389 extendable

ip nat inside source static tcp 10.0.0.2 585 99.xxx.xxx.157 585 extendable

ip nat inside source static tcp 10.0.0.2 143 99.xxx.xxx.157 143 extendable

ip nat inside source static tcp 10.0.0.2 110 99.xxx.xxx.157 110 extendable

ip nat inside source static tcp 10.0.0.2 80 99.xxx.xxx.157 80 extendable

ip nat inside source static tcp 10.0.0.2 443 99.xxx.xxx.157 443 extendable

ip nat inside source static tcp 10.0.0.95 2438 99.xxx.xxx.157 2438 extendable

ip nat inside source static tcp 10.0.0.95 1632 99.xxx.xxx.157 1632 extendable

ip nat inside source static tcp 10.0.0.95 1634 99.xxx.xxx.157 1634 extendable

ip nat inside source static tcp 10.0.0.2 25 99.xxx.xxx.157 25 extendable

The last one of those is for SMTP, which you are trying to get working. The configuration basically says that when traffic from the Internet comes toward 99.xxx.xxx.157 with destination port TCP/25 (SMTP), it should be forwarded to the LAN host 10.0.0.2 on port TCP/25.

Now let's look at the ACL you have configured.

You have an ACL numbered "160". It is attached to the WAN interface in the direction "in". This means it will be controlling packets headed towards the WAN interface from the Internet.

Since this traffic is SMTP traffic from the Internet, it will naturally be heading towards your public IP address, which is the NAT IP address. Therefore the destination IP address in the ACL "160" should be the public IP address that is visible to the Internet and not the LAN IP address 10.0.0.2.

- Jouni
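
To make the order-of-operations point behind this fix concrete, here is an added Python model; it is not code from the thread or from Cisco. It parses IOS-style extended access-list lines into entries, evaluates them first-match as IOS does, and then, as IOS does for an inbound ACL on the "ip nat outside" interface, runs the ACL before outside-to-inside NAT rewrites the destination. The public address 99.0.0.157 and the sender addresses 209.213.83.10 and 198.51.100.7 are constructed stand-ins; the inside host 10.0.0.2, the allowed source ranges and the forwarded ports are taken from the posted config. Only the port forwards to 10.0.0.2 are modelled.

```python
import ipaddress
from collections import namedtuple

PUBLIC_IP = "99.0.0.157"  # constructed stand-in for the thread's masked 99.xxx.xxx.157
MAIL_HOST = "10.0.0.2"    # inside mail server from the posted static NAT lines
FORWARDED_PORTS = {25, 80, 110, 143, 443, 585}  # static PAT ports for 10.0.0.2 in the config

# ACL 160 as corrected in the accepted answer, with the constructed public IP.
FIXED_ACL = """
access-list 160 permit tcp 209.213.83.0 0.0.0.255 host 99.0.0.157 eq smtp
access-list 160 permit tcp 74.118.76.0 0.0.0.255 host 99.0.0.157 eq smtp
access-list 160 permit tcp 50.202.38.0 0.0.0.255 host 99.0.0.157 eq smtp
access-list 160 deny   tcp any any eq smtp
access-list 160 deny   ip 172.16.0.0 0.15.255.255 any
access-list 160 deny   ip 192.168.0.0 0.0.255.255 any
access-list 160 deny   ip 127.0.0.0 0.255.255.255 any
access-list 160 deny   ip 224.0.0.0 7.255.255.255 any
access-list 160 deny   ip 169.254.0.0 0.0.255.255 any
access-list 160 deny   ip 255.0.0.0 0.255.255.255 any
access-list 160 deny   ip host 0.0.0.0 any
access-list 160 permit ip any any
"""
# The original post's ACL differs only in the destination of the three permits.
ORIGINAL_ACL = FIXED_ACL.replace("host 99.0.0.157", "host 10.0.0.2")

Packet = namedtuple("Packet", "proto src dst dport")   # proto is "tcp" or "udp"
Ace = namedtuple("Ace", "action proto src dst dport")  # src/dst: None = any, else (base, wildcard)


def _addr_spec(t, i):
    """Consume one IOS address spec: 'any' | 'host A' | 'A WILDCARD'."""
    if t[i] == "any":
        return None, i + 1
    if t[i] == "host":
        return (t[i + 1], "0.0.0.0"), i + 2
    return (t[i], t[i + 1]), i + 2


def parse_acl(text):
    """Parse extended 'access-list N action proto src dst [eq port]' lines, keeping order."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        src, i = _addr_spec(t, 4)
        dst, i = _addr_spec(t, i)
        dport = None
        if i < len(t) and t[i] == "eq":
            dport = {"smtp": 25, "www": 80, "pop3": 110}.get(t[i + 1]) or int(t[i + 1])
        aces.append(Ace(t[2], t[3], src, dst, dport))
    return aces


def _addr_match(spec, addr):
    """Wildcard-mask match: a 1 bit in the wildcard means 'don't care'."""
    if spec is None:
        return True
    base, wild = (int(ipaddress.IPv4Address(x)) for x in spec)
    return (int(ipaddress.IPv4Address(addr)) | wild) == (base | wild)


def evaluate(aces, pkt):
    """First match wins, as in IOS; no match is the implicit deny. Returns (verdict, index)."""
    for idx, ace in enumerate(aces):
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        if _addr_match(ace.src, pkt.src) and _addr_match(ace.dst, pkt.dst):
            return ace.action, idx
    return "deny", None


def wan_inbound(aces, pkt):
    """Packet arriving on Fa0/0 (ip nat outside). IOS evaluates an inbound ACL before
    outside-to-inside NAT, so the ACL sees the public destination; only a permitted
    packet is then rewritten by the static PAT toward the inside host."""
    verdict, idx = evaluate(aces, pkt)
    if verdict == "permit" and pkt.proto == "tcp" and pkt.dst == PUBLIC_IP and pkt.dport in FORWARDED_PORTS:
        pkt = pkt._replace(dst=MAIL_HOST)
    return verdict, idx, pkt


def run_demo():
    """Run three constructed inbound packets through both ACLs.
    Returns {(acl, scenario): (verdict, matched entry index, destination after NAT)}."""
    packets = {
        "allowed-smtp": Packet("tcp", "209.213.83.10", PUBLIC_IP, 25),  # sender inside a permitted range
        "other-smtp": Packet("tcp", "198.51.100.7", PUBLIC_IP, 25),     # sender outside the list
        "https": Packet("tcp", "198.51.100.7", PUBLIC_IP, 443),         # non-SMTP traffic
    }
    results = {}
    for name, text in (("original", ORIGINAL_ACL), ("fixed", FIXED_ACL)):
        aces = parse_acl(text)
        for scenario, pkt in packets.items():
            verdict, idx, after = wan_inbound(aces, pkt)
            results[(name, scenario)] = (verdict, idx, after.dst)
    return results
```

The matched entry index is what the hit counters in "show access-lists 160" would reflect: with the original ACL, SMTP from a permitted range still lands on entry 3, the "deny tcp any any eq smtp" line, because the three permits name 10.0.0.2 and the packet still carries the public address when the inbound ACL runs. With the corrected ACL the same packet hits entry 0 and is only then translated to 10.0.0.2, while SMTP from any other source still stops at entry 3 and non-SMTP traffic falls through to the final permit either way.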

I will be able to try that on Monday morning.  Hopefully that will work.

Thanks for the help, and I will report back with the results then...

That worked!  I appreciate the explanation as well.  Will never make that mistake again....

Cheers!

No problem,

Glad you got it working

- Jouni
