ASA 5505: ACL to allow Email traffic only to DHCP clients?

johncwoo2 · ‎11-15-2011

Greetings All,

So here's what I think I should do to give email access only to a segment of addresses of my inside network.

1) Create a network object for 62 machines that will represent my dhcp clients. I plan to use 192.168.0.65-192.168.0.126. So I will use address 192.168.0.64 with netmask 255.255.255.192. Then set DHCP server to service this address range.

2) Create an ACL which will Permit Any to use tcp port 110 (pop3) to get to the outside. Which leads me to question #1:

How do I permit the source "Any" to communicate with "Any Less Secure Networks" like the implicit rule that gets zapped once I create new ACL? Is "Any Less Secure Network" implied by the "Any" destination?

3) Create an ACL which will Deny my DHCP range to talk to the outside.

4) Create an ACL which will Permit Any to talk to Any Less Secure Network(essentially recreating the implicit Permit ACL that got zapped).

Do you think this will work?

Thanks for any input. I truly do appreciate it.

--John

Julio Carvajal · ‎11-15-2011

Hello John,

Lets start saying that you can only have one access-group on the outbound direccion on any interface, so as soon as you apply an ACL on that interface you are going to loose the access to any less secure network unless you configure that access on an ACE ( Access List Entry).

So if what you want to do is just to allow the DHCP clients to talk to servers or clients on less secures networks on port 110 that is what you need to do ( use step # 2 ) which by the way has implied on the any the access to any other lower security level interface. So yes creating an acl to do that is going to work.

Hope this helps,

Please rate helpful post.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC