03-03-2002 09:42 PM - edited 02-20-2020 09:16 PM
I have 1 NAT static mapping (Exchange Server) in the network, with the other PCs mapped dynamically. I want to protect my Exchange Server because it's open to the Internet. I'm using this:
access-list 101 deny ip host 195.229.36.85 any
access-list 101 permit udp any host 195.229.36.85 eq domain
access-list 101 permit tcp any host 195.229.36.85 eq pop3
access-list 101 permit tcp any host 195.229.36.85 eq smtp
access-list 101 permit tcp any host 195.229.36.85 eq www
!
interface Dialer0
 ip access-group 101 in
After applying these commands, mail stops going out and there is no Internet browsing. Can you help me, brother!
Imran-Dubai
03-05-2002 08:51 PM
Hi,
I am also running NAT static mapping for my Exchange Servers. Hope this config will help you.
ip nat inside source static (Exchange internal IP address) (Exchange External IP address)
(For example, 192.x is your internal IP scheme)
access-list 1 permit 192.0.0.0 0.255.255.255
!
access-list 100 remark anti-spoofing: our internal range must never arrive from outside
access-list 100 deny ip 192.0.0.0 0.255.255.255 any log
access-list 100 permit tcp any host (Exchange External IP address) eq pop3
access-list 100 permit tcp any host (Exchange External IP address) eq smtp
access-list 100 deny ip any any log
!
interface (outside interface)
 ip access-group 100 in
Thanks.
Alan
03-06-2002 09:06 PM
Thanks, this will allow only POP3 and SMTP, but I want to allow BROWSING for all the other PCs and the Exchange Server as well. So can you suggest again!
Thanks
Imran
03-07-2002 10:45 AM
What I do is turn on CBAC; it will create dynamic entries in your access-list as traffic from inside your firewall goes outbound. That way your servers and PCs can surf the Internet or whatever, but traffic not originating inside your firewall cannot come in. Below is a sample config:
! CBAC thresholds and timers
ip inspect one-minute low 500
ip inspect one-minute high 700
ip inspect udp idle-time 120
ip inspect tcp max-incomplete host 100 block-time 0
! Inspection rule; applied outbound on the outside interface below
ip inspect name internet tcp
ip inspect name internet ftp
ip inspect name internet udp
!
interface Ethernet0/0
 description inside interface
 ip address x.x.x.x x.x.x.x
 ip nat inside
!
interface Serial0/0
 ip address x.x.x.x x.x.x.x
 ip access-group outside in
 ip inspect internet out
 ip nat outside
!
ip route 0.0.0.0 0.0.0.0 Serial0/0
!
! Named Access-List (inbound on the outside interface; CBAC adds
! dynamic entries to it for sessions that originated inside):
ip access-list extended outside
 permit tcp x.x.x.x x.x.x.x host x.x.x.x eq www
!
ip nat translation timeout 30
ip nat translation tcp-timeout 30
ip nat inside source list 1 interface Serial0/0 overload
access-list 1 permit x.x.x.x x.x.x.x
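The following is an added example and not config posted by any participant in this thread. It puts the pieces discussed above together for Imran's scenario: a static NAT mapping for the Exchange server, PAT for the other PCs, CBAC inspection applied outbound so that return traffic for sessions that originated inside is admitted, and an inbound ACL on the outside interface that permits only the published Exchange services. The addresses are assumptions (an RFC 1918 inside LAN 192.168.1.0/24 with Exchange at 192.168.1.10, and the RFC 5737 documentation address 203.0.113.85 standing in for the fixed public address), and so are the interface names (Ethernet0 inside, Dialer0 outside); substitute your own.

```text
! Added example config (not from the thread). Assumed addressing:
!   inside LAN 192.168.1.0/24, Exchange 192.168.1.10 <-> public 203.0.113.85
!   inside interface Ethernet0, outside interface Dialer0 (fixed public IP)
!
! CBAC inspection rule. Sessions leaving via Dialer0 get dynamic
! permit entries in ACL "outside" for their return traffic.
ip inspect name internet tcp
ip inspect name internet udp
ip inspect name internet ftp
!
interface Ethernet0
 description inside LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Dialer0
 description outside / Internet
 ip access-group outside in
 ip inspect internet out
 ip nat outside
!
! Static 1:1 mapping for Exchange, PAT on the dialer address for everyone else
ip nat inside source static 192.168.1.10 203.0.113.85
ip nat inside source list 1 interface Dialer0 overload
access-list 1 remark inside hosts allowed to use PAT
access-list 1 permit 192.168.1.0 0.0.0.255
!
! Inbound policy on the Internet side. Only unsolicited traffic listed here
! gets in; everything else is dropped unless CBAC opened a hole for it.
ip access-list extended outside
 remark anti-spoofing: private ranges and our own public address never arrive from outside
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip host 203.0.113.85 any log
 remark published Exchange services; the ACL is checked before inbound NAT,
 remark so the destination is the public address, not 192.168.1.10
 permit tcp any host 203.0.113.85 eq smtp
 permit tcp any host 203.0.113.85 eq pop3
 permit tcp any host 203.0.113.85 eq www
 remark ICMP needed for PMTU discovery, traceroute and outbound ping
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 permit icmp any any echo-reply
 remark everything else (unsolicited DNS, NetBIOS, RPC, ...) is dropped and logged
 deny   ip any any log
```

The reason the ACL in the first post broke outbound mail and browsing is the implicit deny at the end of every IOS access-list: nothing in access-list 101 permits the replies to sessions the PCs and the server open themselves (HTTP responses, DNS answers, the remote SMTP server's side of an outbound delivery), so they are dropped on the way back in. With `ip inspect internet out` on Dialer0, CBAC tracks those outbound sessions and admits their return packets, so the static ACL only has to describe the unsolicited inbound traffic you actually want. Inbound UDP 53 to the server is deliberately not opened here; only add it if the Exchange box is also an authoritative DNS server that the outside world must query. POP3 and HTTP carry credentials in cleartext, so if the clients support it prefer exposing POP3S (995) and HTTPS (443) instead. After applying, `show ip inspect sessions` shows the dynamic entries CBAC is maintaining and `show access-lists outside` shows hit counts, including what the final logged deny is catching.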