cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
612
Views
0
Helpful
3
Replies

Access List with NAT(Static) for Security??

imran
Level 1
Level 1

I have 1 NAT static mapping(Exchange Server)in network with other PCs mapped dynamically.I want to protect my Exchange Serv coz its open to Internet.I m using this:

access-list 101 deny ip host 195.229.36.85 any

access-list 101 permit udp any host 195.229.36.85 eq domain

access-list 101 permit tcp any host 195.229.36.85 eq pop3

access-list 101 permit tcp any host 195.229.36.85 eq smtp

access-list 101 permit tcp any host 195.229.36.85 eq www

int dialer 0

ip access-group 101 in

After doing these commands mails stop going out with no Internet browsing.Can u help me brother!

Imran-Dubai

3 Replies 3

slleong
Level 1
Level 1

Hi,

I also running NAT static mapping for my Exchange Servers. Hope this config will help you.

ip nat inside source static (Exchange internal IP address) (Exchange External IP address)

(For example, 192.x is your internal IP scheme)

access-list 1 permit 192.0.0.0 0.255.255.255

access-list 100 deny ip 192.0.0.0 0.255.255.255 any log

access-list 100 permit tcp any host (Exchange External IP address)eq pop3

access-list 100 permit tcp any host (Exchange External IP address)eq smtp

access-list 100 deny ip any any log

ip access-group 100 in

Thanks.

Alan

Thanks, this will allow only pop3 and smtp but I want to allow BROWSING to all other PC's and Exchange Serv as well.So can u suggest me again!

Thanks

Imran

What I do it turn on CBAC, it will create dymanic entries into your access-list as traffic from inside your firewall goes outbound. That way your servers and PCs can surf the internet or whatever, but traffic not orriginating inside your firewall can not come in. Below is a sample config:

ip inspect one-minute low 500

ip inspect one-minute high 700

ip inspect udp idle-time 120

ip inspect tcp max-incomplete host 100 block-time 0

ip inspect name internet tcp

ip inspect name internet ftp

ip inspect name internet udp

!

interface Ethernet0/0

Description inside interface

ip address x.x.x.x x.x.x.x

ip nat inside

!

interface Serial0/0

ip address x.x.x.x x.x.x.x

ip access-group outside in

ip inspect internet out

ip nat outside

!

ip route 0.0.0.0 0.0.0.0 Serial0/0

!

! Named Access-List:

ip access-list extended outside

permit tcp x.x.x.x x.x.x.x host x.x.x.x eq www

!

ip nat translation timeout 30

ip nat translation tcp-timeout 30

ip nat inside source list 1 interface Serial0/0 overload

access-list 1 permit x.x.x.x x.x.x.x

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: