03-23-2015 03:25 AM - edited 03-05-2019 01:04 AM
Hi
In my network I have a Cisco 1941 router and a 3750 switch. Users are configured on VLAN 2 with a /24 range. I need to block Internet access and allow email for selected users.
I tried to exclude the selected users from getting NATted so their Internet access would be blocked, but it prevented the users from using email too (users can send email but not receive). The users use POP accounts to get their email.
So how do I block the Internet for selected users but allow only email?
regards
logesh
03-23-2015 05:38 AM
Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
Assuming you have an ACL to block your /24, add an ACE to allow access to known email server IPs or open up the ports used by pop (usually port 25), or do both.
03-23-2015 04:18 PM
Hi
Below is the current configuration
ip access-list extended natpool
deny ip 10.1.1.0 0.0.0.255 10.0.0.0 0.255.255.255
deny ip host 10.1.1.22 any
deny ip host 10.1.1.23 any
deny ip host 10.1.1.24 any
deny ip host 10.1.1.25 any
deny ip host 10.1.1.26 any
deny ip host 10.1.1.27 any
deny ip host 10.1.1.28 any
deny ip host 10.1.1.29 any
deny ip host 10.1.1.30 any
deny ip host 10.1.1.35 any
deny ip host 10.1.1.36 any
deny ip host 10.1.1.37 any
deny ip host 10.1.1.38 any
deny ip host 10.1.1.39 any
permit ip 10.1.1.0 0.0.0.255 any
!
Are you suggesting that I permit the email IP in this natpool ACL?
regards
Logesh
03-23-2015 05:54 PM
If that's the ACL blocking access, yes. Otherwise, email will be blocked too.
03-24-2015 04:17 PM
Hi
Below are the changes I made to the NAT ACL
ip access-list extended natpool
deny ip 10.1.1.0 0.0.0.255 10.0.0.0 0.255.255.255
permit ip 10.1.1.0 0.0.0.255 host 222.x.x.x
deny ip host 10.1.1.22 any
deny ip host 10.1.1.23 any
deny ip host 10.1.1.24 any
deny ip host 10.1.1.25 any
deny ip host 10.1.1.26 any
deny ip host 10.1.1.27 any
deny ip host 10.1.1.28 any
deny ip host 10.1.1.29 any
deny ip host 10.1.1.30 any
deny ip host 10.1.1.35 any
deny ip host 10.1.1.36 any
deny ip host 10.1.1.37 any
deny ip host 10.1.1.38 any
deny ip host 10.1.1.39 any
permit ip 10.1.1.0 0.0.0.255 any
!
03-25-2015 09:42 AM
The NAT ACL should be separate from an ACL used to control outbound access.
The deny element in a NAT ACL should be used to exempt host/destination pairs from NAT, usually for use in VPN connections.
If you have a VPN tunnel connecting networks with 10.1.1.0 and 10.0.0.0 addresses, then the first element is fine.
03-24-2015 09:31 AM
This looks like an ACL for NAT on a router.
I think Joseph is saying that you should edit/create an ACL that permits the necessary ports for email and blocks everything else. Then apply that ACL to the LAN facing interface.
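As an added example (not a configuration posted in this thread), this is one way to implement what the last two replies describe: keep the NAT ACL purely about what gets translated, and put the per-user restriction in an inbound ACL on the LAN-facing interface. Assumptions: the mail server is 203.0.113.10 (a placeholder standing in for the thread's 222.x.x.x), the LAN interface is GigabitEthernet0/0 and the WAN interface GigabitEthernet0/1, and the IOS release supports object-groups (12.4(20)T and later); POP3 is TCP 110 and SMTP is TCP 25.

```cisco
! --- 1. NAT ACL: only decides which traffic is translated. ---
! The 10.0.0.0/8 exemption is kept for the VPN case mentioned above;
! there are no per-host denies here any more.
ip access-list extended natpool
 remark exempt site-to-site VPN traffic from NAT
 deny   ip 10.1.1.0 0.0.0.255 10.0.0.0 0.255.255.255
 permit ip 10.1.1.0 0.0.0.255 any
!
ip nat inside source list natpool interface GigabitEthernet0/1 overload
!
! --- 2. The hosts that are allowed email only (assumed list from the thread). ---
object-group network EMAIL-ONLY-HOSTS
 host 10.1.1.22
 host 10.1.1.23
 host 10.1.1.24
 range 10.1.1.25 10.1.1.30
 range 10.1.1.35 10.1.1.39
!
! --- 3. Access-control ACL, applied inbound on the LAN interface. ---
! First match wins, so the specific permits for the restricted hosts
! come before the deny that catches everything else they send.
ip access-list extended LAN-IN
 remark restricted hosts: POP3 (tcp/110) and SMTP (tcp/25) to the mail server only
 permit tcp object-group EMAIL-ONLY-HOSTS host 203.0.113.10 eq pop3
 permit tcp object-group EMAIL-ONLY-HOSTS host 203.0.113.10 eq smtp
 remark keep internal / VPN destinations reachable for the restricted hosts
 permit ip  object-group EMAIL-ONLY-HOSTS 10.0.0.0 0.255.255.255
 remark everything else from the restricted hosts is dropped and logged
 deny   ip  object-group EMAIL-ONLY-HOSTS any log
 remark all other users on VLAN 2 are unrestricted
 permit ip  10.1.1.0 0.0.0.255 any
!
interface GigabitEthernet0/0
 description LAN side (VLAN 2 users)
 ip nat inside
 ip access-group LAN-IN in
!
interface GigabitEthernet0/1
 description Internet
 ip nat outside
```

Verify with `show ip access-lists LAN-IN` that the restricted hosts' hit counts land on the permit lines for the mail server and on the logged deny, and that the natpool ACL counters no longer depend on which user is sending.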