Blocking Internet to few users alone

lmanavalan
Level 1

Hi

In my network I have a Cisco 1941 router and a 3750 switch. Users are configured on VLAN 2 with a /24 range. I need to block Internet and allow email for selected users.

I tried to exclude the selected users from getting NATted so their Internet would be blocked, but it prevented the users from email too (users can send email but not receive). The users use POP accounts to get their email.

So how do I block the Internet to selected users but allow only email?

regards

Logesh

6 Replies

Joseph W. Doherty
Hall of Fame

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

Assuming you have an ACL to block your /24, add an ACE to allow access to known email server IPs or open up the ports used by POP (usually port 25), or do both.

Hi

Below is the current configuration:

ip access-list extended natpool
 deny   ip 10.1.1.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny   ip host 10.1.1.22 any
 deny   ip host 10.1.1.23 any
 deny   ip host 10.1.1.24 any
 deny   ip host 10.1.1.25 any
 deny   ip host 10.1.1.26 any
 deny   ip host 10.1.1.27 any
 deny   ip host 10.1.1.28 any
 deny   ip host 10.1.1.29 any
 deny   ip host 10.1.1.30 any
 deny   ip host 10.1.1.35 any
 deny   ip host 10.1.1.36 any
 deny   ip host 10.1.1.37 any
 deny   ip host 10.1.1.38 any
 deny   ip host 10.1.1.39 any
 permit ip 10.1.1.0 0.0.0.255 any
!

Are you suggesting that I permit the email IP in this natpool ACL?

regards

Logesh


If that's the ACL blocking access, yes.  Otherwise, email will be blocked too.

Hi

Below are the changes I made to the NAT ACL:

ip access-list extended natpool
 deny   ip 10.1.1.0 0.0.0.255 10.0.0.0 0.255.255.255
 permit ip 10.1.1.0 0.0.0.255 host 222.x.x.x
 deny   ip host 10.1.1.22 any
 deny   ip host 10.1.1.23 any
 deny   ip host 10.1.1.24 any
 deny   ip host 10.1.1.25 any
 deny   ip host 10.1.1.26 any
 deny   ip host 10.1.1.27 any
 deny   ip host 10.1.1.28 any
 deny   ip host 10.1.1.29 any
 deny   ip host 10.1.1.30 any
 deny   ip host 10.1.1.35 any
 deny   ip host 10.1.1.36 any
 deny   ip host 10.1.1.37 any
 deny   ip host 10.1.1.38 any
 deny   ip host 10.1.1.39 any
 permit ip 10.1.1.0 0.0.0.255 any
!

The NAT ACL should be separate from an ACL used to control outbound access.

The deny element in a NAT ACL should be used to exempt host/destination pairs from NAT, usually for use in VPN connections.

If you have a VPN tunnel connecting networks with 10.1.1.0 and 10.0.0.0 addresses, then the first element is fine.

This looks like an ACL for NAT on a router.

I think Joseph is saying that you should edit/create an ACL that permits the necessary ports for email and blocks everything else. Then apply that ACL to the LAN facing interface.
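An added configuration example (not Logesh's config or any reply's own) of what that separation looks like on the 1941: the NAT ACL only selects which sources get translated, and a second ACL, applied inbound on the LAN-facing interface, limits the listed hosts to POP3 (TCP 110) and SMTP (TCP 25) towards the mail server plus internal 10/8 addresses. The interface names, the 10.1.1.1 gateway address and the mail server address 203.0.113.10 (a constructed stand-in for the thread's 222.x.x.x) are assumptions.

```cisco
! Added example, not the thread's own config. Assumes LAN = Gi0/0 (10.1.1.1/24,
! VLAN 2), WAN = Gi0/1, mail server = 203.0.113.10 (constructed placeholder).
!
! 1) NAT ACL: decides only WHICH sources are translated. No per-user policy
!    here; the single deny exempts internal 10/8 traffic (e.g. over a VPN).
ip access-list extended natpool
 deny   ip 10.1.1.0 0.0.0.255 10.0.0.0 0.255.255.255
 permit ip 10.1.1.0 0.0.0.255 any
!
! 2) Filtering ACL: decides WHAT each host may reach. Applied inbound on the
!    LAN interface, so it is checked before NAT and sees the real 10.1.1.x source.
ip access-list extended lan-in
 remark -- restricted hosts: keep internal access, allow mail only --
 permit ip  host 10.1.1.22 10.0.0.0 0.255.255.255
 permit tcp host 10.1.1.22 host 203.0.113.10 eq pop3
 permit tcp host 10.1.1.22 host 203.0.113.10 eq smtp
 deny   ip  host 10.1.1.22 any log
 permit ip  host 10.1.1.23 10.0.0.0 0.255.255.255
 permit tcp host 10.1.1.23 host 203.0.113.10 eq pop3
 permit tcp host 10.1.1.23 host 203.0.113.10 eq smtp
 deny   ip  host 10.1.1.23 any log
 remark -- repeat the four lines above for 10.1.1.24-30 and 10.1.1.35-39 --
 remark -- if their DNS server is outside 10/8, also permit udp ... eq domain --
 remark -- everyone else in the /24 is unrestricted --
 permit ip 10.1.1.0 0.0.0.255 any
!
interface GigabitEthernet0/0
 description LAN, VLAN 2
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 ip access-group lan-in in
!
interface GigabitEthernet0/1
 description WAN
 ip nat outside
!
ip nat inside source list natpool interface GigabitEthernet0/1 overload
```

`show ip access-lists lan-in` shows per-line match counters, so you can confirm mail traffic from a restricted host hits its permit lines, and the `log` keyword on each deny records what else that host tried to reach.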
