03-01-2011 08:21 PM - edited 03-06-2019 03:50 PM
Hi.
We have recently had to help a client lock down their router... they had something on the inside soaking up the internet connection, so we wanted to lock down the outbound net and only allow some simple services out...
We also locked down the inbound internet as they are using an external mail filtering system.. so we only allow inbound SMTP requests from certain IP ranges..
They have an internal mail server which is 192.168.0.1 which we want to allow SMTP out, though preventing the rest of the network from accessing SMTP outbound. We are having issues applying the correct rules to only allow 192.168.0.1 to send mail... the any rule works though.
Below is a summary of our configuration
ip access-list extended internet-in
permit tcp 92.51.176.0 0.0.0.255 any eq smtp
permit tcp 92.51.177.0 0.0.0.255 any eq smtp
permit tcp 174.36.154.0 0.0.0.255 any eq smtp
permit tcp 207.154.50.0 0.0.0.255 any eq smtp
permit tcp 208.43.37.0 0.0.0.255 any eq smtp
permit tcp 208.70.88.0 0.0.0.255 any eq smtp
permit tcp 208.70.89.0 0.0.0.255 any eq smtp
permit tcp 208.70.90.0 0.0.0.255 any eq smtp
permit tcp 208.70.91.0 0.0.0.255 any eq smtp
deny tcp any any eq smtp
deny tcp any any eq 143
permit ip any any
ip access-list extended internet-out
permit tcp any any eq www
permit tcp any any eq echo
permit icmp any any echo
permit udp any any eq domain
permit tcp any any eq domain
permit tcp any any eq 443
permit tcp any eq 3389 any
permit tcp any eq 1723 any
permit gre any any
permit tcp any eq smtp any
deny ip any any
!
interface Dialer0
bandwidth 921
ip address negotiated
ip access-group internet-in in
ip access-group internet-out out
The rule in bold is the one we can't seem to get right. We tried the following:
permit tcp host 192.168.0.1 any eq smtp instead of the bold any rule, though this doesn't work...
Using the above rule.. if 192.168.0.1 is the originator of the email.. it would work. It seems it can send the requests, and the requests would come back.
If someone sends in an email, it would never arrive. We are assuming the request is coming in, though somehow my rules don't allow the traffic to go back.
Any help would be greatly appreciated.
Pete
03-01-2011 08:43 PM
You are probably NATting the internal mail server ip to a public IP address on the outside interface, therefore your rule would need to refer to the public IP address of the mail server.
03-01-2011 10:27 PM
Hi... and thanks for your quick reply.
You are correct... we are NATting it...
I'm a little fresh to this.. can you give me an example of what the rule would look like? i.e. let's say for argument's sake the external IP address is 202.202.202.202...
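The following is an added example, not part of the thread and not Cisco's code. It models two things the posted config implies. First, the point made in the reply: on IOS the documented inside-to-outside order runs NAT before the output access list, so internet-out on Dialer0 sees the mail server's public address, not 192.168.0.1. Second, a detail visible in the posted list: the entry `permit tcp any eq smtp any` has `eq smtp` on the source side, so it is the rule that lets the server's replies to inbound mail leave; a replacement that only matches destination port 25 drops those replies even before NAT is considered. The script evaluates three constructed flows against three versions of the SMTP entries. Assumed, not stated on the page: a static NAT of 192.168.0.1 to 202.202.202.202 (the address the poster offered for argument's sake), other inside hosts overloaded onto an assumed Dialer0 address 203.0.113.10, an assumed remote MX 198.51.100.25, and a filtering-service MTA 92.51.176.10 inside one of the ranges the inbound list already permits.

```python
"""Stateless IOS extended-ACL evaluation with NAT ordering (added example).

Assumptions (not on the page): 192.168.0.1 -> 202.202.202.202 static NAT,
other hosts overloaded onto an assumed Dialer0 address 203.0.113.10, an
assumed outside MX 198.51.100.25, and 92.51.176.10 as the filtering MTA.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = "0.0.0.0 255.255.255.255"


def host(ip: str) -> str:
    """IOS 'host a.b.c.d' is the address with a 0.0.0.0 wildcard."""
    return f"{ip} 0.0.0.0"


@dataclass(frozen=True)
class Ace:
    """One entry: permit|deny PROTO SRC [eq SPORT] DST [eq DPORT]."""
    action: str
    proto: str
    src: str
    dst: str
    sport: Optional[int] = None   # 'eq N' written after the source
    dport: Optional[int] = None   # 'eq N' written after the destination


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: int
    dport: int


def wildcard_match(spec: str, addr: str) -> bool:
    """Cisco wildcard semantics: a mask bit of 1 means 'do not care'."""
    base, wild = spec.split()
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wild))
    a = int(ipaddress.IPv4Address(addr))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not (wildcard_match(ace.src, pkt.src) and wildcard_match(ace.dst, pkt.dst)):
        return False
    if ace.sport is not None and ace.sport != pkt.sport:
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    return True


def acl_verdict(acl: list, pkt: Packet) -> str:
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


NAT_TABLE = {"192.168.0.1": "202.202.202.202"}   # assumed static NAT
DIALER_ADDRESS = "203.0.113.10"                  # assumed overload address


def outbound_verdict(acl: list, pkt: Packet) -> str:
    """Inside-to-outside on IOS: NAT runs before the output access list,
    so 'internet-out' on Dialer0 sees the translated source address."""
    public_src = NAT_TABLE.get(pkt.src, DIALER_ADDRESS)
    return acl_verdict(acl, Packet(pkt.proto, public_src, pkt.dst, pkt.sport, pkt.dport))


# Constructed flows as they leave the LAN (pre-NAT addresses).
MAIL_OUT = Packet("tcp", "192.168.0.1", "198.51.100.25", 50000, 25)     # server sends mail
MAIL_REPLY = Packet("tcp", "192.168.0.1", "92.51.176.10", 25, 50001)    # SYN/ACK to inbound mail
WORKSTATION_SMTP = Packet("tcp", "192.168.0.50", "198.51.100.25", 50002, 25)  # should be blocked

# Three versions of the SMTP entries in the outbound list.
ANY_RULE = [Ace("permit", "tcp", ANY, ANY, dport=25),
            Ace("permit", "tcp", ANY, ANY, sport=25)]
PRIVATE_HOST_RULE = [Ace("permit", "tcp", host("192.168.0.1"), ANY, dport=25)]
PUBLIC_HOST_RULES = [Ace("permit", "tcp", host("202.202.202.202"), ANY, dport=25),  # mail it sends
                     Ace("permit", "tcp", host("202.202.202.202"), ANY, sport=25)]  # replies to inbound mail


def verdicts(acl: list) -> dict:
    flows = [("mail_out", MAIL_OUT), ("mail_reply", MAIL_REPLY),
             ("workstation_smtp", WORKSTATION_SMTP)]
    return {name: outbound_verdict(acl, pkt) for name, pkt in flows}


if __name__ == "__main__":
    for label, acl in [("any rule", ANY_RULE), ("host 192.168.0.1", PRIVATE_HOST_RULE),
                       ("host 202.202.202.202", PUBLIC_HOST_RULES)]:
        print(f"{label:22} {verdicts(acl)}")
```

Two caveats that follow from the assumptions. If the mail server is published on the Dialer0 address itself (a single negotiated address shared by every inside host), the public source address no longer distinguishes the server from the workstations, and a restriction on the outbound list cannot work; the filter then has to be applied before NAT, for example on the LAN interface. And the source-port entries on the posted list (`eq smtp any`, `eq 3389 any`, `eq 1723 any`) are stateless: any inside host that chooses source port 25, 3389 or 1723 passes them to any destination port. IOS extended ACLs offer the `established` keyword, and reflexive ACLs or CBAC inspection, as the stateful alternatives.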