Help with access lists on 877

peter.konstek
Level 1

Hi.

We have recently had to help a client lock down their router... they had something on the inside soaking up the internet connection, so we wanted to lock down the outbound net and only allow some simple services out...

We also locked down the inbound internet as they are using an external mail filtering system.. so we only allow inbound SMTP requests from certain IP ranges..


They have an internal mail server which is 192.168.0.1 which we want to allow SMTP out, though preventing the rest of the network from accessing SMTP outbound. We are having issues applying the correct rules to only allow 192.168.0.1 to send mail... the any rule works though.

Below is a summary of our configuration

ip access-list extended internet-in
permit tcp 92.51.176.0 0.0.0.255 any eq smtp
permit tcp 92.51.177.0 0.0.0.255 any eq smtp
permit tcp 174.36.154.0 0.0.0.255 any eq smtp
permit tcp 207.154.50.0 0.0.0.255 any eq smtp
permit tcp 208.43.37.0 0.0.0.255 any eq smtp
permit tcp 208.70.88.0 0.0.0.255 any eq smtp
permit tcp 208.70.89.0 0.0.0.255 any eq smtp
permit tcp 208.70.90.0 0.0.0.255 any eq smtp
permit tcp 208.70.91.0 0.0.0.255 any eq smtp
deny   tcp any any eq smtp
deny   tcp any any eq 143
permit ip any any


ip access-list extended internet-out
permit tcp any any eq www
permit tcp any any eq echo
permit icmp any any echo
permit udp any any eq domain
permit tcp any any eq domain
permit tcp any any eq 443
permit tcp any eq 3389 any
permit tcp any eq 1723 any
permit gre any any
permit tcp any eq smtp any
deny   ip any any
!


interface Dialer0
bandwidth 921
ip address negotiated
ip access-group internet-in in
ip access-group internet-out out

The rule in bold is the one we can't seem to get right. We tried the following

permit tcp host 192.168.0.1 any eq smtp       instead of the bold any rule, though this doesn't work...

Using the above rule.. if 192.168.0.1 is the originator of the email.. it would work. It seems it can send the requests, and the requests would come back.

If someone sends in an email, it would never arrive. We are assuming the request is coming in, though somehow my rules don't allow the traffic to go back.

Any help would be greatly appreciated.

Pete

2 Replies

Roman Rodichev
Level 7

You are probably NATting the internal mail server ip to a public IP address on the outside interface, therefore your rule would need to refer to the public IP address of the mail server.

Hi... and thanks for your quick reply.


You are correct... we are natting it...

I'm a little fresh to this.. can you give me an example of what the rule would look like? i.e. let's say for argument's sake the external IP address is 202.202.202.202...
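Roman's point, worked through as an added example that is not code from the thread or from Cisco: a small Python evaluator for Cisco-style extended ACL lines that applies the assumed static NAT (192.168.0.1 to 202.202.202.202, the address the follow-up suggests for argument's sake) before checking the Dialer0 "out" list, which is the order IOS uses for inside-to-outside traffic, so an entry naming 192.168.0.1 can never match there. It also shows the difference between `any eq smtp any` (source port 25, the mail server answering a session an outside host opened) and `host X any eq smtp` (destination port 25, a session the mail server opens); the packets and the outside address 198.51.100.7 are constructed.

```python
# Added example, not code from the thread or from Cisco: evaluates Cisco-style
# extended ACL lines, applying the assumed static NAT (192.168.0.1 -> 202.202.202.202)
# BEFORE the Dialer0 "out" list, as IOS does for inside-to-outside traffic.
import ipaddress
PORT_NAMES = {"smtp": 25, "www": 80, "domain": 53, "echo": 7}
STATIC_NAT = {"192.168.0.1": "202.202.202.202"}  # assumed inside -> outside mapping

def _parse_addr(tokens):
    # One address spec (any | host A | NET WILDCARD), then an optional "eq PORT".
    n = 1 if tokens[0] == "any" else 2
    spec, rest = tuple(tokens[:n]), tokens[n:]
    if rest[:1] == ["eq"]:
        return spec, int(PORT_NAMES.get(rest[1], rest[1])), rest[2:]
    return spec, None, rest
def _parse_ace(line):
    # "permit|deny PROTO SRC [eq P] DST [eq P]"; a trailing ICMP type is ignored.
    action, proto, *rest = line.split()
    src, sport, rest = _parse_addr(rest)
    dst, dport, _ = _parse_addr(rest)
    return action, proto, src, sport, dst, dport
def _addr_match(spec, addr):
    if spec == ("any",):
        return True
    if spec[0] == "host":
        return spec[1] == addr
    net, wild, a = (int(ipaddress.IPv4Address(x)) for x in spec + (addr,))
    return ((net ^ a) & ~wild) == 0  # wildcard bits set to 1 are "don't care"
def first_match(acl_text, pkt):
    # Top-down, first match wins; no match means the implicit deny at the end.
    for i, ace in enumerate(map(_parse_ace, acl_text.strip().splitlines())):
        action, proto, src, sport, dst, dport = ace
        if (proto in ("ip", pkt["proto"]) and _addr_match(src, pkt["src"])
                and _addr_match(dst, pkt["dst"]) and sport in (None, pkt.get("sport"))
                and dport in (None, pkt.get("dport"))):
            return i, action
    return None, "deny"
def outbound_verdict(acl_text, pkt):
    # What the "ip access-group internet-out out" list on Dialer0 decides for pkt.
    translated = dict(pkt, src=STATIC_NAT.get(pkt["src"], pkt["src"]))
    idx, action = first_match(acl_text, translated)
    return action, idx, translated["src"]

# Constructed packets: the mail server opening an outbound SMTP session, and its
# reply inside a session an outside host opened to it (source port 25, high dst port).
OUTBOUND_SMTP = dict(proto="tcp", src="192.168.0.1", sport=51000, dst="198.51.100.7", dport=25)
REPLY_TO_INBOUND = dict(proto="tcp", src="192.168.0.1", sport=25, dst="198.51.100.7", dport=40000)
ATTEMPTED = "permit tcp host 192.168.0.1 any eq smtp\ndeny ip any any"  # the rule that "doesn't work"
PUBLIC_IP = ("permit tcp host 202.202.202.202 any eq smtp\n"   # sessions the server opens
             "permit tcp host 202.202.202.202 eq smtp any\n"   # replies to inbound SMTP
             "deny ip any any")
```

With ATTEMPTED both packets hit `deny ip any any` because the list sees the translated source; PUBLIC_IP permits the server-opened session on its first line and the reply to an inbound session on its second.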