req help with access-list config

cisco 2651XM router IOS: c2600-adventerprisek9-mz.124-15.T8.bin with adsl card (Dialer0)

I'm struggling to knock up an access list that will block all port 25 and port 110 traffic through the adsl card, except for ip's I specify. Is that possible? the reason for this is as an added layer of protection for a mail server. I know I have to work on the mail server too but I wanted this access list restriction in the router. I searched on google but none of the commands I found worked for me. thanks for any advice.

Reply to
tg


Reply to
Artie Lange

but I've seen that link already, it didn't help me resolve what I wanted to do

Reply to
tg

Just to clarify: the IPs I want to permit on port 25 and 100 are out there on the internet, not on my own LAN. Example:

12.34.56.78 is a valid customer who needs to send and receive mail using the mail server on my LAN. 98.76.54.32 is a rogue who wants to spam using my SMTP server. The access list would permit 12.34.56.78 to send and receive mail using my server but no one else. All other traffic (e.g. www, ftp, telnet) would be unaffected.

Reply to
tg

If you have the firewall features (no idea if that is in yours or not) you could simplify the following with inspect statements; however, this will have better performance and will, I think, work.

I have just left the long lines to sort themselves out. Sorry.

ip access-list extended ACL-internet-in
 ! Allow inbound connections from trusted hosts
 permit tcp host trusted-mailer1 host my-smtpserver1 eq 25
 ! see out **1 - for response
 permit tcp host trusted-mailer1 host my-smtpserver1 eq 110
 ! see out **2 - for response
 permit tcp host trusted-mailer2 host my-smtpserver1 eq 25
 ! see out **5 - for response
 permit tcp host trusted-mailer2 host my-smtpserver1 eq 110
 ! see out **6 - for response
 ! Allow responses from ANY host we send mail to (they come back from source port 25/110)
 permit tcp any eq 25 host my-smtpserver1 established
 ! see out **3
 permit tcp any eq 110 host my-smtpserver1 established
 ! see out **4
 ! Deny all other TCP port 25, 110 traffic
 deny tcp any any eq 25
 deny tcp any any eq 110
 deny tcp any eq 25 any
 deny tcp any eq 110 any
 ! let everything else through
 permit ip any any

ip access-list extended ACL-internet-out
 ! Allow responses to inbound connections
 permit tcp host my-smtpserver1 eq 25 host trusted-mailer1 established
 ! see in **1
 permit tcp host my-smtpserver1 eq 110 host trusted-mailer1 established
 ! see in **2
 permit tcp host my-smtpserver1 eq 25 host trusted-mailer2 established
 ! see in **5
 permit tcp host my-smtpserver1 eq 110 host trusted-mailer2 established
 ! see in **6
 ! We can send mail to anyone
 permit tcp host my-smtpserver1 any eq 25
 ! see in **3
 permit tcp host my-smtpserver1 any eq 110
 ! see in **4 - don't suppose you need this
 ! Deny all other TCP port 25, 110 traffic
 deny tcp any any eq 25
 deny tcp any any eq 110
 deny tcp any eq 25 any
 deny tcp any eq 110 any
 ! let everything else through
 permit ip any any

interface Dialer0
 ip access-group ACL-internet-in in
 ip access-group ACL-internet-out out

You could reasonably replace "host my-smtpserver1" with "any" in the above if that suited you.

When editing access-lists you should have a plan to restore management access to the router after you have accidentally cut yourself off. e.g. "reload in 20".

Reply to
bod43

The general principle of an access list remains the same:

You compose a list of rules that is evaluated one by one, from the top down, until one matches your traffic. The one that matches decides if the traffic will be permitted or denied.

So you need to first permit smtp traffic from the servers you want, then deny all smtp traffic from all servers, then permit all other ip traffic.

Reply to
Rob

ok thanks for that but following your principle here I still can't get an access-list that works and I've tried many different combinations. I just need some kind of real example to go on - something that matches the traffic requirements as outlined.

Reply to
tg

You have been provided examples of the ACL you need to create. If you can not READ them and implement them, perhaps you should pay someone to do this, as you seem to not grasp the concept of *Examples*

Reply to
Artie Lange

Maybe tg rejects google groups?

If someone else wants to re-post my stuff that is OK by me.

I suspect that my offer should work.

Reply to
bod43

I have read them but found it difficult to implement them, despite trying for several hours. The access lists I've created either fail to allow the correct traffic through or fail to stop that which I want to deny. I'm finding it hard going and this group has been a good resource for help in the past, but with venomous comments like 'pay someone' I think I'll now look elsewhere for help.

Reply to
tg

Maybe you should have posted your configs and should have provided detailed info about what you require.

Not everyone is willing to write a dissertation about creating access lists for someone wanting to implement some trivial filter.

Reply to
Rob

I tried a lot of different acl configs and I thought it inappropriate to post all the failed attempts I tried. What I'm after is an acl that allows port 25 and 110 traffic in through the adsl card but only for outside ip's I specify. All other ip's trying to get into the router through the adsl card on port 25 and 110 should be blocked. As a beginner I don't even know if such an acl is possible but if it is I'd like to knock one up.

Reply to
tg

I think why they are pushing you to answer is because it's such a basic ACL that just about anything you've tried should work. What didn't work? What have you done that didn't work?

ip access-list ext mailserver
 permit tcp host 200.0.0.1 any eq 110
 permit tcp host 200.2.3.1 any eq 25
 deny tcp any any eq 110
 deny tcp any any eq 25
 permit ip any any

Apply this to your outside facing L3 interface, probably a dialer interface?

Reply to
Doug McIntyre
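Rob's top-down, first-match principle and Doug's list, replayed in code. This is an added example, not something posted in the thread; the mail-server address 192.0.2.10, the rogue 198.51.100.7 and the reordered list are constructed to show why entry order decides the outcome.

```python
"""First-match evaluation of a Cisco-style extended ACL (added example, not from
the thread): parses the entries Doug posted and replays constructed packets through
them. Handles only the syntax seen here: action, protocol, 'host A'/'any', 'eq PORT'."""
from collections import namedtuple

Packet = namedtuple("Packet", "proto src sport dst dport")
Ace = namedtuple("Ace", "action proto src sport dst dport")  # None = any addr/port

def _addr_port(tok):
    """Consume 'host A' or 'any' plus an optional 'eq N'; return the remainder."""
    if tok[0] not in ("host", "any"):
        raise ValueError(f"unsupported address spec: {tok[0]!r}")
    addr, tok = (tok[1], tok[2:]) if tok[0] == "host" else (None, tok[1:])
    port = None
    if tok and tok[0] == "eq":
        port, tok = int(tok[1]), tok[2:]
    return addr, port, tok

def parse_ace(line):
    action, proto, *rest = line.split()
    src, sport, rest = _addr_port(rest)
    dst, dport, _ = _addr_port(rest)
    return Ace(action, proto, src, sport, dst, dport)

def evaluate(acl, p):
    """Top down, first match decides; anything unmatched hits the implicit deny."""
    for a in acl:
        if (a.proto in ("ip", p.proto) and a.src in (None, p.src) and a.sport in (None, p.sport)
                and a.dst in (None, p.dst) and a.dport in (None, p.dport)):
            return a.action
    return "deny"

# Doug's list, one entry per line ('deny tcp host any any ...' written as 'deny tcp any any ...').
MAILSERVER_ACL = [parse_ace(l) for l in (
    "permit tcp host 200.0.0.1 any eq 110", "permit tcp host 200.2.3.1 any eq 25",
    "deny tcp any any eq 110", "deny tcp any any eq 25", "permit ip any any")]

# Same entries with the denies moved to the top: Rob's point about order.
DENY_FIRST_ACL = MAILSERVER_ACL[2:4] + MAILSERVER_ACL[0:2] + MAILSERVER_ACL[4:]

def decisions(acl=MAILSERVER_ACL):
    """Constructed inbound packets; 192.0.2.10 stands in for the poster's mail server."""
    cases = {
        "trusted_smtp": Packet("tcp", "200.2.3.1", 40000, "192.0.2.10", 25),
        "trusted_pop3": Packet("tcp", "200.0.0.1", 40001, "192.0.2.10", 110),
        "rogue_smtp": Packet("tcp", "198.51.100.7", 40002, "192.0.2.10", 25),
        "pop3_host_trying_smtp": Packet("tcp", "200.0.0.1", 40003, "192.0.2.10", 25),
        "anyone_www": Packet("tcp", "198.51.100.7", 40004, "192.0.2.10", 80),
    }
    return {name: evaluate(acl, pkt) for name, pkt in cases.items()}
```

With the denies placed first, `decisions(DENY_FIRST_ACL)` denies even the trusted hosts, which is the failure mode a wrongly ordered list produces on the router.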

What didn't work was every variation I tried around:

access-list 105 permit tcp host 200.0.0.1 any eq 25
access-list 105 permit tcp host 200.0.0.1 any eq 110
access-list 105 deny tcp any any eq 25
access-list 105 deny tcp any any eq 110
access-list 105 permit ip any any

the above and variations of the above either failed to let the specified ip through, or failed to stop unspecified ip's getting through, or stopped everything or allowed everything.

ah yes this worked. I didn't realise you could have access-lists defined by name. I thought they had to be numbered and when I tried access-list 105 ext...I got 'unrecognised command'. thanks for your pointers Doug, it's a relief to make some progress and I've also learnt stuff as well.

Reply to
tg

'ext' or 'extended' is part of the newer style extended access-list which can be named. They also offer better features, like sequence numbers (i.e. you can insert ACL statements in between others or delete specific ACL statements by specifying their sequence number, instead of wiping out the list and redoing it), and putting documentation in there with remark statements.

I think the books and training don't teach them much, just doing the old school numbered access-list because that's all people had for years and years and years. Thus many people don't realize that you have these features.

Reply to
Doug McIntyre

well thanks to you I do realise now and it's more knowledge under my belt for tackling future acl's. Cheers.

Reply to
tg
