MCHDMISDEPT
asked on
Allow email access from seperate VLAN
Have a VLAN that is on set to 172.17.1.1
Our mail server is a different VLAN 172.16.0.0 network...
Need certain users on the 172.17.1.1 VLAN to be able to get email from the 172.16.0.0 network...I have a core switch 4507R, what sort of access-list needs to be put in?
Our mail server is a different VLAN 172.16.0.0 network...
Need certain users on the 172.17.1.1 VLAN to be able to get email from the 172.16.0.0 network...I have a core switch 4507R, what sort of access-list needs to be put in?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
I do have layer 3 routing configured on the switch...I also have a LAN to LAN setup between this network and ours...I HAVE A CORRECTION: Their network is provided by their ISP. I now have a LAN to LAN configured between their office and mine. Their outside IP is 209.40.171.x I want to be able to provide access to our email server for EXCHANGE and POP mail. Please advise.
permit ip host 172.17.1.10 any (4024 matches)
20 permit tcp any host 172.16.1.1 eq telnet (7273 matches)
30 permit tcp any host 172.16.1.2 eq telnet (37567 matches)
40 permit tcp any host 172.16.1.3 eq telnet (3 matches)
50 permit tcp any host 172.16.0.25 eq 143
60 permit udp 172.17.1.0 0.0.0.255 host 172.16.0.22 eq domain (1077 matches)
70 permit udp 172.17.1.0 0.0.0.255 host 172.16.0.23 eq domain (1365 matches)
80 permit icmp any host 172.17.1.1 (855 matches)
90 permit tcp host 172.17.1.2 eq www 172.16.0.0 0.0.255.255 (1433 matches)
100 permit tcp host 172.17.1.3 eq www 172.16.0.0 0.0.255.255 (875 matches)
110 permit tcp host 172.17.1.4 eq www 172.16.0.0 0.0.255.255 (10 matches)
120 permit tcp host 172.17.1.5 eq www 172.16.0.0 0.0.255.255 (836 matches)
130 permit tcp host 172.17.1.6 eq www 172.16.0.0 0.0.255.255 (632 matches)
140 permit tcp host 172.17.1.7 eq www 172.16.0.0 0.0.255.255 (263 matches)
150 deny ip any 172.16.0.0 0.15.255.255 (75050 matches)
160 permit ip any any (352996 matches)
MCH-4507R#
permit ip host 172.17.1.10 any (4024 matches)
20 permit tcp any host 172.16.1.1 eq telnet (7273 matches)
30 permit tcp any host 172.16.1.2 eq telnet (37567 matches)
40 permit tcp any host 172.16.1.3 eq telnet (3 matches)
50 permit tcp any host 172.16.0.25 eq 143
60 permit udp 172.17.1.0 0.0.0.255 host 172.16.0.22 eq domain (1077 matches)
70 permit udp 172.17.1.0 0.0.0.255 host 172.16.0.23 eq domain (1365 matches)
80 permit icmp any host 172.17.1.1 (855 matches)
90 permit tcp host 172.17.1.2 eq www 172.16.0.0 0.0.255.255 (1433 matches)
100 permit tcp host 172.17.1.3 eq www 172.16.0.0 0.0.255.255 (875 matches)
110 permit tcp host 172.17.1.4 eq www 172.16.0.0 0.0.255.255 (10 matches)
120 permit tcp host 172.17.1.5 eq www 172.16.0.0 0.0.255.255 (836 matches)
130 permit tcp host 172.17.1.6 eq www 172.16.0.0 0.0.255.255 (632 matches)
140 permit tcp host 172.17.1.7 eq www 172.16.0.0 0.0.255.255 (263 matches)
150 deny ip any 172.16.0.0 0.15.255.255 (75050 matches)
160 permit ip any any (352996 matches)
MCH-4507R#
Where is this LAN-LAN setup ? Is it a VPN tunnel? Hard wired? Different VLAN?
Where do you have this access-list applied? It appears to be an outbound access-list....
Where is your exchange/pop server in realation to this?
I'd have to see the complete config of your 4507R to be much more help.. I need the big picture here..
Where do you have this access-list applied? It appears to be an outbound access-list....
Where is your exchange/pop server in realation to this?
I'd have to see the complete config of your 4507R to be much more help.. I need the big picture here..
ASKER
LAN to LAN is from PIX 501 to Concentrator 3000...yes, it is a VPN tunnel. No NOT a different VLAN. The exchange server is on 172.16.0.x network. In the concentrator I have defined network lists that associate with only certain ip's on the 172.16.0.x network...these are working fine...except for mail.
Does your network list on the 3000 include the mail server lan? I assume yes since everything else works.
Any other restrictions on the 3000 access-list?
Is there an acl applied to the VLAN interface facing the 172.16.0.x subnet where the server lives? You posted an acl for the 172.17.0.x VLAN...
Any other restrictions on the 3000 access-list?
Is there an acl applied to the VLAN interface facing the 172.16.0.x subnet where the server lives? You posted an acl for the 172.17.0.x VLAN...
Are you using a router between the networks?
you need someway to get from the 127.17.x.x. network to the 127.16.x.x network
Just my first thoughts