Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Cisco ACL

Posted on 2009-03-30
14
Medium Priority
?
441 Views
Last Modified: 2012-05-06
Hi,

I need to add ACLs to allow incoming SMTP only for the following ranges,
212.50.178.128 / 255.255.255.192
195.90.96.0 /  255.255.254.0  

If I just look at the the second ACL for a monent I tried the following
PERMIT TCP 195.90.96.0 0.0.1.255 EQ SMTP
but I get % Incomplete command

So I tried
PERMIT TCP 195.90.96.0 0.0.1.255 192.168.11.0 0.0.0.255 EQ SMTP
but this does not work (192.168.11.0/24 is the LAN)

To get mail flow I have to use
PERMIT IP 195.90.96.0 0.0.1.255

Obviously I would like to restrict this range to SMTP only - Any ideas?








0
Comment
Question by:nmxsupport
  • 5
  • 4
  • 3
  • +1
14 Comments
 
LVL 7

Expert Comment

by:egyptco
ID: 24017529
hi,

if you having PIX or ASA:

access-list acl PERMIT TCP any  195.90.96.0 255.255.254.0 EQ 23

if it is router:

access-list acl PERMIT TCP any 195.90.96.0 0.0.1.255 EQ 23

you missing to specify the source initiating the smtp. when you use extend acls you need to give the source network as well. any means from everywhere.
 
0
 
LVL 4

Expert Comment

by:lpacker
ID: 24017580
It appears you are using a standard ACL. What you want is an extended ACL.
acces-list <id> extended .....
Extended:
http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/a1_72.html#wp1444018
Standard:
http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/a1_72.html#wp1441213
 
0
 

Author Comment

by:nmxsupport
ID: 24017823
This is already an extendedl ACL.

I tried the following
PERMIT IP 195.90.96.0 0.0.1.253 EQ 25
and got the following reply
%invalid input detected at '^' marker

Any other ideas?
Should I be able to setup an ACL specifying a range of addresses allowed to access a specific port on a host internally?



0
Choose an Exciting Career in Cybersecurity

Help prevent cyber-threats and provide solutions to safeguard our global digital economy. Earn your MS in Cybersecurity. WGU’s MSCSIA degree program was designed in collaboration with national intelligence organizations and IT industry leaders.

 
LVL 43

Accepted Solution

by:
JFrederick29 earned 2000 total points
ID: 24017834
Use this syntax:

PERMIT TCP 195.90.96.0 0.0.1.255 any EQ SMTP
                                                        ^^^
0
 
LVL 7

Expert Comment

by:egyptco
ID: 24018020
is it not rather
access-list acl PERMIT TCP any 195.90.96.0 0.0.1.255 EQ 23
                                           ^^^^

aren't your mail servers in the 195.90.96.0 network?

you can do
access-list acl PERMIT TCP 192.168.11.0 0.0.0.255 195.90.96.0 0.0.1.255 EQ 23

to permit your host from lan to open smtp port on the mail server int 195.90.96.0

what interface you are applying your acls and which direction? can you just post an output from
sh run | inc access

0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24018053
Pretty sure the 195.90.96.0/23 servers are on the outside (incoming SMTP).

PERMIT TCP 195.90.96.0 0.0.1.255 any EQ SMTP
0
 
LVL 7

Expert Comment

by:egyptco
ID: 24018059
well i must confess i'm way too sloppy. it is of cource .... eq 25 (or SMTP). shame to me_:)
0
 
LVL 7

Expert Comment

by:egyptco
ID: 24018137
well I dunno ... since PERMIT IP 195.90.96.0 0.0.1.255 its working i've just translated it into extended syntaxis:
PERMIT TCP any 195.90.96.0 0.0.1.255 EQ smtp
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24018151
Actually, in a standard ACL, the address is the source.
0
 
LVL 7

Expert Comment

by:egyptco
ID: 24018198
you are right... pls ignore all my comments. damn got to go back to school:P
0
 
LVL 4

Expert Comment

by:lpacker
ID: 24018311
You syntax suggests your using a standard ACL because you are not entering a source and destination address. A previous post would have you enter the keyword 'any'  which would be the destination address.
0
 

Author Comment

by:nmxsupport
ID: 24018326
Hi to put thiings straight -

The internal LAN is 192.168.11.0 - the email server is 192.168.11.222
There is a NAT rule redirecting port 25 to this IP address
Email is filtered by an off-site mail cleansing company and the only email addresses they will send to us are 212.50.178.128 / 255.255.255.192 and 195.90.96.0 /  255.255.254.0  therfore we only want to accept incoming SMTP session from these ranges only.

JFrederick29> your suggestion has worked
I am happy with the code fragment as follows just never knew why the following did not work initially
PERMIT TCP 195.90.96.0 0.0.1.255 192.168.11.0 0.0.0.255 EQ SMTP



    2 permit tcp 195.90.96.0 0.0.1.255 any eq smtp (821 matches)
    3 permit tcp 212.50.178.128 0.0.0.63 any eq smtp
    15 deny tcp any any eq smtp (434 matches)

Open in new window

0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24018339
>PERMIT TCP 195.90.96.0 0.0.1.255 192.168.11.0 0.0.0.255 EQ SMTP

You can't use the LAN address as to the outside, the destination will be the public/NAT IP address of the SMTP server.

Instead of "any", you could use your public IP address range if really desired.
0
 

Author Comment

by:nmxsupport
ID: 24018407
Oh I understand that explains it!
0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

You deserve ‘straight talk’ from your cloud provider about your risk, your costs, security, uptime and the processes that are in place to protect your mission-critical applications.
Considering cloud tradeoffs and determining the right mix for your organization.
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
When cloud platforms entered the scene, users and companies jumped on board to take advantage of the many benefits, like the ability to work and connect with company information from various locations. What many didn't foresee was the increased risk…

926 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question