Cisco ACL

Hi,

I need to add ACLs to allow incoming SMTP only for the following ranges,
212.50.178.128 / 255.255.255.192
195.90.96.0 /  255.255.254.0  

If I just look at the the second ACL for a monent I tried the following
PERMIT TCP 195.90.96.0 0.0.1.255 EQ SMTP
but I get % Incomplete command

So I tried
PERMIT TCP 195.90.96.0 0.0.1.255 192.168.11.0 0.0.0.255 EQ SMTP
but this does not work (192.168.11.0/24 is the LAN)

To get mail flow I have to use
PERMIT IP 195.90.96.0 0.0.1.255

Obviously I would like to restrict this range to SMTP only - Any ideas?








nmxsupportAsked:
Who is Participating?

Improve company productivity with a Business Account.Sign Up

x
 
JFrederick29Connect With a Mentor Commented:
Use this syntax:

PERMIT TCP 195.90.96.0 0.0.1.255 any EQ SMTP
                                                        ^^^
0
 
egyptcoCommented:
hi,

if you having PIX or ASA:

access-list acl PERMIT TCP any  195.90.96.0 255.255.254.0 EQ 23

if it is router:

access-list acl PERMIT TCP any 195.90.96.0 0.0.1.255 EQ 23

you missing to specify the source initiating the smtp. when you use extend acls you need to give the source network as well. any means from everywhere.
 
0
 
lpackerCommented:
It appears you are using a standard ACL. What you want is an extended ACL.
acces-list <id> extended .....
Extended:
http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/a1_72.html#wp1444018
Standard:
http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/a1_72.html#wp1441213
 
0
NEW Internet Security Report Now Available!

WatchGuard’s Threat Lab is a group of dedicated threat researchers committed to helping you stay ahead of the bad guys by providing in-depth analysis of the top security threats to your network.  Check out this quarters report on the threats that shook the industry in Q4 2017.

 
nmxsupportAuthor Commented:
This is already an extendedl ACL.

I tried the following
PERMIT IP 195.90.96.0 0.0.1.253 EQ 25
and got the following reply
%invalid input detected at '^' marker

Any other ideas?
Should I be able to setup an ACL specifying a range of addresses allowed to access a specific port on a host internally?



0
 
egyptcoCommented:
is it not rather
access-list acl PERMIT TCP any 195.90.96.0 0.0.1.255 EQ 23
                                           ^^^^

aren't your mail servers in the 195.90.96.0 network?

you can do
access-list acl PERMIT TCP 192.168.11.0 0.0.0.255 195.90.96.0 0.0.1.255 EQ 23

to permit your host from lan to open smtp port on the mail server int 195.90.96.0

what interface you are applying your acls and which direction? can you just post an output from
sh run | inc access

0
 
JFrederick29Commented:
Pretty sure the 195.90.96.0/23 servers are on the outside (incoming SMTP).

PERMIT TCP 195.90.96.0 0.0.1.255 any EQ SMTP
0
 
egyptcoCommented:
well i must confess i'm way too sloppy. it is of cource .... eq 25 (or SMTP). shame to me_:)
0
 
egyptcoCommented:
well I dunno ... since PERMIT IP 195.90.96.0 0.0.1.255 its working i've just translated it into extended syntaxis:
PERMIT TCP any 195.90.96.0 0.0.1.255 EQ smtp
0
 
JFrederick29Commented:
Actually, in a standard ACL, the address is the source.
0
 
egyptcoCommented:
you are right... pls ignore all my comments. damn got to go back to school:P
0
 
lpackerCommented:
You syntax suggests your using a standard ACL because you are not entering a source and destination address. A previous post would have you enter the keyword 'any'  which would be the destination address.
0
 
nmxsupportAuthor Commented:
Hi to put thiings straight -

The internal LAN is 192.168.11.0 - the email server is 192.168.11.222
There is a NAT rule redirecting port 25 to this IP address
Email is filtered by an off-site mail cleansing company and the only email addresses they will send to us are 212.50.178.128 / 255.255.255.192 and 195.90.96.0 /  255.255.254.0  therfore we only want to accept incoming SMTP session from these ranges only.

JFrederick29> your suggestion has worked
I am happy with the code fragment as follows just never knew why the following did not work initially
PERMIT TCP 195.90.96.0 0.0.1.255 192.168.11.0 0.0.0.255 EQ SMTP



    2 permit tcp 195.90.96.0 0.0.1.255 any eq smtp (821 matches)
    3 permit tcp 212.50.178.128 0.0.0.63 any eq smtp
    15 deny tcp any any eq smtp (434 matches)

Open in new window

0
 
JFrederick29Commented:
>PERMIT TCP 195.90.96.0 0.0.1.255 192.168.11.0 0.0.0.255 EQ SMTP

You can't use the LAN address as to the outside, the destination will be the public/NAT IP address of the SMTP server.

Instead of "any", you could use your public IP address range if really desired.
0
 
nmxsupportAuthor Commented:
Oh I understand that explains it!
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.