nmxsupport
asked on
Cisco ACL
Hi,
I need to add ACLs to allow incoming SMTP only for the following ranges,
212.50.178.128 / 255.255.255.192
195.90.96.0 / 255.255.254.0
If I just look at the second ACL for a moment, I tried the following
PERMIT TCP 195.90.96.0 0.0.1.255 EQ SMTP
but I get % Incomplete command
So I tried
PERMIT TCP 195.90.96.0 0.0.1.255 192.168.11.0 0.0.0.255 EQ SMTP
but this does not work (192.168.11.0/24 is the LAN)
To get mail flow I have to use
PERMIT IP 195.90.96.0 0.0.1.255
Obviously I would like to restrict this range to SMTP only - Any ideas?
It appears you are using a standard ACL. What you want is an extended ACL.
access-list <id> extended .....
Extended:
http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/a1_72.html#wp1444018
Standard:
http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/a1_72.html#wp1441213
ASKER
This is already an extended ACL.
I tried the following
PERMIT IP 195.90.96.0 0.0.1.253 EQ 25
and got the following reply
%invalid input detected at '^' marker
Any other ideas?
Should I be able to setup an ACL specifying a range of addresses allowed to access a specific port on a host internally?
ASKER CERTIFIED SOLUTION
is it not rather
access-list acl PERMIT TCP any 195.90.96.0 0.0.1.255 EQ 23
^^^^
aren't your mail servers in the 195.90.96.0 network?
you can do
access-list acl PERMIT TCP 192.168.11.0 0.0.0.255 195.90.96.0 0.0.1.255 EQ 23
to permit your host from lan to open smtp port on the mail server int 195.90.96.0
what interface you are applying your acls and which direction? can you just post an output from
sh run | inc access
Pretty sure the 195.90.96.0/23 servers are on the outside (incoming SMTP).
PERMIT TCP 195.90.96.0 0.0.1.255 any EQ SMTP
Well, I must confess I'm way too sloppy. It is of course .... eq 25 (or smtp). Shame on me :)
Well, I dunno ... since PERMIT IP 195.90.96.0 0.0.1.255 is working, I've just translated it into extended syntax:
PERMIT TCP any 195.90.96.0 0.0.1.255 EQ smtp
Actually, in a standard ACL, the address is the source.
You are right... please ignore all my comments. Damn, got to go back to school :P
Your syntax suggests you're using a standard ACL because you are not entering a source and destination address. A previous post would have you enter the keyword 'any', which would be the destination address.
ASKER
Hi, to put things straight -
The internal LAN is 192.168.11.0 - the email server is 192.168.11.222
There is a NAT rule redirecting port 25 to this IP address
Email is filtered by an off-site mail cleansing company and the only email addresses they will send to us are 212.50.178.128 / 255.255.255.192 and 195.90.96.0 / 255.255.254.0, therefore we only want to accept incoming SMTP sessions from these ranges.
JFrederick29> your suggestion has worked
I am happy with the code fragment as follows just never knew why the following did not work initially
PERMIT TCP 195.90.96.0 0.0.1.255 192.168.11.0 0.0.0.255 EQ SMTP
2 permit tcp 195.90.96.0 0.0.1.255 any eq smtp (821 matches)
3 permit tcp 212.50.178.128 0.0.0.63 any eq smtp
15 deny tcp any any eq smtp (434 matches)
>PERMIT TCP 195.90.96.0 0.0.1.255 192.168.11.0 0.0.0.255 EQ SMTP
You can't use the LAN address as the destination: to the outside, the destination will be the public/NAT IP address of the SMTP server.
Instead of "any", you could use your public IP address range if really desired.
ASKER
Oh I understand that explains it!
if you have a PIX or ASA:
access-list acl PERMIT TCP any 195.90.96.0 255.255.254.0 EQ 23
if it is a router:
access-list acl PERMIT TCP any 195.90.96.0 0.0.1.255 EQ 23
You are missing the source initiating the SMTP session. When you use extended ACLs you need to give the source network as well. "any" means from everywhere.
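The two points the thread settles on are (1) the destination in an inbound extended ACE is the public/NAT address, not the LAN address, and (2) a router wants IOS wildcard masks where a PIX/ASA wants subnet masks. The following is an added example, not code from the thread or from Cisco: a small Python model of IOS extended-ACL matching (wildcard bits mean "don't care", first matching entry wins, implicit deny at the end, "any" is 0.0.0.0 255.255.255.255). It parses the asker's final ACL and the earlier attempt with the LAN destination, then evaluates a constructed inbound packet against both. The public SMTP address 203.0.113.10 is an assumption (a documentation range), since the thread never states it.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed for this example: the public address that the NAT rule maps to the
# internal mail server 192.168.11.222. Assumed, not taken from the thread.
PUBLIC_SMTP_IP = "203.0.113.10"

PORT_NAMES = {"smtp": 25}


def wildcard_from_netmask(netmask: str) -> str:
    """IOS wildcard masks are the bitwise inverse of the PIX/ASA subnet mask."""
    m = int(ipaddress.IPv4Address(netmask))
    return str(ipaddress.IPv4Address(m ^ 0xFFFFFFFF))


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """A bit set in the wildcard is 'don't care'; every other bit must equal the network."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    return (a & care) == (n & care)


@dataclass
class Ace:
    action: str          # "permit" or "deny"
    proto: str           # "ip" or "tcp" is all this example needs
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dport: Optional[int] = None


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


def _take_addr(tokens: List[str]) -> Tuple[str, str]:
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D W.W.W.W'."""
    if not tokens or tokens[0] == "eq":
        # IOS rejects an extended ACE that stops before the destination.
        raise ValueError("% Incomplete command")
    tok = tokens.pop(0)
    if tok == "any":
        return "0.0.0.0", "255.255.255.255"
    if tok == "host":
        return tokens.pop(0), "0.0.0.0"
    if not tokens:
        raise ValueError("% Incomplete command")
    return tok, tokens.pop(0)


def parse_ace(line: str) -> Ace:
    """Parse an IOS extended ACE: '<permit|deny> <proto> <src> <dst> [eq <port>]'."""
    toks = line.lower().split()
    action, proto, rest = toks[0], toks[1], toks[2:]
    src, src_wc = _take_addr(rest)
    dst, dst_wc = _take_addr(rest)
    dport = None
    if rest and rest[0] == "eq":
        name = rest[1]
        dport = PORT_NAMES[name] if name in PORT_NAMES else int(name)
    return Ace(action, proto, src, src_wc, dst, dst_wc, dport)


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First matching entry wins; an ACL with no match ends in an implicit deny."""
    for ace in acl:
        if ace.proto not in ("ip", pkt.proto):
            continue
        if not wildcard_match(pkt.src, ace.src, ace.src_wc):
            continue
        if not wildcard_match(pkt.dst, ace.dst, ace.dst_wc):
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        return ace.action
    return "deny"


# The ACL the asker ended up with (the 'sh access-list' lines in the thread).
WORKING_ACL = [parse_ace(l) for l in (
    "permit tcp 195.90.96.0 0.0.1.255 any eq smtp",
    "permit tcp 212.50.178.128 0.0.0.63 any eq smtp",
    "deny tcp any any eq smtp",
)]

# The earlier attempt that 'did not work': LAN address as the destination.
BROKEN_ACL = [parse_ace(l) for l in (
    "permit tcp 195.90.96.0 0.0.1.255 192.168.11.0 0.0.0.255 eq smtp",
    "deny tcp any any eq smtp",
)]

# Constructed packet as it arrives on the outside interface, before NAT:
# the destination is the public address, never 192.168.11.222.
INBOUND_FROM_FILTER = Packet("tcp", "195.90.97.5", PUBLIC_SMTP_IP, 25)
```

Running `evaluate(WORKING_ACL, INBOUND_FROM_FILTER)` returns "permit" while `evaluate(BROKEN_ACL, INBOUND_FROM_FILTER)` returns "deny", which is exactly the failure the asker saw: the inbound ACE never sees the LAN destination, so the packet falls through to the deny. `wildcard_from_netmask("255.255.254.0")` gives "0.0.1.255", the router form of the ASA mask in the last reply.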