Solved

Cisco ACL

Posted on 2009-03-30
Last Modified: 2012-05-06
Hi,

I need to add ACLs to allow incoming SMTP only for the following ranges,
212.50.178.128 / 255.255.255.192
195.90.96.0 /  255.255.254.0  

If I just look at the second ACL for a moment, I tried the following
PERMIT TCP 195.90.96.0 0.0.1.255 EQ SMTP
but I get % Incomplete command

So I tried
PERMIT TCP 195.90.96.0 0.0.1.255 192.168.11.0 0.0.0.255 EQ SMTP
but this does not work (192.168.11.0/24 is the LAN)

To get mail flow I have to use
PERMIT IP 195.90.96.0 0.0.1.255

Obviously I would like to restrict this range to SMTP only - Any ideas?
Question by:nmxsupport
14 Comments
 
LVL 7

Expert Comment

by:egyptco
ID: 24017529
hi,

if you having PIX or ASA:

access-list acl PERMIT TCP any  195.90.96.0 255.255.254.0 EQ 23

if it is router:

access-list acl PERMIT TCP any 195.90.96.0 0.0.1.255 EQ 23

You are missing the source initiating the SMTP. When you use extended ACLs you need to give the source network as well. any means from everywhere.
 
0
 
LVL 4

Expert Comment

by:lpacker
ID: 24017580
It appears you are using a standard ACL. What you want is an extended ACL.
access-list <id> extended .....
Extended:
http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/a1_72.html#wp1444018
Standard:
http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/a1_72.html#wp1441213
 
0
 

Author Comment

by:nmxsupport
ID: 24017823
This is already an extended ACL.

I tried the following
PERMIT IP 195.90.96.0 0.0.1.253 EQ 25
and got the following reply
%invalid input detected at '^' marker

Any other ideas?
Should I be able to setup an ACL specifying a range of addresses allowed to access a specific port on a host internally?



0
 
LVL 43

Accepted Solution

by:JFrederick29 earned 2000 total points
ID: 24017834
Use this syntax:

PERMIT TCP 195.90.96.0 0.0.1.255 any EQ SMTP
                                                        ^^^
0
 
LVL 7

Expert Comment

by:egyptco
ID: 24018020
is it not rather
access-list acl PERMIT TCP any 195.90.96.0 0.0.1.255 EQ 23
                                           ^^^^

aren't your mail servers in the 195.90.96.0 network?

you can do
access-list acl PERMIT TCP 192.168.11.0 0.0.0.255 195.90.96.0 0.0.1.255 EQ 23

to permit your hosts on the LAN to open the SMTP port on the mail server in 195.90.96.0

Which interface are you applying your ACLs to, and in which direction? Can you just post the output from
sh run | inc access

0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24018053
Pretty sure the 195.90.96.0/23 servers are on the outside (incoming SMTP).

PERMIT TCP 195.90.96.0 0.0.1.255 any EQ SMTP
0
 
LVL 7

Expert Comment

by:egyptco
ID: 24018059
Well, I must confess I'm way too sloppy. It is of course .... eq 25 (or SMTP). Shame on me :)
0
 
LVL 7

Expert Comment

by:egyptco
ID: 24018137
Well, I dunno ... since PERMIT IP 195.90.96.0 0.0.1.255 is working, I've just translated it into extended syntax:
PERMIT TCP any 195.90.96.0 0.0.1.255 EQ smtp
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24018151
Actually, in a standard ACL, the address is the source.
0
 
LVL 7

Expert Comment

by:egyptco
ID: 24018198
You are right... please ignore all my comments. Damn, got to go back to school :P
0
 
LVL 4

Expert Comment

by:lpacker
ID: 24018311
Your syntax suggests you're using a standard ACL because you are not entering a source and destination address. A previous post would have you enter the keyword 'any', which would be the destination address.
0
 

Author Comment

by:nmxsupport
ID: 24018326
Hi, to put things straight -

The internal LAN is 192.168.11.0 - the email server is 192.168.11.222
There is a NAT rule redirecting port 25 to this IP address
Email is filtered by an off-site mail cleansing company and the only email addresses they will send to us from are 212.50.178.128 / 255.255.255.192 and 195.90.96.0 / 255.255.254.0, therefore we only want to accept incoming SMTP sessions from these ranges.

JFrederick29> your suggestion has worked
I am happy with the code fragment as follows; I just never knew why the following did not work initially
PERMIT TCP 195.90.96.0 0.0.1.255 192.168.11.0 0.0.0.255 EQ SMTP



    2 permit tcp 195.90.96.0 0.0.1.255 any eq smtp (821 matches)
    3 permit tcp 212.50.178.128 0.0.0.63 any eq smtp
    15 deny tcp any any eq smtp (434 matches)


0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24018339
>PERMIT TCP 195.90.96.0 0.0.1.255 192.168.11.0 0.0.0.255 EQ SMTP

You can't use the LAN address as the destination; to the outside, the destination will be the public/NAT IP address of the SMTP server.

Instead of "any", you could use your public IP address range if really desired.
0
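To make the accepted answer concrete, here is an added Python example (not from the thread or from Cisco) that derives the wildcard masks from the two subnet masks in the question and evaluates the thread's ACL entries against sample inbound SMTP packets. It assumes a constructed public/NAT address for the firewall, since the page never gives one, and shows why the entry with the LAN as destination never matches traffic arriving from outside.

```python
import ipaddress

PORT_NAMES = {'smtp': 25}  # the only service name this thread uses

def wildcard_from_mask(mask):
    """A Cisco wildcard mask is the bitwise inverse of the subnet mask."""
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF))

def _matches(addr, base, wildcard):
    """Bits the wildcard leaves as 0 must equal the base; wildcard 1-bits are don't-care."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w & 0xFFFFFFFF) == (b & ~w & 0xFFFFFFFF)

def parse_ace(line):
    """Parse '<action> <proto> <src> <wc>|any <dst> <wc>|any [eq <port>]'."""
    toks = line.lower().split()
    i = 2
    def take_endpoint():
        nonlocal i
        if toks[i] == 'any':
            i += 1
            return ('0.0.0.0', '255.255.255.255')  # every wildcard bit set
        i += 2
        return (toks[i - 2], toks[i - 1])
    src, dst = take_endpoint(), take_endpoint()
    port = None
    if i < len(toks) and toks[i] == 'eq':
        name = toks[i + 1]
        port = PORT_NAMES[name] if name in PORT_NAMES else int(name)
    return {'action': toks[0], 'proto': toks[1], 'src': src, 'dst': dst, 'port': port}

def evaluate(acl, proto, src, dst, dport):
    """Return (action, entry number). First match wins; no match is the implicit deny."""
    for n, line in enumerate(acl, 1):
        e = parse_ace(line)
        if e['proto'] not in ('ip', proto):
            continue
        if not (_matches(src, *e['src']) and _matches(dst, *e['dst'])):
            continue
        if e['port'] is not None and e['port'] != dport:
            continue
        return e['action'], n
    return 'deny', None

# Constructed placeholder for the firewall's public/NAT address (not given on the page).
PUBLIC_IP = '203.0.113.10'
# The author's original entry (LAN as destination) beside the accepted entries.
ACL_LAN_DST = ['permit tcp 195.90.96.0 0.0.1.255 192.168.11.0 0.0.0.255 eq smtp']
ACL_ANY_DST = ['permit tcp 195.90.96.0 0.0.1.255 any eq smtp',
               'permit tcp 212.50.178.128 0.0.0.63 any eq smtp',
               'deny tcp any any eq smtp']
```

Inbound mail from the cleansing company arrives with the public IP as its destination, so `evaluate(ACL_LAN_DST, 'tcp', '195.90.97.5', PUBLIC_IP, 25)` falls through to the implicit deny while the `any` form permits it on entry 1.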
 

Author Comment

by:nmxsupport
ID: 24018407
Oh I understand that explains it!
0
Question has a verified solution.