Solved

Cisco ACL

Posted on 2009-03-30
14
432 Views
Last Modified: 2012-05-06
Hi,

I need to add ACLs to allow incoming SMTP only for the following ranges,
212.50.178.128 / 255.255.255.192
195.90.96.0 /  255.255.254.0  

If I just look at the the second ACL for a monent I tried the following
PERMIT TCP 195.90.96.0 0.0.1.255 EQ SMTP
but I get % Incomplete command

So I tried
PERMIT TCP 195.90.96.0 0.0.1.255 192.168.11.0 0.0.0.255 EQ SMTP
but this does not work (192.168.11.0/24 is the LAN)

To get mail flow I have to use
PERMIT IP 195.90.96.0 0.0.1.255

Obviously I would like to restrict this range to SMTP only - Any ideas?








0
Comment
Question by:nmxsupport
  • 5
  • 4
  • 3
  • +1
14 Comments
 
LVL 7

Expert Comment

by:egyptco
ID: 24017529
hi,

if you having PIX or ASA:

access-list acl PERMIT TCP any  195.90.96.0 255.255.254.0 EQ 23

if it is router:

access-list acl PERMIT TCP any 195.90.96.0 0.0.1.255 EQ 23

you missing to specify the source initiating the smtp. when you use extend acls you need to give the source network as well. any means from everywhere.
 
0
 
LVL 4

Expert Comment

by:lpacker
ID: 24017580
It appears you are using a standard ACL. What you want is an extended ACL.
acces-list <id> extended .....
Extended:
http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/a1_72.html#wp1444018
Standard:
http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/a1_72.html#wp1441213
 
0
 

Author Comment

by:nmxsupport
ID: 24017823
This is already an extendedl ACL.

I tried the following
PERMIT IP 195.90.96.0 0.0.1.253 EQ 25
and got the following reply
%invalid input detected at '^' marker

Any other ideas?
Should I be able to setup an ACL specifying a range of addresses allowed to access a specific port on a host internally?



0
 
LVL 43

Accepted Solution

by:
JFrederick29 earned 500 total points
ID: 24017834
Use this syntax:

PERMIT TCP 195.90.96.0 0.0.1.255 any EQ SMTP
                                                        ^^^
0
 
LVL 7

Expert Comment

by:egyptco
ID: 24018020
is it not rather
access-list acl PERMIT TCP any 195.90.96.0 0.0.1.255 EQ 23
                                           ^^^^

aren't your mail servers in the 195.90.96.0 network?

you can do
access-list acl PERMIT TCP 192.168.11.0 0.0.0.255 195.90.96.0 0.0.1.255 EQ 23

to permit your host from lan to open smtp port on the mail server int 195.90.96.0

what interface you are applying your acls and which direction? can you just post an output from
sh run | inc access

0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24018053
Pretty sure the 195.90.96.0/23 servers are on the outside (incoming SMTP).

PERMIT TCP 195.90.96.0 0.0.1.255 any EQ SMTP
0
 
LVL 7

Expert Comment

by:egyptco
ID: 24018059
well i must confess i'm way too sloppy. it is of cource .... eq 25 (or SMTP). shame to me_:)
0
What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

 
LVL 7

Expert Comment

by:egyptco
ID: 24018137
well I dunno ... since PERMIT IP 195.90.96.0 0.0.1.255 its working i've just translated it into extended syntaxis:
PERMIT TCP any 195.90.96.0 0.0.1.255 EQ smtp
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24018151
Actually, in a standard ACL, the address is the source.
0
 
LVL 7

Expert Comment

by:egyptco
ID: 24018198
you are right... pls ignore all my comments. damn got to go back to school:P
0
 
LVL 4

Expert Comment

by:lpacker
ID: 24018311
You syntax suggests your using a standard ACL because you are not entering a source and destination address. A previous post would have you enter the keyword 'any'  which would be the destination address.
0
 

Author Comment

by:nmxsupport
ID: 24018326
Hi to put thiings straight -

The internal LAN is 192.168.11.0 - the email server is 192.168.11.222
There is a NAT rule redirecting port 25 to this IP address
Email is filtered by an off-site mail cleansing company and the only email addresses they will send to us are 212.50.178.128 / 255.255.255.192 and 195.90.96.0 /  255.255.254.0  therfore we only want to accept incoming SMTP session from these ranges only.

JFrederick29> your suggestion has worked
I am happy with the code fragment as follows just never knew why the following did not work initially
PERMIT TCP 195.90.96.0 0.0.1.255 192.168.11.0 0.0.0.255 EQ SMTP




    2 permit tcp 195.90.96.0 0.0.1.255 any eq smtp (821 matches)

    3 permit tcp 212.50.178.128 0.0.0.63 any eq smtp

    15 deny tcp any any eq smtp (434 matches)

Open in new window

0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24018339
>PERMIT TCP 195.90.96.0 0.0.1.255 192.168.11.0 0.0.0.255 EQ SMTP

You can't use the LAN address as to the outside, the destination will be the public/NAT IP address of the SMTP server.

Instead of "any", you could use your public IP address range if really desired.
0
 

Author Comment

by:nmxsupport
ID: 24018407
Oh I understand that explains it!
0

Featured Post

Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

Join & Write a Comment

Have you experienced traffic destined through a Cisco ASA firewall disappears and you do not know if the traffic stops in the firewall or somewhere else? The solution is the capture feature. This feature was released in 6.2(1) and works in all firew…
This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
It is a freely distributed piece of software for such tasks as photo retouching, image composition and image authoring. It works on many operating systems, in many languages.
This tutorial demonstrates a quick way of adding group price to multiple Magento products.

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now