Solved

Cisco Access list to allow POP3, IMAP and SMTP

Posted on 2009-05-20
6,318 Views
Last Modified: 2013-11-29
Hello,

I am in the middle of an assignment and have become a bit confused on access-lists. Take a look at my rather crude networking pic attached to get an idea of the problem.

What I need to do is allow every host on my network to access the email server at address 193.193.193.193, allowing email to be sent to and downloaded from the mail server (SMTP out and IMAP and POP3 in). This is how I've played it (I am controlling router R1 and both access lists will be placed on s0/1):

To allow SMTP to go out I've done this:

access-list 101 permit tcp any host 193.193.193.193 eq 25
 
I placed that on interface s0/1 on R1 - OUTBOUND.

To allow IMAP and POP3 in, I've done:

access-list 102 permit tcp host 193.193.193.193 any eq 110
access-list 102 permit tcp host 193.193.193.193 any eq 143

This access list is placed INBOUND on s0/1 on R1.

But this is where I'm getting confused:

1. On the outbound access list (access-list 101), would I need to allow POP3 and IMAP to go out? I'm getting confused because I read that IMAP and POP3 are only used to download the email from the server to the client. However, I'm thinking that in order to connect to the server in the first place, this would require IMAP/POP3 (whichever is being used) as well?

2. Regarding access-list 102 - I'm worried about the placement of the port numbers. At the moment, are those two lines saying "allow packets from 193.193.193.193 to any host as long as the **source port** is IMAP or POP3", or are they saying "allow packets from 193.193.193.193 to any host as long as the **destination port** is IMAP or POP3"? I would need it to refer to the former, right?

Thanks for any help.
network.JPG
Question by:cruz1985
4 Comments
 
LVL 5

Expert Comment

by:ksims1129
ID: 24437778
Technically, you're making this hard on yourself. You can easily put an access list on the inbound inside interface with the following lines to accomplish what you are trying to do.

access-list 122 permit tcp any host 193.193.193.193 eq 110
access-list 122 permit tcp any host 193.193.193.193 eq 143
access-list 122 permit tcp any host 193.193.193.193 eq 25

Yes, you need to allow POP3 and IMAP out. The clients initiate the session to the server on ports 143 and 110, so therefore the clients need to be able to connect to the server. To answer #2, your statement is not doing anything. It's saying that traffic sourced from 193.193.193.193 is allowed to access anything on ports 143 and 110. Since that server is not on the internal network, the statements are not serving any purpose.

Author Comment

by:cruz1985
ID: 24438909
Ok, need some serious clarification here. Just to check, would the access-list 122, which you've drawn up, go on the interface s0/1 or the interface directly connected to my network? If I follow what you're saying, you mean this, right:

int s0/1
ip access-group 122 out

And in reply to your second point, if I was to leave it at just the above, how would I filter traffic coming into the network? Surely I would need this (I've changed the port numbers to the other side now):

access-list 102 permit tcp host 193.193.193.193 eq 110 any
access-list 102 permit tcp host 193.193.193.193 eq 143 any

int s0/1
ip access-group 102 in

Remember, I need to filter traffic coming into the network so that only IMAP and POP3 traffic is allowed in (let's just assume for now that everything else must be blocked from the internet into my network). So I would need something like the above, surely?

Apologies if I'm confusing you with this lol. Just can't quite get my head round this 100%.


LVL 5

Accepted Solution

by: ksims1129 (earned 2000 total points)
ID: 24440065
You can apply access-list 122 either way:
int s0/1
ip access-group 122 out
 or
int fa0/0
ip access-group 122 in

I would recommend always placing access-lists as close to the source as possible, as this can make things complicated as your configuration grows.

For what you are trying to accomplish, access-list 102 is correct. The only thing you need to add is:

access-list 102 permit tcp host 193.193.193.193 eq 25 any

This will allow the SMTP traffic flow to be successful. TCP is a two-way communication. If you let it go out, you also have to allow it back in to set up that two-way conversation.
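Added example, not from the question or the answers above: a small Python model of how IOS evaluates numbered extended TCP ACL entries, written to illustrate two points from this thread, cruz1985's question 2 (whether "eq 110" placed after "any" qualifies the source or the destination port) and ksims1129's point that the server's SMTP replies have to be permitted back in. The client address 192.168.1.10, the ephemeral ports and the packets are constructed. The third ACL variant uses the IOS "established" keyword, which is real IOS syntax but is not discussed in the thread; it is there to show the check a practitioner would want on top of the accepted answer: a permit keyed on source port alone also admits a brand-new connection opened from the server side, while "established" only admits segments with ACK set, i.e. replies to sessions the inside clients opened.

```python
"""Constructed model of Cisco numbered extended ACL matching for TCP (added example)."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional

PORT_NAMES = {"smtp": 25, "pop3": 110, "imap": 143}  # names IOS accepts instead of numbers


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    ack: bool = False  # TCP ACK flag; clear only on the first SYN of a connection


@dataclass
class Rule:
    action: str
    src: IPv4Network
    sport: Optional[int]
    dst: IPv4Network
    dport: Optional[int]
    established: bool


def _addr(t, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' starting at t[i]."""
    if t[i] == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ip_network(t[i + 1] + "/32"), i + 2
    # a wildcard mask is the bitwise inverse of a netmask (contiguous masks only here)
    mask = ".".join(str(255 - int(o)) for o in t[i + 1].split("."))
    return ip_network(f"{t[i]}/{mask}", strict=False), i + 2


def _port(t, i):
    """Consume an optional 'eq <port>' qualifier starting at t[i]; None if absent."""
    if i < len(t) and t[i] == "eq":
        return PORT_NAMES.get(t[i + 1]) or int(t[i + 1]), i + 2
    return None, i


def parse_rule(line: str) -> Rule:
    """access-list <n> permit|deny tcp <src> [eq P] <dst> [eq P] [established]"""
    t = line.split()
    if t[0] != "access-list" or t[3] != "tcp":
        raise ValueError("only numbered extended TCP entries are modelled")
    src, i = _addr(t, 4)
    sport, i = _port(t, i)      # 'eq' right after the source address = SOURCE port
    dst, i = _addr(t, i)
    dport, i = _port(t, i)      # 'eq' after the destination address = DESTINATION port
    return Rule(t[2], src, sport, dst, dport, i < len(t) and t[i] == "established")


def matches(r: Rule, p: Packet) -> bool:
    return (ip_address(p.src) in r.src and ip_address(p.dst) in r.dst
            and (r.sport is None or p.sport == r.sport)
            and (r.dport is None or p.dport == r.dport)
            and (not r.established or p.ack))


def evaluate(acl: List[Rule], p: Packet) -> str:
    """First matching entry wins; the implicit 'deny ip any any' catches the rest."""
    for r in acl:
        if matches(r, p):
            return r.action
    return "deny"


MAIL = "193.193.193.193"
CLIENT = "192.168.1.10"  # constructed LAN host behind R1

# ACL 102 as first written in the question: 'eq' comes after 'any', so it is a destination port
ACL_AS_ASKED = [parse_rule(e) for e in (
    f"access-list 102 permit tcp host {MAIL} any eq 110",
    f"access-list 102 permit tcp host {MAIL} any eq 143",
)]

# ACL 102 as corrected in the thread (source port), plus the SMTP line from the accepted answer
ENTRIES = [
    f"access-list 102 permit tcp host {MAIL} eq 110 any",
    f"access-list 102 permit tcp host {MAIL} eq 143 any",
    f"access-list 102 permit tcp host {MAIL} eq 25 any",
]
ACL_CORRECTED = [parse_rule(e) for e in ENTRIES]
# Same entries with the IOS 'established' keyword (assumption beyond the thread): ACK must be set
ACL_ESTABLISHED = [parse_rule(e + " established") for e in ENTRIES]

# Constructed packets arriving INBOUND on s0/1, i.e. coming from the server side
POP3_REPLY = Packet(MAIL, CLIENT, sport=110, dport=51234, ack=True)  # reply in a client-opened POP3 session
SMTP_REPLY = Packet(MAIL, CLIENT, sport=25, dport=51235, ack=True)   # reply in a client-opened SMTP session
UNSOLICITED = Packet(MAIL, CLIENT, sport=25, dport=445, ack=False)   # new SYN from outside, source port 25


def demo() -> dict:
    return {
        "asked_pop3_reply": evaluate(ACL_AS_ASKED, POP3_REPLY),             # deny: dport 51234 != 110
        "corrected_pop3_reply": evaluate(ACL_CORRECTED, POP3_REPLY),        # permit
        "corrected_smtp_reply": evaluate(ACL_CORRECTED, SMTP_REPLY),        # permit
        "corrected_unsolicited": evaluate(ACL_CORRECTED, UNSOLICITED),      # permit: source port alone is trusted
        "established_unsolicited": evaluate(ACL_ESTABLISHED, UNSOLICITED),  # deny: no ACK flag
        "established_smtp_reply": evaluate(ACL_ESTABLISHED, SMTP_REPLY),    # permit
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:26s} {verdict}")
```

Running it prints one verdict per row of demo(): the ACL as first written drops the POP3 reply because the reply's destination port is the client's ephemeral port, not 110; the corrected list permits the replies but also permits an unsolicited SYN from the server side carrying source port 25; the "established" variant drops that SYN and still permits the genuine replies.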

Author Comment

by:cruz1985
ID: 24442607
Ahh, got ya.

Many thanks for your help.