Cisco Access list to allow POP3, IMAP and SMTP

Posted on 2009-05-20
Last Modified: 2013-11-29

I am in the middle of an assignment and have become a bit confused on access-lists. Take a look at my rather crude networking pic attached to get an idea of the problem.

What I need to do is allow every host on my network to access the email server at address, allowing email to be sent to and downloaded from the mail server (SMTP out and IMAP and POP3 in). This is how I've played it (I am controlling router R1 and both access lists will be placed on s0/1):

To allow SMTP to go out I've done this:

access-list 101 permit tcp any host eq 25
I placed that on interface s0/1 on R1 - OUTBOUND.

To allow IMAP and POP3 in, I've done:

access-list 102 permit tcp host any eq 110
access-list 102 permit tcp host any eq 143

This access list is placed INBOUND on s0/1 on R1.

But this is where I'm getting confused:

1. On the outbound access list (access-list 101), would I need to allow POP3 and IMAP to go out? I'm getting confused because I read that IMAP and POP3 are only used to download the email from the server to the client. However I'm thinking that in order to connect to the server in the first place, this would require IMAP/POP3 (whichever is being used) as well?

2. Regarding access-list 102 - I'm worried about the placement of the port numbers. At the moment, are those two lines saying "allow packets from to any host as long as the **source port** is IMAP or POP3", or is it saying "allow packets from to any host as long as the **destination port** is IMAP or POP3"? I would need it to refer to the former, right?

Thanks for any help.
Question by:cruz1985

Expert Comment

ID: 24437778
Technically, you're making this hard on yourself. You can easily put an access list on the inbound inside interface with the following lines to accomplish what you are trying to do.

access-list 122 permit tcp any host eq 110
access-list 122 permit tcp any host eq 143
access-list 122 permit tcp any host eq 25

Yes, you need to allow POP3 and IMAP out. The clients initiate the session to the server on ports 143 and 110. So therefore the clients need to be able to connect to the server. To answer #2, your statement is not doing anything. It's saying that traffic sourced from is allowed to access anything on port 143 and 110. Since that server is not on the internal network the statements are not serving any purpose.

Author Comment

ID: 24438909
OK, need some serious clarification here. Just to check, would the access-list 122, which you've drawn up, go on the interface s0/1 or the interface directly connected to my network? If I follow what you're saying, you mean this, right:

int s0/1
ip access-group 122 out

And in reply to your second point, if I was to leave it at just the above, how would I filter traffic coming into the network? Surely I would need this (I've changed the port numbers to the other side now):

access-list 102 permit tcp host eq 110 any
access-list 102 permit tcp host eq 143 any

int s0/1
ip access-group 102 in

Remember, I need to filter traffic coming into the network so that only IMAP and POP3 traffic is allowed in (let's just assume for now that everything else must be blocked from the internet into my network). So I would need something like the above surely?

Apologies if I'm confusing you with this lol. Just can't quite get my head round this 100%.


Accepted Solution

ksims1129 earned 2000 total points
ID: 24440065
You can apply access-list 122 either way:

int s0/1
ip access-group 122 out
int fa0/0
ip access-group 122 in

I would recommend always placing access-lists as close to the source as possible, as this can make things complicated as your configuration grows.

For what you are trying to accomplish, access-list 102 is correct. The only thing you need to add is:

access-list 102 permit tcp host eq 25 any

This will allow the SMTP traffic flow to be successful. TCP is a two-way communication. If you let it go out you also have to allow it back in to set up that two-way conversation.
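As an added illustration (not part of the thread or of any Cisco tool), a small Python model of the extended-ACL matching that question 2 and the accepted answer turn on: `eq` binds to whichever endpoint precedes it, so the server's replies, which come back with the well-known port as the *source*, are only matched by the `host ... eq PORT any` form, and an SMTP entry is needed for the SMTP replies as well. The mail-server and client addresses are constructed placeholders because the thread elides them.

```python
import re
from typing import NamedTuple

# Constructed placeholder addresses; the thread elides the real ones.
MAIL_SERVER = "203.0.113.25"   # assumed mail server on the Internet side of s0/1
CLIENT = "192.168.1.10"        # assumed host on the internal LAN

class Packet(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int

# One endpoint is "any" or "host A.B.C.D", optionally followed by "eq PORT".
_ENDPOINT = r"(any|host \S+)(?: eq (\d+))?"
_ACE = re.compile(rf"^access-list (\d+) (permit|deny) tcp {_ENDPOINT} {_ENDPOINT}$")

def parse_ace(line: str):
    """Return (action, src, sport, dst, dport); a port is None when unconstrained."""
    m = _ACE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported ACE: {line}")
    _, action, src, sport, dst, dport = m.groups()
    return action, src, (int(sport) if sport else None), dst, (int(dport) if dport else None)

def _addr_ok(spec: str, addr: str) -> bool:
    return spec == "any" or spec == f"host {addr}"

def evaluate(acl: list[str], pkt: Packet) -> str:
    """First matching entry wins; an implicit deny ends every IOS ACL."""
    for line in acl:
        action, src, sport, dst, dport = parse_ace(line)
        if (_addr_ok(src, pkt.src) and _addr_ok(dst, pkt.dst)
                and (sport is None or sport == pkt.sport)
                and (dport is None or dport == pkt.dport)):
            return action
    return "deny"

# "eq" after the source field matches the SOURCE port; after the destination, the DESTINATION port.
ORIGINAL_102 = [f"access-list 102 permit tcp host {MAIL_SERVER} any eq 110"]
CORRECTED_102 = [f"access-list 102 permit tcp host {MAIL_SERVER} eq 110 any",
                 f"access-list 102 permit tcp host {MAIL_SERVER} eq 143 any"]
# The accepted answer's addition: SMTP replies come back with source port 25.
FULL_102 = CORRECTED_102 + [f"access-list 102 permit tcp host {MAIL_SERVER} eq 25 any"]

# Inbound on s0/1 the router sees the server's replies: well-known SOURCE port,
# ephemeral DESTINATION port chosen by the client (constructed sample packets).
POP3_REPLY = Packet(MAIL_SERVER, 110, CLIENT, 51234)
SMTP_REPLY = Packet(MAIL_SERVER, 25, CLIENT, 51235)
```

Applied `in` on s0/1, `ORIGINAL_102` never matches a reply (it would only match a packet the server sent *to* port 110), while `FULL_102` admits the POP3, IMAP and SMTP replies and nothing else from the Internet.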

Author Comment

ID: 24442607
Ahh, got ya.

Many thanks for your help.
