Solved

Cisco Access list to allow POP3, IMAP and SMTP

Posted on 2009-05-20
Last Modified: 2013-11-29
Hello,

I am in the middle of an assignment and have become a bit confused on access-lists. Take a look at my rather crude networking pic attached to get an idea of the problem.

What I need to do is allow every host on my network to access the email server at address 193.193.193.193, allowing email to be sent to and downloaded from the mail server (SMTP out and IMAP and POP3 in). This is how I've played it (I am controlling router R1 and both access lists will be placed on s0/1):

To allow SMTP to go out I've done this:

access-list 101 permit tcp any host 193.193.193.193 eq 25
 
I placed that on interface s0/1 on R1 - OUTBOUND.

To allow IMAP and POP3 in, I've done:

access-list 102 permit tcp host 193.193.193.193 any eq 110
access-list 102 permit tcp host 193.193.193.193 any eq 143

This access list is placed INBOUND on s0/1 on R1.

But this is where I'm getting confused:

1. On the outbound access list (access-list 101), would I need to allow POP3 and IMAP to go out? I'm getting confused because I read that IMAP and POP3 are only used to download the email from the server to the client. However, I'm thinking that in order to connect to the server in the first place, this would require IMAP/POP3 (whichever is being used) as well?

2. Regarding access-list 102 - I'm worried about the placement of the port numbers. At the moment, are those two lines saying "allow packets from 193.193.193.193 to any host as long as the **source port** is IMAP or POP3", or is it saying "allow packets from 193.193.193.193 to any host as long as the **destination port** is IMAP or POP3"? I would need it to refer to the former, right?

Thanks for any help.
network.JPG
Question by:cruz1985

Expert Comment

by:ksims1129
ID: 24437778
Technically, you're making this hard on yourself. You can easily put an access list on the inbound inside interface with the following lines to accomplish what you are trying to do.

access-list 122 permit tcp any host 193.193.193.193 eq 110
access-list 122 permit tcp any host 193.193.193.193 eq 143
access-list 122 permit tcp any host 193.193.193.193 eq 25

Yes, you need to allow POP3 and IMAP out. The clients initiate the session to the server on ports 143 and 110, so therefore the clients need to be able to connect to the server. To answer #2, your statement is not doing anything. It's saying that traffic sourced from 193.193.193.193 is allowed to access anything on ports 143 and 110. Since that server is not on the internal network, the statements are not serving any purpose.

Author Comment

by:cruz1985
ID: 24438909
Ok, I need some serious clarification here. Just to check, would the access-list 122, which you've drawn up, go on the interface s0/1 or the interface directly connected to my network? If I follow what you're saying, you mean this, right:

int s0/1
ip access-group 122 out

And in reply to your second point, if I was to leave it at just the above, how would I filter traffic coming into the network? Surely I would need this (I've changed the port numbers to the other side now):

access-list 102 permit tcp host 193.193.193.193 eq 110 any
access-list 102 permit tcp host 193.193.193.193 eq 143 any

int s0/1
ip access-group 102 in

Remember, I need to filter traffic coming into the network so that only IMAP and POP3 traffic is allowed in (let's just assume for now that everything else must be blocked from the internet into my network). So I would need something like the above, surely?

Apologies if I'm confusing you with this lol. Just can't quite get my head round this 100%.


Accepted Solution

by: ksims1129 (earned 500 total points)
ID: 24440065
You can apply access-list 122 either way:

int s0/1
ip access-group 122 out

or

int fa0/0
ip access-group 122 in

I would recommend always placing access-lists as close to the source as possible, as this can make things complicated as your configuration grows.

For what you are trying to accomplish, access-list 102 is correct. The only thing you need to add is:

access-list 102 permit tcp host 193.193.193.193 eq 25 any

This will allow the SMTP traffic flow to be successful. TCP is a two-way communication. If you let it go out, you also have to allow it back in to set up that two-way conversation.
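The two points settled in this thread (where `eq` sits decides whether it tests the source or the destination port, and the reply half of a TCP session needs its own permit on the inbound list) can be checked by tracing packets through the posted lists. The following is an added example, not code from the thread or from Cisco: a small simulator of extended-ACL matching that understands only the forms used above (`any`, `host A`, `eq N`, and the optional `established` keyword). The internal client address 10.0.0.5 and the ephemeral ports are constructed sample values; only 193.193.193.193 comes from the thread.

```python
# Added example (not from the thread): simulate Cisco extended ACL matching
# for the mail-server lists posted above. 10.0.0.5 and the client ports are
# constructed; only 193.193.193.193 is from the thread.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    ack: bool = False  # ACK/RST flag set; this is what IOS 'established' tests


@dataclass(frozen=True)
class Ace:
    action: str               # "permit" or "deny"
    src: str                  # "any" or the address from "host A"
    src_port: Optional[int]   # 'eq' placed right after the SOURCE address
    dst: str
    dst_port: Optional[int]   # 'eq' placed right after the DESTINATION address
    established: bool


def parse_ace(line: str) -> Ace:
    """Parse 'access-list N permit|deny tcp SRC [eq P] DST [eq P] [established]'."""
    tok = line.split()
    if tok[0] != "access-list" or tok[3] != "tcp":
        raise ValueError(f"unsupported ACE: {line}")
    pos = 4

    def address() -> str:
        nonlocal pos
        if tok[pos] == "any":
            pos += 1
            return "any"
        if tok[pos] == "host":
            pos += 2
            return tok[pos - 1]
        raise ValueError(f"unsupported address form in: {line}")

    def port() -> Optional[int]:
        nonlocal pos
        if pos < len(tok) and tok[pos] == "eq":
            pos += 2
            return int(tok[pos - 1])
        return None

    src, sport = address(), port()   # an 'eq' here is a source-port test
    dst, dport = address(), port()   # an 'eq' here is a destination-port test
    established = pos < len(tok) and tok[pos] == "established"
    return Ace(tok[2], src, sport, dst, dport, established)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    return (ace.src in ("any", pkt.src_ip) and ace.dst in ("any", pkt.dst_ip)
            and ace.src_port in (None, pkt.src_port)
            and ace.dst_port in (None, pkt.dst_port)
            and (pkt.ack or not ace.established))


def acl_decision(acl: List[str], pkt: Packet) -> str:
    """First matching entry wins; the list ends with an implicit deny, as in IOS."""
    for line in acl:
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


MAIL = "193.193.193.193"   # mail server from the thread
CLIENT = "10.0.0.5"        # constructed internal host

# ksims1129's outbound list (out on s0/1, or in on the LAN-facing interface).
ACL_122_OUT = [f"access-list 122 permit tcp any host {MAIL} eq {p}" for p in (110, 143, 25)]
# cruz1985's first inbound list: 'eq' after 'any' tests the DESTINATION port.
ACL_102_FIRST = [f"access-list 102 permit tcp host {MAIL} any eq {p}" for p in (110, 143)]
# Corrected inbound list, including the smtp line the accepted answer adds.
ACL_102_FIXED = [f"access-list 102 permit tcp host {MAIL} eq {p} any" for p in (110, 143, 25)]
# Tighter variant: only segments with ACK/RST set, i.e. replies to sessions the
# inside opened, never a fresh connection the server starts towards the LAN.
ACL_102_ESTABLISHED = [line + " established" for line in ACL_102_FIXED]

# Constructed packets: one SMTP session plus one server-initiated connection.
SMTP_SYN_OUT = Packet(CLIENT, 49152, MAIL, 25)               # client -> server
SMTP_SYNACK_IN = Packet(MAIL, 25, CLIENT, 49152, ack=True)   # server's reply
POP3_REPLY_IN = Packet(MAIL, 110, CLIENT, 49153, ack=True)   # POP3 reply
SERVER_OPENS_TO_LAN = Packet(MAIL, 25, CLIENT, 22)           # new SYN from server

if __name__ == "__main__":
    for name, acl in [("102 as first posted", ACL_102_FIRST),
                      ("102 corrected", ACL_102_FIXED),
                      ("102 corrected + established", ACL_102_ESTABLISHED)]:
        print(name)
        for p in (SMTP_SYNACK_IN, POP3_REPLY_IN, SERVER_OPENS_TO_LAN):
            print(f"  {acl_decision(acl, p):6} {p.src_ip}:{p.src_port} -> {p.dst_ip}:{p.dst_port}")
```

Running it shows the first version of list 102 dropping every reply (the replies carry 110/143/25 as their source port, and that list only looks at the destination port), the corrected list permitting them, and the `established` variant additionally refusing a connection the mail server itself opens towards an inside host, which the corrected list as written would let through. `established` is a standard keyword on IOS extended TCP entries; whether it is appropriate depends on whether anything on the outside legitimately needs to open sessions inward.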

Author Comment

by:cruz1985
ID: 24442607
Ahh, got ya.

Many thanks for your help.
