Cisco Access list to allow POP3, IMAP and SMTP

Hello,

I am in the middle of an assignment and have become a bit confused on access-lists. Take a look at my rather crude networking pic attached to get an idea of the problem.

What I need to do is allow every host on my network to access the email server at address 193.193.193.193, allowing email to be sent to and downloaded from the mail server (SMTP out and IMAP and POP3 in). This is how I've played it (I am controlling router R1 and both access lists will be placed on s0/1):

To allow SMTP to go out I've done this:

access-list 101 permit tcp any host 193.193.193.193 eq 25
 
I placed that on interface s0/1 on R1 - OUTBOUND.

To allow IMAP and POP3 in, I've done:

access-list 102 permit tcp host 193.193.193.193 any eq 110
access-list 102 permit tcp host 193.193.193.193 any eq 143

This access list is placed INBOUND on s0/1 on R1.

But this is where I'm getting confused:

1. On the outbound access list (access-list 101), would I need to allow POP3 and IMAP to go out? I'm getting confused because I read that IMAP and POP3 are only used to download the email from the server to the client. However, I'm thinking that in order to connect to the server in the first place, this would require IMAP/POP3 (whichever is being used) as well?

2. Regarding access-list 102 - I'm worried about the placement of the port numbers. At the moment, are those two lines saying "allow packets from 193.193.193.193 to any host as long as the **source port** is IMAP or POP3", or is it saying "allow packets from 193.193.193.193 to any host as long as the **destination port** is IMAP or POP3"? I would need it to refer to the former, right?

Thanks for any help.
network.JPG
cruz1985 Asked:

ksims1129 Commented (accepted solution):
You can apply access-list 122 either way
int s0/1
ip access-group 122 out
 or
int fa0/0
ip access-group 122 in

I would recommend always placing access-list as close to the source as possible as this can make things complicated as your configuration grows.

For what you are trying to accomplish, access-list 102 is correct. The only thing you need to add is:

access-list 102 permit tcp host 193.193.193.193 eq 25 any

This will allow the SMTP traffic flow to be successful. TCP is a two-way communication. If you let it go out you also have to allow it back in to set up that two-way conversation.
 
ksims1129 Commented:
Technically, you're making this hard on yourself. You can easily put an access list on the inbound inside interface with the following lines to accomplish what you are trying to do.

access-list 122 permit tcp any host 193.193.193.193 eq 110
access-list 122 permit tcp any host 193.193.193.193 eq 143
access-list 122 permit tcp any host 193.193.193.193 eq 25

Yes, you need to allow POP3 and IMAP out. The clients initiate the session to the server on ports 143 and 110. So therefore the clients need to be able to connect to the server. To answer #2, your statement is not doing anything. It's saying that traffic sourced from 193.193.193.193 is allowed to access anything on port 143 and 110. Since that server is not on the internal network, the statements are not serving any purpose.
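The two points made in the answers above (that `eq N` binds to whichever address it directly follows, and that the reply half of the TCP conversation needs its own permit on the inbound side) can be checked mechanically. What follows is an added example, not code from the thread or from Cisco: a small Python matcher for the subset of numbered extended ACL syntax used on this page, run against the exact lines posted above (the 102 list as posted, the 102 list with the port keyword moved and the `eq 25 any` line from the accepted answer, and the 122 list) and against constructed packets. The inside client address 10.0.0.5 is an assumption, since the diagram is not on the page, and the `established` line is standard IOS syntax that the thread does not propose; it is included to show the usual way of admitting only replies to sessions the inside opened.

```python
"""Added example: evaluate the thread's Cisco ACL lines against constructed packets.

Supported subset:  access-list N permit|deny tcp SRC [eq PORT] DST [eq PORT] [established]
where SRC/DST is `any`, `host A.B.C.D`, or `A.B.C.D WILDCARD`.  First match wins,
and the implicit `deny any` at the end of every Cisco ACL is modelled.
"""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass
from typing import Optional


def _ip(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    ack: bool = False  # True once ACK or RST is set, i.e. anything after the first SYN


@dataclass(frozen=True)
class AddrMatch:
    net: int
    wild: int  # Cisco wildcard mask: a 1 bit means "don't care"

    def matches(self, dotted: str) -> bool:
        return ((_ip(dotted) ^ self.net) & (~self.wild & 0xFFFFFFFF)) == 0


ANY = AddrMatch(0, 0xFFFFFFFF)


@dataclass(frozen=True)
class Ace:
    action: str
    src: AddrMatch
    sport: Optional[int]  # from an `eq N` placed directly after the SOURCE address
    dst: AddrMatch
    dport: Optional[int]  # from an `eq N` placed directly after the DESTINATION address
    established: bool

    def matches(self, p: Packet) -> bool:
        return (self.src.matches(p.src) and self.dst.matches(p.dst)
                and (self.sport is None or self.sport == p.sport)
                and (self.dport is None or self.dport == p.dport)
                and (not self.established or p.ack))


def parse_ace(line: str) -> tuple[int, Ace]:
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny") or t[3] != "tcp":
        raise ValueError(f"unsupported ACE: {line!r}")
    i = 4

    def addr() -> AddrMatch:  # consumes `any`, `host X`, or `X WILDCARD`
        nonlocal i
        if t[i] == "any":
            i += 1
            return ANY
        if t[i] == "host":
            i += 2
            return AddrMatch(_ip(t[i - 1]), 0)
        i += 2
        return AddrMatch(_ip(t[i - 2]), _ip(t[i - 1]))

    def port() -> Optional[int]:  # consumes an optional `eq N`
        nonlocal i
        if i < len(t) and t[i] == "eq":
            i += 2
            return int(t[i - 1])
        return None

    src, sport, dst, dport = addr(), port(), addr(), port()
    established = i < len(t) and t[i] == "established"
    if established:
        i += 1
    if i != len(t):
        raise ValueError(f"trailing tokens in ACE: {line!r}")
    return int(t[1]), Ace(t[2], src, sport, dst, dport, established)


class Acl:
    def __init__(self, lines: list[str]) -> None:
        parsed = [parse_ace(line) for line in lines]
        if len({n for n, _ in parsed}) != 1:
            raise ValueError("all lines must belong to one access-list number")
        self.number, self.aces = parsed[0][0], [ace for _, ace in parsed]

    def permits(self, p: Packet) -> bool:
        for ace in self.aces:  # first matching entry decides
            if ace.matches(p):
                return ace.action == "permit"
        return False  # implicit deny any


MAIL = "193.193.193.193"
CLIENT = "10.0.0.5"  # assumed inside host (the thread's diagram is not on the page)
ACL_102_AS_POSTED = [f"access-list 102 permit tcp host {MAIL} any eq {p}" for p in (110, 143)]
ACL_102_CORRECTED = [f"access-list 102 permit tcp host {MAIL} eq {p} any" for p in (110, 143, 25)]
ACL_122 = [f"access-list 122 permit tcp any host {MAIL} eq {p}" for p in (110, 143, 25)]
ACL_ESTABLISHED = [f"access-list 102 permit tcp host {MAIL} any established"]  # assumed alternative

# Constructed packets: the client's first SYN, the server's replies, and an unsolicited
# connection from the server's address INTO the LAN on port 110.
CLIENT_SYN_POP3 = Packet(CLIENT, MAIL, 50000, 110)
SERVER_REPLY_POP3 = Packet(MAIL, CLIENT, 110, 50000, ack=True)
SERVER_REPLY_SMTP = Packet(MAIL, CLIENT, 25, 50001, ack=True)
NEW_CONN_TO_LAN_110 = Packet(MAIL, CLIENT, 40000, 110)


def thread_results() -> dict[str, bool]:
    posted, fixed = Acl(ACL_102_AS_POSTED), Acl(ACL_102_CORRECTED)
    outbound, est = Acl(ACL_122), Acl(ACL_ESTABLISHED)
    return {
        "posted_permits_pop3_reply": posted.permits(SERVER_REPLY_POP3),
        "posted_permits_new_conn_to_lan_110": posted.permits(NEW_CONN_TO_LAN_110),
        "fixed_permits_pop3_reply": fixed.permits(SERVER_REPLY_POP3),
        "fixed_permits_smtp_reply": fixed.permits(SERVER_REPLY_SMTP),
        "fixed_permits_new_conn_to_lan_110": fixed.permits(NEW_CONN_TO_LAN_110),
        "outbound_122_permits_client_syn": outbound.permits(CLIENT_SYN_POP3),
        "established_permits_reply": est.permits(SERVER_REPLY_POP3),
        "established_permits_new_syn": est.permits(NEW_CONN_TO_LAN_110),
    }


if __name__ == "__main__":
    for name, verdict in thread_results().items():
        print(f"{name:38} {'permit' if verdict else 'deny'}")
```

Running it shows the 102 list as posted denying the server's POP3 replies (source port 110, destination port ephemeral) while permitting a brand-new connection from the server's address into the LAN on port 110, which is the opposite of what the question wants; with `eq` moved in front of `any` the replies pass and the unsolicited connection hits the implicit deny. The `established` variant passes any reply without listing ports but still drops a fresh SYN, which is why a practitioner usually reaches for it (or a stateful inspection feature) rather than enumerating source ports on the inbound list.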
 
cruz1985 (Author) Commented:
Ok, need some serious clarification here. Just to check, would the access-list 122, which you've drawn up, go on the interface s0/1 or the interface directly connected to my network? If I follow what you're saying, you mean this, right:

int s0/1
ip access-group 122 out

And in reply to your second point, if I was to leave it at just the above, how would I filter traffic coming into the network? Surely I would need this (I've changed the port numbers to the other side now):

access-list 102 permit tcp host 193.193.193.193 eq 110 any
access-list 102 permit tcp host 193.193.193.193 eq 143 any

int s0/1
ip access-group 102 in

Remember, I need to filter traffic coming into the network so that only IMAP and POP3 traffic is allowed in (let's just assume for now that everything else must be blocked from the internet into my network). So I would need something like the above, surely?

Apologies if I'm confusing you with this lol. Just can't quite get my head round this 100%.
 
cruz1985 (Author) Commented:
Ahh, got ya.

Many thanks for your help.
Question has a verified solution.