03-28-2007 10:14 AM - edited 03-11-2019 02:53 AM
Hello. I am trying to build a reflexive ACL on a 7206 router (Version 12.3(17)) to help secure email without interrupting any other services, especially FTP. Here is what I have so far:
ip access-list extended internal-smtp
permit tcp host 192.168.x.y any reflect smtp-racl
permit ip any any
ip access-list extended external-acl
<other acl statements>
evaluate smtp-racl
permit tcp any host 216.aaa.bbb.ccc eq smtp
permit tcp any host 216.aaa.bbb.ccc eq www
permit tcp any host 216.aaa.bbb.ccc eq 443
<other acl statements>
deny ip any any
interface serial01
ip access-group internal-smtp out
ip access-group external-acl in
IP addresses refer to inside local and outside global of email server.
Is this going to be effective? Is there a configuration that would be more effective? We do not have CBAC capabilities. Thanks in advance.
03-28-2007 12:22 PM
Hi
Your config needs some slight modifications. I assume you want to create a reflexive access list to track all TCP traffic, not just SMTP, originated from the inside (trusted) network. The following config would cause the router to create a temporary access list entry for all TCP traffic originated from the inside network. The config that you have in there now would only create a temporary ACE for the SMTP traffic defined in the first statement in the ACL named smtp-racl, and all other traffic would be dropped on its way back.
If you have a different requirement, please clarify.
ip access-list extended internal-smtp
permit tcp any any reflect smtp-racl
ip access-list extended external-acl
permit tcp any host 216.aaa.bbb.ccc eq smtp
permit tcp any host 216.aaa.bbb.ccc eq www
permit tcp any host 216.aaa.bbb.ccc eq 443
evaluate smtp-racl
HTH
Sundar
03-28-2007 12:48 PM
Sundar - thanks for your response.
Your assumption is correct. However, I am not certain how FTP traffic, both inbound and outbound, would be affected by your configuration. Please advise whether FTP would or would not be affected. Thanks.
03-28-2007 12:58 PM
Your outbound (inside to outside) FTP traffic would work fine, as the reflexive access list will create a temporary access list entry when the first FTP packet in the session leaves the router, and the return traffic will be allowed back in.
However, for traffic originating from outside to inside you need to explicitly allow the traffic on your inbound ACL and outbound ACL. Adding an entry to each ACL should address your concern.
ip access-list extended external-acl
permit tcp
ip access-list extended internal-smtp
permit ip any any
HTH
Sundar
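The behaviour Sundar describes, as a constructed simulation that is not Cisco code and not from either poster: it walks the poster's original outbound ACL and the revised one, then the inbound ACL with its `evaluate` line, using the thread's placeholder addresses plus a constructed outside FTP server address (198.51.100.9) and ignoring NAT, to show why a workstation's FTP reply is dropped when only the mail server's traffic is reflected, why it is permitted once all TCP is reflected, and why an unsolicited inbound FTP connection still needs its own permit.

```python
from typing import Dict, List, Optional, Set, Tuple

# Constructed simulation of IOS reflexive-ACL semantics; not Cisco code.
# Addresses are used as written in the thread (x.y / aaa.bbb.ccc placeholders); NAT is not modelled.
Pkt = Tuple[str, str, int, str, int]            # (proto, src, sport, dst, dport)
ReflexTable = Dict[str, Set[Pkt]]               # reflexive list name -> mirrored 5-tuples

class Ace:
    def __init__(self, action: str, proto: str = "ip", src: str = "any",
                 dst: str = "any", dport: Optional[int] = None, name: str = ""):
        self.action, self.proto, self.src = action, proto, src   # action: permit/deny/reflect/evaluate
        self.dst, self.dport, self.name = dst, dport, name        # name: reflexive list for reflect/evaluate

    def matches(self, p: Pkt) -> bool:
        proto, src, _, dst, dport = p
        return (self.proto in ("ip", proto) and self.src in ("any", src)
                and self.dst in ("any", dst) and self.dport in (None, dport))

def apply_acl(acl: List[Ace], p: Pkt, reflex: ReflexTable) -> str:
    """Top-down ACL walk. 'reflect' permits and records the mirrored 5-tuple so the
    reply is recognised; 'evaluate' consults those entries; implicit deny at the end."""
    proto, src, sport, dst, dport = p
    for ace in acl:
        if ace.action == "evaluate":
            if p in reflex.get(ace.name, set()):
                return "permit"
            continue                               # not a tracked reply: keep walking the ACL
        if not ace.matches(p):
            continue
        if ace.action == "reflect":
            reflex.setdefault(ace.name, set()).add((proto, dst, dport, src, sport))
            return "permit"
        return ace.action
    return "deny"

MAIL_IN, MAIL_OUT, FTP_SRV = "192.168.x.y", "216.aaa.bbb.ccc", "198.51.100.9"   # FTP_SRV is constructed
ORIGINAL_OUT = [Ace("reflect", "tcp", src=MAIL_IN, name="smtp-racl"), Ace("permit")]  # poster's version
REVISED_OUT = [Ace("reflect", "tcp", name="smtp-racl"), Ace("permit")]               # Sundar's version
EXTERNAL_IN = [Ace("evaluate", name="smtp-racl")] + [
    Ace("permit", "tcp", dst=MAIL_OUT, dport=port) for port in (25, 80, 443)]

def outbound_session(out_acl: List[Ace], client: str, server: str, port: int) -> str:
    """Inside client opens a TCP session; return the fate of the server's reply packet."""
    reflex: ReflexTable = {}
    apply_acl(out_acl, ("tcp", client, 40000, server, port), reflex)
    return apply_acl(EXTERNAL_IN, ("tcp", server, port, client, 40000), reflex)

def unsolicited_inbound(dst: str, port: int) -> str:
    """Outside host initiates to an inside address with no prior outbound session."""
    return apply_acl(EXTERNAL_IN, ("tcp", FTP_SRV, 50000, dst, port), {})
```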