09-15-2007 04:37 AM - edited 03-03-2019 06:46 PM
Hi guys,
Just wondering if someone can please help me with a configuration issue on a 857w router?
I would like to only accept email traffic from two public IP addresses to the internal mail server. I have configured the "ip nat inside source... " command which works fine, however is there any way to create an access list on the outside interface? Currently "any" connection is possible to the mail server. I have tried with the access-group command in Dialer0 however as soon as it is applied, I lose all outbound connections from my LAN. The ADSL connection is using Dialer0. I have pasted the relevant config below.
Thanks for any help you can provide.
Regards
Craig
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 8/35
encapsulation aal5snap
protocol ppp dialer
dialer pool-member 1
!
dsl operating-mode auto
!
< omitted config >
!
interface Vlan1
description LAN
ip address 192.168.x.254 255.255.255.0
ip access-group 101 in
ip nat inside
ip virtual-reassembly
!
interface Dialer0
description ADSL
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp chap hostname ********
ppp chap password *******
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http secure-server
ip nat inside source list 101 interface Dialer0 overload
ip nat inside source static tcp 192.168.15.12 25 interface Dialer0 25
!
access-list 101 permit ip host 192.168.15.0 any
access-list 101 permit ip any any
09-15-2007 05:12 AM
Hi,
the correct acl would be:
permit tcp host
permit tcp host
deny ip any host
permit ip any any
hope this helps, please rate post if it does!
09-15-2007 04:41 AM
Hello,
can you explain again what exactly you are trying to limit and which access-list have you tried ?
09-15-2007 04:48 AM
Gday,
All our email comes from two of our anti spam appliances which have public IP addresses. I would like our email to only accept smtp traffic from the two anti spam appliances.
The anti spam servers are offsite in a data centre, all our MX records point to the anti spam appliances which then forward to our public IP address.
We are trying to configure the 857 to only accept smtp traffic from those two appliances via their public IPs.
I have attempted to create an access list that went something like "access-list 101 permit tcp host x.x.x.x host
When we use the "ip access-group 101 in" on the dialer0 interface, we lose all outbound access from the LAN.
Thanks again for your help
Regards
Craig
09-15-2007 02:58 PM
Good morning,
Thanks for your reply. The access list you have given is basically what I originally had. However, how can I apply this to the interface?
As can be seen in my original post (with config), I have an access list for traffic from the LAN to the internet. The access list is applied using the "ip access-group 101 in" on the LAN interface.
How does the same apply to inbound traffic from the internet through dialer0 interface, as trying to apply the access-group command to the dialer0 interface causes all traffic to stop?
Thanks again for your help
regards
Craig
09-15-2007 03:44 PM
Craig,
You need to create a different ACL since 101 is used for NAT and perhaps that's the reason it is not working.
Follow Paolo's advice on the ACL syntax. Use ACL 102 for this task. Apply it on the dialer interface.
ip access-group 102 in
should do it.
09-15-2007 03:57 PM
Good morning,
Thanks for your reply. I have actually used a different access list / group for the dialer0 interface. However, when applied to the dialer0 interface, I lose all connectivity to the internet. Removing the "ip access-group
Please see post below. Post below is using ACL 120. Internet connectivity is not available using this config.
I have configured numerous PIX, and while the commands are slightly different, the idea is still the same. However, I seem to be missing something with regards to the dialer0 config ???? :-)
Thanks again for your help
interface Vlan1
description LAN
ip address 192.168.15.254 255.255.255.0
ip access-group 101 in
ip nat inside
ip virtual-reassembly
!
interface Dialer0
description ADSL
ip address negotiated
ip access-group 120 in
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp chap hostname *****
ppp chap password 0 ******
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http secure-server
ip nat inside source list 101 interface Dialer0 overload
ip nat inside source static tcp 192.168.15.12 25 interface Dialer0 25
!
access-list 101 permit ip host 192.168.15.0 any
access-list 101 permit ip any any
access-list 120 permit tcp host x.x.x.x host x.x.x.x eq smtp
access-list 120 permit tcp host x.x.x.x host x.x.x.x eq smtp
09-15-2007 05:11 PM
If you look carefully at Paolo's reply, you are missing two vital entries on that ACL.
Your ACL should look like this:
access-list 120 permit tcp host x.x.x.x host x.x.x.x eq smtp
access-list 120 permit tcp host x.x.x.x host x.x.x.x eq smtp
access-list 120 deny tcp any any eq smtp
access-list 120 permit ip any any
The last 2 entries will deny smtp from other sources and you need to allow ip any any, else you will get an implicit deny all.
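To make the difference between the two-entry ACL and the four-entry ACL concrete, here is an added example (it is not from this thread and not Cisco code) that models how an IOS numbered extended ACL applied with "ip access-group ... in" evaluates a packet: top to bottom, first match wins, and an implicit deny sits after the last entry. The addresses are constructed from the RFC 5737 documentation ranges, not the poster's real ones; "ROUTER" stands in for the address negotiated on Dialer0.

```python
"""Added example: first-match evaluator for a subset of IOS extended ACL syntax.
Only 'host <addr>' and 'any' are handled; wildcard masks are out of scope here."""
from dataclasses import dataclass
from typing import List, Optional

PORT_NAMES = {"smtp": 25, "www": 80}   # IOS keyword -> port number

@dataclass
class Entry:
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches every protocol, else "tcp"/"udp"
    src: str               # IPv4 address or "any"
    dst: str
    dport: Optional[int]   # None = any destination port

def _addr(tok, i):
    """Consume one address operand at tok[i]; return (address, next index)."""
    if tok[i] == "any":
        return "any", i + 1
    if tok[i] == "host":
        return tok[i + 1], i + 2
    raise ValueError("wildcard masks are not supported in this example: " + tok[i])

def parse_acl(lines: List[str]) -> List[Entry]:
    """Parse 'access-list <n> permit|deny <proto> <src> <dst> [eq <port>]' lines."""
    entries = []
    for line in lines:
        tok = line.split()
        if tok[0] != "access-list":
            raise ValueError("not an access-list line: " + line)
        action, proto = tok[2], tok[3]
        src, i = _addr(tok, 4)
        dst, i = _addr(tok, i)
        dport = None
        if i < len(tok) and tok[i] == "eq":
            p = tok[i + 1]
            dport = PORT_NAMES[p] if p in PORT_NAMES else int(p)
        entries.append(Entry(action, proto, src, dst, dport))
    return entries

def evaluate(acl: List[Entry], proto: str, src: str, dst: str, dport: int) -> str:
    """Return 'permit' or 'deny' for one packet, IOS first-match style."""
    for e in acl:
        if e.proto != "ip" and e.proto != proto:
            continue
        if e.src != "any" and e.src != src:
            continue
        if e.dst != "any" and e.dst != dst:
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action
    return "deny"   # implicit deny at the end of every IOS ACL

# Constructed sample addresses (RFC 5737 documentation ranges).
ROUTER = "203.0.113.10"        # address negotiated on Dialer0
SPAM_A = "198.51.100.5"        # first anti-spam appliance
SPAM_B = "198.51.100.6"        # second anti-spam appliance
WEB = "192.0.2.80"             # some web server a LAN user browses to
ROGUE = "192.0.2.99"           # any other host trying to deliver mail directly

# The poster's original two-entry ACL 120.
BROKEN = parse_acl([
    f"access-list 120 permit tcp host {SPAM_A} host {ROUTER} eq smtp",
    f"access-list 120 permit tcp host {SPAM_B} host {ROUTER} eq smtp",
])

# The corrected four-entry ACL from the reply above.
FIXED = parse_acl([
    f"access-list 120 permit tcp host {SPAM_A} host {ROUTER} eq smtp",
    f"access-list 120 permit tcp host {SPAM_B} host {ROUTER} eq smtp",
    "access-list 120 deny tcp any any eq smtp",
    "access-list 120 permit ip any any",
])

def web_reply(acl) -> str:
    """Inbound reply from a web server to a LAN user's NAT'd session (high port)."""
    return evaluate(acl, "tcp", WEB, ROUTER, 40321)

def smtp_from(acl, src) -> str:
    """Inbound SMTP connection to the router's public address."""
    return evaluate(acl, "tcp", src, ROUTER, 25)

if __name__ == "__main__":
    for name, acl in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(name, "web reply:", web_reply(acl),
              "| smtp from appliance:", smtp_from(acl, SPAM_A),
              "| smtp from rogue:", smtp_from(acl, ROGUE))
```

The run shows why the LAN lost internet access: the ACL is stateless, so the reply packets of every outbound session arrive inbound on Dialer0 and fall through to the implicit deny unless a trailing "permit ip any any" catches them. With that entry in place only the "deny tcp any any eq smtp" line in front of it limits inbound mail to the two appliances; everything else inbound is still accepted by the ACL and relies on NAT having no translation for it.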
09-15-2007 05:45 PM
Sorry guys, my bad. I didn't read those last two lines.
Thanks very much for the help. My apologies for dragging it out :-) should have read Paolo's config more closely.
Thanks again guys,
Regards
Craig
09-15-2007 06:33 PM
Thanks for the nice rating and good luck!
I will use big lettering to emphasize important points next time :)