specify outside IP address access

Unanswered Question
Sep 28th, 2008

cisco 2651XM router

IOS = C2600-ADVENTERPRISEK9-M, Version 12.4(2)T

adsl wic card fitted - Dialer0

I'm using one of my PCs as a mail server and for security I was wondering if there's a way to configure the cisco firewall to only allow incoming requests from IP addresses I specify. The IPs in question will be out there on the internet, not on my LAN. All other IP addresses would be blocked.

If the adventerprise IOS I have loaded will not do this I also have the c2600-advsecurityk9-mz.124-9.T1.bin IOS.

Thanks for any pointers.

Marwan ALshawi Sun, 09/28/2008 - 18:51

Do you mean you want a normal extended ACL that permits specified source IPs to hit your public IP?

tonyspcrepairs Mon, 09/29/2008 - 02:12

Some outside IPs will need inward access through my router to the mail server machine on my LAN. I would like (if possible) to only allow IPs I've specified to have access in through the router. The purpose of this would be as a barrier to spammers trying to hijack my mail server.

Marwan ALshawi Mon, 09/29/2008 - 02:18

Do you have any NATing on your outside router interface?

Do you have a public IP that is mapped or NATed to the mail server in order to make it reachable from the internet?

tonyspcrepairs Mon, 09/29/2008 - 05:32

I think the answer to your 2nd question is yes.

With my limited knowledge I can say:

1) the NATing I'm aware of is from Dialer0 to F0/0 and F0/1.

2) ports 25, 110 and 80 are all forwarded from Dialer0 to the LAN IP of the mail server machine on F0/1. Ports 25 and 110 are for mail, and 80 is for web hosting.

Attached is my running config if it explains more. I have two LANs coming from the cisco router. My working LAN is on F0/0 on 172.16.1.xx and the mail server machine is the only machine on port F0/1 on 192.168.1.xx. I did this to provide separation of my LAN from the mail server.

Marwan ALshawi Mon, 09/29/2008 - 05:50

On your dialer0 interface you have the following permitted

access-list 105 permit tcp any any eq pop3
access-list 105 permit tcp any any eq smtp
access-list 105 permit tcp any any eq www
access-list 105 permit udp any any eq 5558
access-list 105 permit tcp any any eq 26578

from any source.

You need to make a change to this ACL so that it allows only the source addresses coming to the dialer interface on the required ports. In your static NAT you have mapped only ports 80 and 25; you can use them and deny the others, if this is the case.

Be careful, because you have an ACL related to VPN included with ACL 105.

Can you tell me why you need those lines:

access-list 105 permit ip host 172.16.1.29 172.16.0.0 0.0.255.255
access-list 105 permit ip host 172.16.1.28 172.16.0.0 0.0.255.255
access-list 105 permit ip host 172.16.1.27 172.16.0.0 0.0.255.255
access-list 105 permit ip host 172.16.1.26 172.16.0.0 0.0.255.255
access-list 105 permit ip host 172.16.1.25 172.16.0.0 0.0.255.255
access-list 105 permit ip host 172.16.1.24 172.16.0.0 0.0.255.255
access-list 105 permit ip host 172.16.1.23 172.16.0.0 0.0.255.255
access-list 105 permit ip host 172.16.1.22 172.16.0.0 0.0.255.255
access-list 105 permit ip host 172.16.1.21 172.16.0.0 0.0.255.255
access-list 105 permit ip host 172.16.1.20 172.16.0.0 0.0.255.255

If you want, for example, to allow a user from the internet who has public IP 1.1.1.1, and your dialer interface public IP is 2.2.2.2, do the following:

access-list 105 permit tcp host 1.1.1.1 host 2.2.2.2 eq 25
access-list 105 permit tcp host 1.1.1.1 host 2.2.2.2 eq 110

and so on.

But if you add the lines like this to ACL 105 it won't work, because they will be added to the end of the ACL and you will have deny statements before this allow, so the traffic will be blocked. Make a new ACL (yours is not big), like ACL 106, starting with permit and then deny.

And keep in mind, if you make an ACL with lines permitting things, everything not permitted by the ACL will be blocked, because in each ACL there is an implicit deny statement at the end.

Good luck.

If helpful, rate.
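As an added example (not code from the thread, from Cisco, or from the poster's config), here is a small Python model of the first-match rule Marwan describes: numbered extended ACL lines in the syntax used above are parsed, a packet is checked against them top to bottom, the first matching line decides, and no match means the implicit deny. The two sample ACLs are constructed: ACL 105 is modelled as already containing a `deny ip any any` before the appended host permit, and ACL 106 is the suggested new list with the host permits first; 1.1.1.1 and 2.2.2.2 are Marwan's placeholders and 9.9.9.9 is a constructed "anyone else" address.

```python
"""Added example: first-match evaluator for numbered extended ACL lines."""
import ipaddress

# Port keywords that appear in the posted config lines.
PORT_NAMES = {"smtp": 25, "pop3": 110, "www": 80}


def _parse_addr(tokens, i):
    """Return (network, next_index) for 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # Address + wildcard mask (assumed contiguous, e.g. 0.0.255.255 -> /16).
    wildcard = int(ipaddress.ip_address(tokens[i + 1]))
    mask = (~wildcard) & 0xFFFFFFFF
    net = ipaddress.ip_network(f"{tokens[i]}/{bin(mask).count('1')}", strict=False)
    return net, i + 2


def parse_acl(config_text):
    """Parse 'access-list N {permit|deny} PROTO SRC DST [eq PORT]' lines.

    Returns {acl_number: [(action, proto, src_net, dst_net, dst_port_or_None), ...]}
    in the order the lines appear, which is the order IOS evaluates them.
    """
    acls = {}
    for line in config_text.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list":
            continue
        number, action, proto = tokens[1], tokens[2], tokens[3]
        src, i = _parse_addr(tokens, 4)
        dst, i = _parse_addr(tokens, i)
        port = None
        if i < len(tokens) and tokens[i] == "eq":
            port = PORT_NAMES.get(tokens[i + 1]) or int(tokens[i + 1])
        acls.setdefault(number, []).append((action, proto, src, dst, port))
    return acls


def evaluate(entries, proto, src_ip, dst_ip, dst_port):
    """First matching entry wins; falling off the end is the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, p, src, dst, port in entries:
        if p != "ip" and p != proto:
            continue
        if s not in src or d not in dst:
            continue
        if port is not None and port != dst_port:
            continue
        return action
    return "deny"  # implicit deny at the end of every ACL


# Constructed sample config (not the poster's running config).
SAMPLE_CONFIG = """
access-list 105 permit udp any any eq 5558
access-list 105 deny ip any any
access-list 105 permit tcp host 1.1.1.1 host 2.2.2.2 eq 25
access-list 106 permit tcp host 1.1.1.1 host 2.2.2.2 eq 25
access-list 106 permit tcp host 1.1.1.1 host 2.2.2.2 eq 110
access-list 106 permit udp any any eq 5558
access-list 106 deny ip any any
"""


def decisions():
    """Evaluate a few constructed inbound packets against both sample ACLs."""
    acls = parse_acl(SAMPLE_CONFIG)
    return {
        # Permit appended after an existing deny: never reached.
        "105 smtp from 1.1.1.1": evaluate(acls["105"], "tcp", "1.1.1.1", "2.2.2.2", 25),
        # New ACL with the host permits first: allowed sender gets through.
        "106 smtp from 1.1.1.1": evaluate(acls["106"], "tcp", "1.1.1.1", "2.2.2.2", 25),
        "106 pop3 from 1.1.1.1": evaluate(acls["106"], "tcp", "1.1.1.1", "2.2.2.2", 110),
        # Any other source, or a port not listed, hits the deny.
        "106 smtp from 9.9.9.9": evaluate(acls["106"], "tcp", "9.9.9.9", "2.2.2.2", 25),
        "106 www from 1.1.1.1": evaluate(acls["106"], "tcp", "1.1.1.1", "2.2.2.2", 80),
    }


if __name__ == "__main__":
    for packet, verdict in decisions().items():
        print(f"{packet}: {verdict}")
```

Running it prints `deny` for the appended line in ACL 105 and `permit` only for 1.1.1.1 on ports 25 and 110 in ACL 106, which is the ordering point made above; the same evaluator also handles the `172.16.0.0 0.0.255.255` wildcard form from the questioned lines.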

tonyspcrepairs Mon, 09/29/2008 - 09:55

OK, thanks for your response. I tried your commands:

access-list 105 permit tcp host 1.1.1.1 host 2.2.2.2 eq 25

and they worked. Thank you very much. Only problem is, people's IP addresses change all the time, so maybe my idea wasn't that good.
