We were having issues with our staff's access to the internet, which prompted management to direct the Info Tech Department to deny some specific systems access to the internet.
To deny internet access to systems, we basically deny address translation for the affected systems in the PAT configuration access list.
Now we want to selectively permit every system in the organisation access to our company email so that staff can check their emails (not Yahoo Mail or any of the free public email services).
I would appreciate your input on how to permit just the email access while denying access to every other site on the internet, because this may not be possible from the PAT access list configuration.
Thanks as always for your inputs.
Are these email services external? If so, you'll need to allow NAT to happen for these hosts, but you can block all of the hosts with an ACL from going anywhere else. I don't know what type of service you want to use, but if you plan on allowing Hotmail access or any other free provider, you'll need to get their block of addresses to allow access only to those addresses for the hosts that you want to allow. You would then block everything else.
1.) Allow these hosts to NAT.
2.) Create an ACL to allow whatever ports (25, for instance):
ip access-list extended NOACCESS
 remark Restricted hosts: SMTP only
 permit tcp host 192.168.1.2 any eq 25
 permit tcp host 192.168.1.3 any eq 25
 remark Restricted hosts: nothing else
 deny ip host 192.168.1.2 any
 deny ip host 192.168.1.3 any
 remark Rest of the LAN is unrestricted (a wildcard mask is used without the "host" keyword)
 permit ip 192.168.1.0 0.0.0.255 any
 deny ip any any log
The above ACL will allow your two hosts (.2 and .3) access to SMTP, but they won't be able to get anywhere else.
3.) Then you would apply this ACL inbound on your inside interface:
ip access-group NOACCESS in
I hope I understand what you're asking. =)
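A fuller version of the same design, added here as an example and not part of the original reply: the PAT access list that still translates the restricted hosts, a NOACCESS access list that permits mail only to the company mail server (a destination of "any", as in the reply, would let those hosts reach any SMTP server on the internet), and the interface bindings that tie the two together. Every name and address below is an assumption for illustration: GigabitEthernet0/0 is the inside interface on 192.168.1.0/24, GigabitEthernet0/1 is the outside interface, the company mail server is 203.0.113.25, and the internal DNS resolver is 192.168.2.10 on a second internal segment behind the router (a resolver on the same LAN segment as the clients never crosses the router and needs no entry).

```cisco
! Added example, not the original poster's configuration.
! Assumed: inside Gi0/0 (192.168.1.0/24), outside Gi0/1,
! company mail server 203.0.113.25, internal resolver 192.168.2.10,
! restricted hosts 192.168.1.2 and 192.168.1.3.
!
! 1) PAT: the overload ACL must still match the restricted hosts,
!    otherwise their packets are never translated and the filter
!    ACL below never gets a chance to allow the mail traffic.
ip access-list extended NAT-INSIDE
 remark Translate the whole LAN; restriction is done in NOACCESS
 permit ip 192.168.1.0 0.0.0.255 any
!
ip nat inside source list NAT-INSIDE interface GigabitEthernet0/1 overload
!
! 2) Filter ACL, evaluated top down, first match wins.
ip access-list extended NOACCESS
 remark Restricted hosts: name resolution, to the internal resolver only
 permit udp host 192.168.1.2 host 192.168.2.10 eq 53
 permit udp host 192.168.1.3 host 192.168.2.10 eq 53
 remark Restricted hosts: mail to the company server only (SMTP, submission, IMAPS)
 permit tcp host 192.168.1.2 host 203.0.113.25 eq 25
 permit tcp host 192.168.1.2 host 203.0.113.25 eq 587
 permit tcp host 192.168.1.2 host 203.0.113.25 eq 993
 permit tcp host 192.168.1.3 host 203.0.113.25 eq 25
 permit tcp host 192.168.1.3 host 203.0.113.25 eq 587
 permit tcp host 192.168.1.3 host 203.0.113.25 eq 993
 remark Restricted hosts: everything else is dropped and logged
 deny   ip host 192.168.1.2 any log
 deny   ip host 192.168.1.3 any log
 remark Everyone else on the LAN is unrestricted
 permit ip 192.168.1.0 0.0.0.255 any
 deny   ip any any log
!
! 3) Apply inbound on the inside interface (traffic leaving the LAN
!    toward the router); return traffic arrives on Gi0/1 and is not
!    touched by this ACL.
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip access-group NOACCESS in
!
interface GigabitEthernet0/1
 ip nat outside
```

Because the list stops at the first match, the per-host permits must sit above the per-host denies, and the subnet-wide permit must come after both; reordering them silently changes the policy. Check the result with show ip access-lists NOACCESS (hit counts on the logged deny lines show what the restricted hosts are still trying to reach) and show ip nat translations to confirm their mail sessions are being translated. If the mail clients connect by hostname, UDP 53 to a resolver they can actually reach has to be permitted or the connection never starts; if the company mail is hosted by a provider rather than on one server, replace the single host with the provider's published address block, as the reply suggests.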