ACCESS CONTROL LIST

Answered Question
Mar 31st, 2009

We were having issues with our staff access to the internet that prompted the management to direct the Info Tech Department to deny some specific systems access to the internet.

To deny internet access to systems, we basically deny address translation of the affected systems in the PAT configuration access list.

Now we want to selectively permit every system in the organisation access to our company email so that staff can check their emails (not yahoomail or any of the free public email services).

I would appreciate your inputs on how to permit just the email access while denying access to every other site on the internet, because this may not be possible from the PAT access list configuration.

Thanks as always for your inputs.

Tom

Correct Answer by John Blakley about 7 years 8 months ago

Tom,

Are these email services external? If so, you'll need to allow nat to happen for these hosts, but you can block all of the hosts with an acl from going anywhere else. I don't know what type of service you want to use, but if you plan on allowing hotmail access or any other free provider, you'll need to get their block of addresses to allow only access to those address for the hosts that you want to allow. You would then block everything else.

1.) Allow these hosts to nat

2.) create acl to allow whatever ports (25 for instance)

ip access-list extended NOACCESS
permit tcp host 192.168.1.2 any eq 25
permit tcp host 192.168.1.3 any eq 25
deny ip host 192.168.1.2 any
deny ip host 192.168.1.3 any
permit ip 192.168.1.0 0.0.0.255 any
deny ip any any log

The above acl will allow your 2 hosts (.2 and .3) access to smtp, but they won't be able to get anywhere else.

3.) Then you would apply this acl inbound on your inside interface:

int fa0/1
ip access-group NOACCESS in

I hope I understand what you're asking. =)

HTH,

John

tomocisco Tue, 03/31/2009 - 11:03

Hi Victor,

Thanks for your input. It is well appreciated.

But my problem remains how to isolate some specific services such as e-mail services and deny some hosts access to it.

The address translation described in the article posted will influence hosts' address translation, which in essence permits or denies access to the entire internet block (that is, traffic to my ISP). This is not what I want to achieve.

I will still appreciate your view in the light of this.

Thanks.

Tom

thotsaphon Tue, 03/31/2009 - 11:15

Tom,

Do you really want to deny all traffic but company email? If yes, I will not allow unwanted packets to flow via the routing process and then go to the NAT process.

I can recommend you to use ACL. Please do something like this:

ip access-list extended ONLY-Email
permit tcp host eq smtp
permit tcp host eq pop3
!
int f0/0
description Inside_Internal_Lan
ip access-group ONLY-Email in
!

You may allow what you want as well.

Did I understand your question?

HTH,

Toshi

lamav Tue, 03/31/2009 - 11:26

"But my problem remains how to isolate some specific services such as e-mail services and deny some hosts access to it."

Tom, you can create ACLs that specify the protocol, source IP address, source port number, destination IP address, and destination port number.

Your access list can deny traffic from the 10.0.0.0 network to "any" on eq POP3, for example.

access-list 110 deny tcp 10.0.0.0 0.0.0.255 any eq pop3

tomocisco Thu, 04/02/2009 - 01:45

Hi John,

Thanks for your inputs in helping me.

I tried your suggestion but still no success.

Using the acl statement you suggested, I applied it to some specific systems; the result was that those systems were not able to access the internet or any email service.

Can you please give me a specific suggestion: let's say I want a system to access just Yahoo mail, how do I configure the acl?

To access Yahoo mail for instance, I will need to get to www.yahoo.com, which means the acl statement will have to permit web access (www or port 80).

Do you understand my line of reasoning?

In the acl statements you suggested, we have a permit statement for smtp (port 25); can the host reach smtp without first accessing the site hosting the email (e.g. www.yahoo.com)? I felt that may be why the host could not access Yahoo mail or other mail using the suggested configurations.

Please, your input is well appreciated.

Thanks

Tom

John Blakley Thu, 04/02/2009 - 07:11

Tom,

If you're wanting to allow people access to certain sites and not others, it's going to require a lot of intervention on your part to find the IP addresses that belong to Yahoo. You can use nslookup to find those addresses and then use the same methodology for allowing access and then blocking access to everything else.

Using nslookup, I found:

Non-authoritative answer:
Name: login.lga1.b.yahoo.com
Address: 209.191.92.114
Aliases: mail.yahoo.com, login.yahoo.com, login-global.lgg1.b.yahoo.com

You may be able to set your acl to allow access outbound to the bolded address above and then deny everything else after:

permit tcp internal-addresses internal-mask host 209.191.92.114 eq 80
deny tcp internal-address internal-mask any eq 80
permit tcp any any

HTH,

John
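As an added example (not code from this thread, nor from Cisco), the following Python script applies the two rules every IOS extended ACL follows, top-to-bottom first match and an implicit deny at the end, to sample packets. It parses John's NOACCESS list from his earlier answer and the web-only list from this post; 192.168.1.0/24 is assumed in place of his "internal-addresses internal-mask" placeholder, and the destination 203.0.113.10 is a constructed address standing in for any other internet host. It shows why a host permitted only on TCP 25 cannot load a webmail site, and that the second list, as written, still permits TCP 443 while it drops UDP 53.

```python
"""Evaluator for the subset of IOS extended ACL syntax used in this thread.

Semantics implemented: entries are tried top to bottom, the first match wins,
and an unmatched packet hits the implicit deny that ends every IOS ACL.
Syntax parsed: permit/deny, ip/tcp/udp, 'any', 'host A.B.C.D',
'A.B.C.D wildcard', and an optional 'eq <port>' on source or destination.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Port keywords IOS accepts instead of numbers (subset).
PORT_NAMES = {"smtp": 25, "www": 80, "pop3": 110, "imap": 143, "https": 443, "domain": 53}


@dataclass
class Entry:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "tcp" or "udp"
    src: tuple                  # (address as int, wildcard mask as int)
    src_port: Optional[int]
    dst: tuple
    dst_port: Optional[int]
    text: str                   # original line, reported on match


def _addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' starting at tokens[i]."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    return (int(ipaddress.IPv4Address(tokens[i])),
            int(ipaddress.IPv4Address(tokens[i + 1]))), i + 2


def _port(tokens, i):
    """Parse an optional 'eq <name-or-number>' qualifier at tokens[i]."""
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1].lower()
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), i + 2
    return None, i


def parse_acl(text):
    """Turn ACL lines into Entry objects; header and comment lines are skipped."""
    entries = []
    for raw in text.strip().splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] in ("ip", "!"):   # 'ip access-list ...' or comment
            continue
        action, proto = tokens[0], tokens[1]
        src, i = _addr(tokens, 2)
        sport, i = _port(tokens, i)
        dst, i = _addr(tokens, i)
        dport, i = _port(tokens, i)
        if proto == "ip" and (sport is not None or dport is not None):
            # IOS only offers 'eq' under tcp/udp; an 'ip ... eq' line is rejected.
            raise ValueError(f"port qualifier needs tcp or udp: {raw}")
        entries.append(Entry(action, proto, src, sport, dst, dport, raw))
    return entries


def _in(addr, net_wild):
    """Wildcard match: bits that are 0 in the wildcard must equal the network."""
    net, wild = net_wild
    return ((addr ^ net) & (~wild & 0xFFFFFFFF)) == 0


def evaluate(entries, src_ip, dst_ip, proto, dst_port=None, src_port=None):
    """Return (action, matching line) for one packet, first match wins."""
    s, d = int(ipaddress.IPv4Address(src_ip)), int(ipaddress.IPv4Address(dst_ip))
    for e in entries:
        if e.proto != "ip" and e.proto != proto:
            continue
        if not (_in(s, e.src) and _in(d, e.dst)):
            continue
        if e.src_port is not None and e.src_port != src_port:
            continue
        if e.dst_port is not None and e.dst_port != dst_port:
            continue
        return e.action, e.text
    return "deny", "implicit deny at end of ACL"


def decision(acl_text, src_ip, dst_ip, proto, dst_port=None):
    """Convenience wrapper returning only 'permit' or 'deny'."""
    return evaluate(parse_acl(acl_text), src_ip, dst_ip, proto, dst_port)[0]


# John's NOACCESS list, with the network entry written with a wildcard.
NOACCESS = """
ip access-list extended NOACCESS
permit tcp host 192.168.1.2 any eq 25
permit tcp host 192.168.1.3 any eq 25
deny ip host 192.168.1.2 any
deny ip host 192.168.1.3 any
permit ip 192.168.1.0 0.0.0.255 any
deny ip any any log
"""

# John's web-only list; 192.168.1.0/24 is assumed for his internal-addresses
# placeholder, and 209.191.92.114 is the address his nslookup returned.
MAIL_SITE_ONLY = """
permit tcp 192.168.1.0 0.0.0.255 host 209.191.92.114 eq 80
deny tcp 192.168.1.0 0.0.0.255 any eq 80
permit tcp any any
"""

if __name__ == "__main__":
    # 203.0.113.10 is a constructed "some other internet host" address.
    for acl, name in ((NOACCESS, "NOACCESS"), (MAIL_SITE_ONLY, "MAIL_SITE_ONLY")):
        for pkt in (("192.168.1.2", "203.0.113.10", "tcp", 25),
                    ("192.168.1.2", "203.0.113.10", "tcp", 80),
                    ("192.168.1.2", "209.191.92.114", "tcp", 80),
                    ("192.168.1.2", "203.0.113.10", "tcp", 443),
                    ("192.168.1.2", "203.0.113.10", "udp", 53)):
            print(name, pkt, "->", evaluate(parse_acl(acl), *pkt))
```

Running it reproduces Tom's observation: under NOACCESS, host .2 is permitted only to TCP 25, so the port 80 request that a webmail login needs hits "deny ip host 192.168.1.2 any". The second list fixes that for the one Yahoo address, but two things are worth checking before relying on it: nothing in it permits UDP, so DNS from the inside hosts is dropped by the implicit deny unless name resolution takes another path, and "permit tcp any any" still lets TCP 443 (HTTPS) reach every other site, so a web-only policy should also restrict that port.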
