03-31-2009 06:56 AM - edited 03-04-2019 04:10 AM
We were having issues with our staff access to the internet that prompted the management to direct the Info Tech Department to deny some specific systems access to the internet.
To deny internet access to systems, we basically deny address translation of the affected systems in the PAT configuration access list.
Now we want to selectively permit every system in the organisation access to our company email so that staff can check their emails (not yahoomail or any of the free public email services).
I would appreciate your inputs on how to permit just the email access while denying access to every other site on the internet, because this may not be possible from the PAT access list configuration.
Thanks as always for your inputs.
Tom
03-31-2009 11:32 AM
Tom,
Are these email services external? If so, you'll need to allow NAT to happen for these hosts, but you can block all of the hosts with an ACL from going anywhere else. I don't know what type of service you want to use, but if you plan on allowing Hotmail access or any other free provider, you'll need to get their block of addresses to allow only access to those addresses for the hosts that you want to allow. You would then block everything else.
1.) Allow these hosts to NAT
2.) Create an ACL to allow whatever ports (25, for instance)
ip access-list extended NOACCESS
permit tcp host 192.168.1.2 any eq 25
permit tcp host 192.168.1.3 any eq 25
deny ip host 192.168.1.2 any
deny ip host 192.168.1.3 any
permit ip 192.168.1.0 0.0.0.255 any
deny ip any any log
The above ACL will allow your 2 hosts (.2 and .3) access to SMTP, but they won't be able to get anywhere else.
3.) Then you would apply this ACL inbound on your inside interface:
int fa0/1
ip access-group NOACCESS in
I hope I understand what you're asking. =)
HTH,
John
03-31-2009 07:08 AM
Hi:
Configure a route map that calls an extended access list that permits the flows you want and denies the others.
That route map will be appended to the NAT statement.
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080093fca.shtml#routemap
HTH
Victor
03-31-2009 11:03 AM
Hi Victor,
Thanks for your input. It is well appreciated.
But my problem remains how to isolate some specific services such as e-mail services and deny some hosts access to it.
The address translation described in the posted article will influence the hosts' address translation, which in essence permits or denies access to the entire internet block (that is, traffic to my ISP). This is not what I want to achieve.
I will still appreciate your view in the light of this.
Thanks.
Tom
03-31-2009 11:15 AM
Tom,
Do you really want to deny all traffic but company email? If yes, I will not allow unwanted packets to flow via the routing process and then go to the NAT process.
I can recommend you use an ACL. Please do something like this:
ip access-list extended ONLY-Email
permit tcp
permit tcp
!
int f0/0
description Inside_Internal_Lan
ip access-group ONLY-Email in
!
You may allow what you want as well.
Did I understand your question?
HTH,
Toshi
03-31-2009 11:26 AM
"But my problem remains how to isolate some specific services such as e-mail services and deny some hosts access to it."
Tom, you can create ACLs that specify the protocol, source IP address, source port number, destination IP address, and destination port number.
Your access list can deny traffic from the 10.0.0.0 network to "any" on eq POP3, for example:
access-list 110 deny tcp 10.0.0.0 0.0.0.255 any eq pop3
04-01-2009 10:08 AM
Hi,
Thanks John.
I will try this and get back to you.
Tom
04-02-2009 01:45 AM
Hi John,
Thanks for your inputs in helping me.
I tried your suggestion but still no success.
Using the ACL statements you suggested, I applied them to some specific systems; the result was that those systems were not able to access the internet or any email service.
Can you please give me a specific suggestion? Let's say I want a system to access just Yahoo mail; how do I configure the ACL?
To access Yahoo mail, for instance, I will need to get to www.yahoo.com, which means the ACL statement will have to permit web access (www or port 80).
Do you understand my line of reasoning?
In the ACL statements you suggested, we have a permit statement for SMTP (port 25); can the host reach SMTP without first accessing the site hosting the email (e.g. www.yahoo.com)? I felt that may be why the host could not access Yahoo mail or other mail using the suggested configurations.
Please, your input is well appreciated.
Thanks
Tom
04-02-2009 07:11 AM
Tom,
If you're wanting to allow people access to certain sites and not others, it's going to require a lot of intervention on your part to find the IP addresses that belong to Yahoo. You can use nslookup to find those addresses and then use the same methodology for allowing access and then blocking access to everything else.
Using nslookup, I found:
Non-authoritative answer:
Name: login.lga1.b.yahoo.com
Address: 209.191.92.114
Aliases: mail.yahoo.com, login.yahoo.com, login-global.lgg1.b.yahoo.com
You may be able to set your ACL to allow access outbound to the address shown above (209.191.92.114) and then deny everything else after:
permit tcp internal-addresses internal-mask host 209.191.92.114 eq 80
deny tcp internal-addresses internal-mask any eq 80
permit tcp any any
HTH,
John
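The two ACLs in this thread (John's NOACCESS list in the accepted answer and the webmail list just above) behave differently from what Tom expected, and the reason is easiest to see by tracing packets through them. The following is an added example, not code from the thread or from Cisco: a small Python evaluator that applies IOS extended-ACL semantics (top-down first match, wildcard masks where 1 bits are "don't care", implicit deny at the end) to constructed sample packets. It assumes the inside LAN is 192.168.1.0/24 in place of John's "internal-addresses internal-mask" placeholder, uses 203.0.113.x as a made-up external web/DNS server, and supports only the `eq` port qualifier and a few port names.

```python
"""Added example (not from the thread): trace constructed packets through
Cisco IOS-style extended ACLs with first-match semantics.
Assumptions: inside LAN 192.168.1.0/24, implicit 'deny ip any any' at the
end of every list, 'eq' takes a numeric port or one of a few IOS names."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PORT_NAMES = {"smtp": 25, "www": 80, "pop3": 110, "domain": 53}


@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol
    src: int
    src_wild: int               # IOS wildcard: 1 bits are "don't care"
    dst: int
    dst_wild: int
    dport: Optional[int]        # None = any destination port


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _parse_addr(t: List[str], i: int) -> Tuple[int, int, int]:
    """Consume one address spec ('any', 'host A' or 'A WILDCARD') starting
    at t[i]; return (address, wildcard, index of the next token)."""
    if t[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if t[i] == "host":
        return _ip(t[i + 1]), 0, i + 2
    return _ip(t[i]), _ip(t[i + 1]), i + 2


def parse_ace(line: str) -> Ace:
    """Parse one 'permit|deny PROTO SRC DST [eq PORT] [log]' entry."""
    t = line.split()
    action, proto = t[0], t[1]
    src, src_wild, i = _parse_addr(t, 2)
    dst, dst_wild, i = _parse_addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        dport = int(t[i + 1]) if t[i + 1].isdigit() else PORT_NAMES[t[i + 1]]
    return Ace(action, proto, src, src_wild, dst, dst_wild, dport)


def _matches(ace: Ace, p: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != p.proto:
        return False
    # Compare only the address bits the wildcard does not mask out
    if (_ip(p.src) & ~ace.src_wild) != (ace.src & ~ace.src_wild):
        return False
    if (_ip(p.dst) & ~ace.dst_wild) != (ace.dst & ~ace.dst_wild):
        return False
    return ace.dport is None or ace.dport == p.dport


def evaluate(acl: List[str], p: Packet) -> str:
    """Return the action of the first matching entry, or the implicit deny."""
    for line in acl:
        ace = parse_ace(line)
        if _matches(ace, p):
            return ace.action
    return "deny"


# John's NOACCESS list from the accepted answer (network entry in plain wildcard form)
NOACCESS = [
    "permit tcp host 192.168.1.2 any eq 25",
    "permit tcp host 192.168.1.3 any eq 25",
    "deny ip host 192.168.1.2 any",
    "deny ip host 192.168.1.3 any",
    "permit ip 192.168.1.0 0.0.0.255 any",
    "deny ip any any log",
]

# John's webmail list, with the assumed inside LAN filled in for the placeholder
WEBMAIL = [
    "permit tcp 192.168.1.0 0.0.0.255 host 209.191.92.114 eq 80",
    "deny tcp 192.168.1.0 0.0.0.255 any eq 80",
    "permit tcp any any",
]


def trace(acl: List[str]) -> Dict[str, str]:
    """Evaluate a fixed set of constructed packets; return {label: verdict}."""
    samples = {
        "restricted host -> smtp": Packet("tcp", "192.168.1.2", "203.0.113.10", 25),
        "restricted host -> web": Packet("tcp", "192.168.1.2", "203.0.113.10", 80),
        "restricted host -> webmail login": Packet("tcp", "192.168.1.2", "209.191.92.114", 80),
        "restricted host -> https": Packet("tcp", "192.168.1.2", "203.0.113.10", 443),
        "restricted host -> dns": Packet("udp", "192.168.1.2", "203.0.113.53", 53),
        "other host -> web": Packet("tcp", "192.168.1.50", "203.0.113.10", 80),
    }
    return {label: evaluate(acl, p) for label, p in samples.items()}


if __name__ == "__main__":
    for name, acl in (("NOACCESS", NOACCESS), ("WEBMAIL", WEBMAIL)):
        print(name)
        for label, verdict in trace(acl).items():
            print(f"  {verdict:6} {label}")
```

Running the trace shows why Tom's restricted hosts "were not able to access the internet or any email service": under NOACCESS, host .2 may open port 25 only, so the HTTP, HTTPS and even the outbound DNS lookup that a webmail login needs all hit the `deny ip host 192.168.1.2 any` entry. The WEBMAIL list has the opposite gap: only port 80 is restricted to the one Yahoo address, while `permit tcp any any` lets the same host reach port 443 (and SMTP, or any other TCP port) anywhere, and non-TCP traffic such as UDP DNS falls through to the implicit deny. When reviewing an ACL like this, enumerate the ports the service really uses (80 and 443 at least, plus DNS) and check each against the list in order, as the evaluator does.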