ACCESS CONTROL LIST

tomocisco
Level 1

We were having issues with our staff access to the internet that prompted the management to direct the Info Tech Department to deny some specific systems access to the internet.

To deny internet access to systems, we basically deny address translation of the affected systems in the PAT configuration access list.

Now we want to selectively permit every system in the organisation access to our company email so that staff can check their emails (not yahoomail or any of the free public email services).

I would appreciate your inputs on how to permit just the email access while denying access to every other site on the internet, because this may not be possible from the PAT access-list configuration.

Thanks as always for your inputs.

Tom

1 Accepted Solution

Accepted Solutions

Tom,

Are these email services external? If so, you'll need to allow NAT to happen for these hosts, but you can block all of the hosts with an ACL from going anywhere else. I don't know what type of service you want to use, but if you plan on allowing Hotmail access or any other free provider, you'll need to get their block of addresses to allow only access to those addresses for the hosts that you want to allow. You would then block everything else.

1.) Allow these hosts to nat

2.) create acl to allow whatever ports (25 for instance)

ip access-list ext NOACCESS
 permit tcp host 192.168.1.2 any eq 25
 permit tcp host 192.168.1.3 any eq 25
 deny ip host 192.168.1.2 any
 deny ip host 192.168.1.3 any
 permit ip 192.168.1.0 0.0.0.255 any
 deny ip any any log

The above acl will allow your 2 hosts (.2 and .3) access to smtp, but they won't be able to get anywhere else.

3.) Then you would apply this ACL inbound on your inside interface:

int fa0/1
 ip access-group NOACCESS in

I hope I understand what you're asking. =)

HTH,

John

HTH, John *** Please rate all useful posts ***


9 Replies

lamav
Level 8

Hi:

Configure a route map that calls an extended access list that permits the flows you want and denies the others.

That route map will be appended to the NAT statement.

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080093fca.shtml#routemap

HTH

Victor

Hi Victor,

Thanks for your input. It is well appreciated.

But my problem remains how to isolate some specific services such as e-mail services and deny some hosts access to it.

The address translation described in the posted article will influence the hosts' address translation, which in essence permits or denies access to the entire internet (that is, traffic to my ISP). This is not what I want to achieve.

I will still appreciate your view in the light of this.

Thanks.

Tom


Tom,

Do you really want to deny all traffic but company email? If yes, I will not allow unwanted packets to flow via the routing process and then go to the NAT process.

I can recommend you to use ACL. Please do something like this:

ip access-list extend ONLY-Email
 permit tcp host eq smtp
 permit tcp host eq pop3
!
int f0/0
 description Inside_Internal_Lan
 ip access-group ONLY-Email in
!

You may allow what you want as well.

Did I understand your question?

HTH,

Toshi

"But my problem remains how to isolate some specific services such as e-mail services and deny some hosts access to it."

Tom, you can create ACLs that specify the protocol, source IP address, source port number, destination IP address, and destination port number.

Your access list can deny traffic from the 10.0.0.0 network to "any" on eq POP3, for example.

access-list 110 deny tcp 10.0.0.0 0.0.0.255 any eq pop3


Hi,

Thanks John.

I will try this and get back to you.

Tom

Hi John,

Thanks for your inputs in helping me.

I tried your suggestion but still no success.

Using the ACL statement you suggested, I applied it to some specific systems; the result was that those systems were not able to access the internet or any email service.

Can you please give me a specific suggestion? Let's say I want a system to access just Yahoo mail; how do I configure the ACL?

To access Yahoo mail, for instance, I will need to get to www.yahoo.com, which means the ACL statement will have to permit web access (www or port 80).

Do you understand my line of reasoning?

In the ACL statements you suggested, we have a permit statement for SMTP (port 25); can the host reach SMTP without first accessing the site hosting the email (e.g. www.yahoo.com)? I felt that may be why the host could not access Yahoo mail or other mail using the suggested configurations.

Please, your input is well appreciated.

Thanks

Tom

Tom,

If you're wanting to allow people to reach certain sites and not others, it's going to require a lot of intervention on your part to find the IP addresses that belong to Yahoo. You can use nslookup to find those addresses and then use the same methodology for allowing access and then blocking access to everything else.

Using nslookup, I found:

Non-authoritative answer:
Name: login.lga1.b.yahoo.com
Address: 209.191.92.114
Aliases: mail.yahoo.com, login.yahoo.com, login-global.lgg1.b.yahoo.com

You may be able to set your acl to allow access outbound to the bolded address above and then deny everything else after:

permit tcp internal-addresses internal-mask host 209.191.92.114 eq 80
deny tcp internal-address internal-mask any eq 80
permit tcp any any

HTH,

John

HTH, John *** Please rate all useful posts ***
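To make the first-match behaviour of the two ACLs in this thread concrete, here is an added Python simulator; it is not code from the original thread, from any of the posters, or from Cisco. It parses IOS-style extended ACL lines (any / host / wildcard-mask addresses, eq ports, trailing keywords such as log) and evaluates a flow against them in order, ending with the implicit deny. The NOACCESS list is John's first answer (with the wildcard line corrected); the WEBMAIL_ONLY list is his last answer with the constructed inside network 192.168.1.0/24 filled in for the placeholders and the 209.191.92.114 address from his nslookup output. The port-name table and all flows are constructed samples. The simulator models only ACL matching, not NAT or routing order of operations.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample ACLs, modelled on the lines posted in this thread.
NOACCESS = """
permit tcp host 192.168.1.2 any eq 25
permit tcp host 192.168.1.3 any eq 25
deny ip host 192.168.1.2 any
deny ip host 192.168.1.3 any
permit ip 192.168.1.0 0.0.0.255 any
deny ip any any log
"""

# Assumed inside network 192.168.1.0/24 in place of "internal-addresses internal-mask".
WEBMAIL_ONLY = """
permit tcp 192.168.1.0 0.0.0.255 host 209.191.92.114 eq 80
deny tcp 192.168.1.0 0.0.0.255 any eq 80
permit tcp any any
"""

# Constructed subset of the IOS port-name keywords.
PORT_NAMES = {"smtp": 25, "pop3": 110, "www": 80, "imap": 143, "https": 443}

@dataclass
class Ace:
    action: str
    proto: str
    src: Tuple[int, int]          # (address, wildcard) as 32-bit integers
    src_port: Optional[int]
    dst: Tuple[int, int]
    dst_port: Optional[int]
    raw: str                      # original line, returned when the ACE matches

def _parse_addr(tokens, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' starting at tokens[i]."""
    t = tokens[i]
    if t == "any":
        return (0, 0xFFFFFFFF), i + 1
    if t == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    return (int(ipaddress.IPv4Address(t)),
            int(ipaddress.IPv4Address(tokens[i + 1]))), i + 2

def _parse_port(tokens, i):
    """Parse an optional 'eq PORT' (name or number) starting at tokens[i]."""
    if i < len(tokens) and tokens[i] == "eq":
        p = tokens[i + 1].lower()
        return (PORT_NAMES.get(p) or int(p)), i + 2
    return None, i

def parse_acl(text):
    """Turn ACL text into an ordered list of Ace entries; unknown lines are skipped."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue
        action, proto = tokens[0], tokens[1]
        src, i = _parse_addr(tokens, 2)
        sport, i = _parse_port(tokens, i)
        dst, i = _parse_addr(tokens, i)
        dport, i = _parse_port(tokens, i)     # trailing 'log' etc. is ignored
        aces.append(Ace(action, proto, src, sport, dst, dport, line.strip()))
    return aces

def _addr_match(addr, entry):
    """Wildcard-mask match: a set wildcard bit means 'don't care'."""
    net, wildcard = entry
    return (addr & ~wildcard & 0xFFFFFFFF) == (net & ~wildcard & 0xFFFFFFFF)

def evaluate(aces, proto, src, dst, dport, sport=None):
    """Return (action, matching line) for the first ACE that matches the flow.
    No match falls through to the implicit deny at the end of every IOS ACL."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for ace in aces:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not _addr_match(s, ace.src) or not _addr_match(d, ace.dst):
            continue
        if ace.src_port is not None and ace.src_port != sport:
            continue
        if ace.dst_port is not None and ace.dst_port != dport:
            continue
        return ace.action, ace.raw
    return "deny", "<implicit deny>"

if __name__ == "__main__":
    # Why Tom's restricted hosts lost webmail: SMTP is permitted, port 80 is not.
    acl = parse_acl(NOACCESS)
    for port in (25, 80):
        print("192.168.1.2 -> 203.0.113.25:%d  %s" % (port, evaluate(acl, "tcp", "192.168.1.2", "203.0.113.25", port)))
    # The webmail-only list blocks other port-80 sites but leaves every other TCP port open.
    web = parse_acl(WEBMAIL_ONLY)
    for dst, port in (("209.191.92.114", 80), ("203.0.113.25", 80), ("203.0.113.25", 443)):
        print("192.168.1.2 -> %s:%d  %s" % (dst, port, evaluate(web, "tcp", "192.168.1.2", dst, port)))
```

Running it shows the two results the thread circles around: under NOACCESS the restricted hosts match the SMTP permit and then the host-specific deny for everything else, so a webmail login over port 80 never gets out; under the three-line webmail list only port 80 to other destinations is denied, so anything on port 443 still matches the closing `permit tcp any any`. That second point is worth checking before deploying such a list, since mail sites served over HTTPS would not be covered by it.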