Cisco IOS firewall configuration

Unanswered Question
Jul 12th, 2009


Follwoing is the summary configuration on ISR Cisco for IOS firewall

int fast 0/0

description OUTSIDE

ip address A.B.C.D /30

ip inspect E_Mail_From_Outside in

ip access-group E_Mail_Server in

int fast 0/1

ip address / 24

ip inspect USERS_HTTP_ONLY in

ip access-group HTTP_ONLY in

ip inspect name E_Mail_From_Outside tcp

ip inspect name USERS_HTTP_ONLY tcp

ip access-list extended E_Mail_Server

permit tcp any host P.Q.R.S eq 25

( allowes outside e-mail servers to send e-mails on P.Q.R.S on port 25 SMTP - P.Q.R.S is Static public address reachable on outside interface )

ip access-list extended HTTP_ONLY

permit tcp / 24 any eq 80

(allows users /24 to browse internet only on Port 80 ).

How in this case internal e-mail server internal e-mail server traffic will be handled. As we are not allowing any port except port 80 from inside to outside. Does it automatically / dynamically adds lines to access-list? ( similarly to how lines are added on the access list on the outside interface to allow responce packets which were initiated from inside zone).

Please share the experience.

Thanks in advance


I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Istvan_Rabai Sun, 07/12/2009 - 09:31

Hi Subodh,

Currently, internal e-mail server traffic is blocked inbound on FastEthernet0/1 by extended ACL HTTP_ONLY.

You should allow the internal e-mail server traffic in FastEthernet0/1 inbound.

You can append an additional line to extended ACL HTTP_ONLY.

The firewall will then dynamically add a line for the return traffic to extended ACL E_Mail_Server on FastEthernet0/0 inbound.


The newest firewall versions do ACL-bypass instead of adding a line to the ACLs.


- "ip inspect E_Mail_From_Outside in" is not necessary on FastEthernet0/0 inbound.

- "ip access-group E_Mail_Server in" is necessary only if you want to allow email traffic initiated from outside. If not, then an ACL with "deny ip any any log" is enough on FastEthernet0/0 inbound.




This Discussion