Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
673
Views
5
Helpful
1
Replies

Cisco IOS firewall configuration

bapatsubodh
Level 1
Level 1

‎07-12-2009 07:47 AM - edited ‎03-04-2019 05:24 AM

Hi

Follwoing is the summary configuration on ISR Cisco for IOS firewall

int fast 0/0

description OUTSIDE

ip address A.B.C.D /30

ip inspect E_Mail_From_Outside in

ip access-group E_Mail_Server in

int fast 0/1

ip address 10.1.1.1 / 24

ip inspect USERS_HTTP_ONLY in

ip access-group HTTP_ONLY in

ip inspect name E_Mail_From_Outside tcp

ip inspect name USERS_HTTP_ONLY tcp

ip access-list extended E_Mail_Server

permit tcp any host P.Q.R.S eq 25

( allowes outside e-mail servers to send e-mails on P.Q.R.S on port 25 SMTP - P.Q.R.S is Static public address reachable on outside interface )

ip access-list extended HTTP_ONLY

permit tcp 10.1.1.0 / 24 any eq 80

(allows users 10.1.1.0 /24 to browse internet only on Port 80 ).

How in this case internal e-mail server internal e-mail server traffic will be handled. As we are not allowing any port except port 80 from inside to outside. Does it automatically / dynamically adds lines to access-list? ( similarly to how lines are added on the access list on the outside interface to allow responce packets which were initiated from inside zone).

Please share the experience.

Thanks in advance

Subodh

Labels:
0 Helpful
1 Reply 1

Istvan_Rabai
Level 7
Level 7

‎07-12-2009 09:31 AM

Hi Subodh,

Currently, internal e-mail server traffic is blocked inbound on FastEthernet0/1 by extended ACL HTTP_ONLY.

You should allow the internal e-mail server traffic in FastEthernet0/1 inbound.

You can append an additional line to extended ACL HTTP_ONLY.

The firewall will then dynamically add a line for the return traffic to extended ACL E_Mail_Server on FastEthernet0/0 inbound.

Note:

The newest firewall versions do ACL-bypass instead of adding a line to the ACLs.

Also:

- "ip inspect E_Mail_From_Outside in" is not necessary on FastEthernet0/0 inbound.

- "ip access-group E_Mail_Server in" is necessary only if you want to allow email traffic initiated from outside. If not, then an ACL with "deny ip any any log" is enough on FastEthernet0/0 inbound.

Cheers:

Istvan

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card