10-06-2009 04:33 AM - edited 03-04-2019 06:16 AM
Our goal is to restrict RDP and all types of remote connection from the internet to our mail server and allow only the required ports.
access-list 114 permit tcp any host 83.xxx.xx.xx eq domain
access-list 114 permit tcp any host 83.xxx.xx.xx eq smtp
access-list 114 permit tcp any host 83.xxx.xx.xx eq pop3
access-list 114 permit tcp any host 83.xxx.xx.xx eq 995
access-list 114 deny ip any any
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
interface Serial0/0/0
ip address 193.55.xx.xxx 255.255.255.252
ip access-group 114 in/out ????????????
On which interface should we apply this ACL, and how should it be implemented, in or out?
Any help will be most appreciated.
thank you
10-06-2009 04:46 AM
Are you the end user?
This kind of configuration, and more security advice would be better done by a reputable consultant or certified partner.
10-06-2009 04:49 AM
Hello Ala,
I hope you are fine.
If host 83.xx.xx.xx is outside your network on the internet, you can apply this ACL:
inbound on the internal interface
int fas0/1
ip access-group 114 in
OR
outbound on the external interface
int se0/0/0
ip access-group 114 out
notice that if the ACL was written differently it couldn't be applied anywhere.
Edit:
I had missed the first line of your post:
>> our goal is to restrict RDP and all type of remote connection from internet to our mail server and allow only required ports
If so, 83.xx.xx.xx is your server and the ACL can only be applied inbound on the serial interface:
int ser0/0/0
ip access-group 114 in
Hope to help
Giuseppe
10-06-2009 08:35 PM
Hello Giuseppe,
Thank you for always being on the spot.
I also missed a very important part of my configs:
int fastethernet0/1 (configured as DMZ with public IP addresses)
ip address 83.xxx.xxx.xx 255.255.255.28
So do you think I need to apply the ACL on the serial inbound or on the FastEthernet outbound???
>>>>> notice that if the ACL was written differently it couldn't be applied anywhere. < ?? Do you mean if it's extended? Can you clarify your point, it seems to be a very important notice.
thank you
Alaa
10-07-2009 10:16 AM
Hello Alaa,
I think you should apply this inbound on your serial interface, but I agree it could be applied outbound on the DMZ interface as well.
>> notice that if the ACL was written differently it couldn't be applied anywhere. <
Ignore this, sometimes I make useless comments.
Hope to help
Giuseppe
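To see what access-list 114 actually does once it sits inbound on the serial interface, here is an added example (not from the thread or from Cisco) with a minimal first-match evaluator for IOS-style extended ACLs. The addresses and packets are constructed placeholders; it shows that RDP to the server is dropped, that the ACL only permits DNS over TCP (UDP queries fall to the deny line), and that the final deny ip any any also drops replies to sessions that hosts behind the router opened themselves, since a plain ACL is stateless.

```python
from dataclasses import dataclass

MAIL_SERVER = "83.0.0.10"   # constructed stand-in for 83.xxx.xx.xx in the post
LAN_HOST = "192.168.1.50"   # constructed host behind FastEthernet0/1


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0  # destination port, 0 when not applicable


# Well-known names as IOS resolves them in the posted ACL.
NAMED = {"domain": 53, "smtp": 25, "pop3": 110}

# access-list 114 from the post: (action, protocol, destination, dst port).
# "any" / None mean the field is not checked, as on the router.
ACL_114 = [
    ("permit", "tcp", MAIL_SERVER, NAMED["domain"]),
    ("permit", "tcp", MAIL_SERVER, NAMED["smtp"]),
    ("permit", "tcp", MAIL_SERVER, NAMED["pop3"]),
    ("permit", "tcp", MAIL_SERVER, 995),
    ("deny", "ip", "any", None),
]


def evaluate(acl, pkt):
    """First matching line decides; an ACL that matches nothing ends in the
    implicit deny that IOS appends to every access list."""
    for action, proto, dst, dport in acl:
        if proto != "ip" and proto != pkt.proto:
            continue
        if dst != "any" and dst != pkt.dst:
            continue
        if dport is not None and dport != pkt.dport:
            continue
        return action
    return "deny"


def inbound_on_serial(acl, packets):
    """Applied 'in' on Serial0/0/0 the ACL sees every packet arriving from the
    internet, whatever its destination, so LAN return traffic is judged too."""
    return {pkt: evaluate(acl, pkt) for pkt in packets}
```

Run inbound_on_serial(ACL_114, [...]) with a packet to port 3389, one to port 25 and one addressed to LAN_HOST to compare the verdicts.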
10-06-2009 06:05 AM
Hi, if this is your network topology,
rt e0 ------ f0/2 SW f0/1 ---- exchange_serv
you can apply the access-list on f0/2.
This is part of my configuration:
!
hostname rt
interface Ethernet0/0
ip address 1.1.123.1 255.255.255.0
half-duplex
hostname sw
interface FastEthernet0/1
switchport mode access
!
interface FastEthernet0/2
switchport mode access
ip access-group 114 in
access-list 114 permit tcp any host 1.1.123.5 eq domain
access-list 114 permit tcp any host 1.1.123.5 eq 993
access-list 114 permit tcp any host 1.1.123.5 eq smtp
access-list 114 permit tcp any host 1.1.123.5 eq pop3
access-list 114 deny ip any host 1.1.123.5
10-06-2009 06:48 AM
As p.bevilacqua and giuslar said, if the network topology is different the configuration will be different; you can also apply the ACL on the PIX or ASA.
Hope this helps.
Yang