ACL Problem

Answered Question
Jul 31st, 2010

Hi,


I'm a bit confused about using access-list parameters for more secure inside access. I would like to set up the router so that only one server (WAN IP, 87.*.*) has access to the inside Exchange server, instead of opening port 25 for everyone. I thought an ACL would be the solution, but it doesn't work. Any help?


Here is my config:


no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service sequence-numbers
!
hostname r1
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
enable secret 5 ****
!
no aaa new-model
memory-size iomem 10
clock timezone GMT 1
clock summer-time GMT date Mar 30 2010 1:00 Oct 26 2035 1:59
!
!
no ip source-route
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.199
!
ip dhcp pool Name
   network 192.168.1.0 255.255.255.0
   domain-name name.local
   default-router 192.168.1.1
   dns-server 213.*.*.* 214.*.*.*
   lease 0 8
!
!
ip cef
no ip bootp server
no ip domain lookup
ip domain name name.local
!
!
license udi pid CISCO867-K9 sn ******
!
!
username admin privilege 15 secret 5 ******
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
!
!
!
!
interface ATM0
no ip address
no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
pvc 0/8
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
!
interface ATM0.2 point-to-point
pvc 0/9
  encapsulation aal5mux ppp dialer
  dialer pool-member 2
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface Dialer1
ip address negotiated
ip access-group 105 in                      (ACL 105 applied to dialer1)
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp pap sent-username dsl***** password 7 *******
no cdp enable
!
interface Dialer2
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 2
dialer-group 2
ppp authentication pap callin
ppp pap sent-username voip***** password 7 *******
no cdp enable
!
ip forward-protocol nd
no ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 101 interface Dialer1 overload
ip nat inside source static tcp 192.168.1.110 25 interface Dialer1 25
ip route 0.0.0.0 0.0.0.0 Dialer1
!
logging trap debugging
access-list 23 remark TTY security
access-list 23 permit 192.168.1.0 0.0.0.255
access-list 23 remark Routit
access-list 23 permit 213.*.0.0 0.0.255.255
access-list 23 permit 172.31.255.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 105 permit tcp 87.*.*.0 0.0.0.255 host 192.168.1.110 eq smtp               (added ACL 105 to only permit WAN IP 87.*.* to port 25)
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
no cdp run

!
control-plane
!
banner login ^CCCAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
no modem enable
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end


What's wrong here? It works when I delete the added ACL rule 105, but this allows any WAN IP to access port 25. Thanks!

Correct Answer by Nagaraja Thanthry (Cisco Employee), Sat, 07/31/2010 - 09:32

Hello,


The access-list you have configured does not seem correct. Please try the following:


no access-list 105 permit tcp 87.*.*.0 0.0.0.255 host 192.168.1.110 eq smtp

access-list 105 permit tcp 87.*.*.0 0.0.0.255 any eq smtp

access-list 105 deny tcp any any eq smtp

access-list 105 permit ip any any


In the above configuration, the first permit statement ensures that the 87.x.x.x subnet has access to the SMTP server using its public IP address. Since the dialer interface will have a different IP (DHCP client), we need to use the keyword "any". The next line denies access to the SMTP server for everybody else. The last line is necessary as the router is not a stateful firewall, so it needs a specific rule to allow all returning traffic.


Hope this helps.


Regards,


NT


Tim Roelands Mon, 08/30/2010 - 14:11

Hi Nagaraja Thanthry,


Got a question left, as a response to this:


"Since the dialer interface will have different IP (DHCP client), we need to use keyword "any". "


Well, the line has got a static IP, but it gets it by DHCP. The WAN IP will never change. Could you please help me with what the ACL should look like when the dialer has got a static IP, let's say 82.122.33.36?



Thanks a lot!

Nagaraja Thanthry (Cisco Employee) Mon, 08/30/2010 - 14:51

Hello,


If you have a specific IP for the dialer, then you can try the following:


access-list 105 permit tcp 87.*.*.0 0.0.0.255 host 82.122.33.36 eq smtp

access-list 105 deny tcp any any eq smtp

access-list 105 permit ip any any


This way, 87.x.x.x will be able to talk to the inside mail server and all other SMTP requests are blocked on the dialer interface.


Hope this helps.


Regards,


NT

mohamedtag Sat, 11/27/2010 - 06:09

Dear Nagaraja,


I just passed by your post that solved the problem for the mentioned question. I am just a little bit confused about the 2nd & 3rd line:

access-list 105 deny tcp any any eq smtp

access-list 105 permit ip any any


Isn't the 3rd one (permit ip any any) overriding the (deny tcp any any), and won't it allow everyone to reach the mail server?

cadet alain (Purple, 4500 points or more) Sat, 11/27/2010 - 14:25

Hi,


The 3rd one is overriding the implicit deny of the ACL, so UDP will be permitted as well as ICMP, but not TCP due to the second line, except to port 25 from a particular outside host due to line 1.


Regards.
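An added example, not code from the thread: a small Python first-match simulator for inbound ACL 105, with the original single line beside the corrected three lines from the answers above, evaluated against packets as Dialer1 sees them, before NAT. The 87.1.2.0/24 range, 203.0.113.9 and the port numbers are constructed sample values; 82.122.33.36 is the dialer address from the thread.

```python
# Added example (not from the thread): first-match simulator for inbound ACL 105.
# Packets are matched as Dialer1 sees them, BEFORE inbound NAT, so the destination
# is the router's public address, never 192.168.1.110.
import ipaddress
from typing import List, NamedTuple, Optional

class Ace(NamedTuple):           # one access-control entry; nets are CIDR or "any"
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None  # "eq <port>" on tcp/udp lines

def _in_net(net: str, addr: str) -> bool:
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)

def evaluate(acl: List[Ace], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> str:
    """IOS semantics: the first matching entry wins; no match is an implicit deny."""
    for ace in acl:
        if ace.proto not in ("ip", proto):
            continue                       # "ip" lines match every protocol
        if not (_in_net(ace.src, src) and _in_net(ace.dst, dst)):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"                          # the implicit deny ending every IOS ACL

# Constructed sample values: 87.1.2.0/24 stands in for the partner's 87.*.* range and
# 203.0.113.9 for any other Internet host; 82.122.33.36 is the dialer IP from the thread.
PUBLIC = "82.122.33.36"
ORIGINAL = [Ace("permit", "tcp", "87.1.2.0/24", "192.168.1.110/32", 25)]  # the OP's line
FIXED = [
    Ace("permit", "tcp", "87.1.2.0/24", PUBLIC + "/32", 25),  # partner -> SMTP
    Ace("deny", "tcp", "any", "any", 25),                     # everyone else -> SMTP
    Ace("permit", "ip", "any", "any"),                        # overrides the implicit deny
]

def scenarios(acl: List[Ace]) -> dict:
    """Two unsolicited SMTP connections, then the return traffic a stateless ACL must pass."""
    return {
        "partner_smtp": evaluate(acl, "tcp", "87.1.2.3", PUBLIC, 25),
        "other_smtp": evaluate(acl, "tcp", "203.0.113.9", PUBLIC, 25),
        "dns_reply": evaluate(acl, "udp", "213.0.0.1", PUBLIC, 40000),
        "web_reply": evaluate(acl, "tcp", "203.0.113.9", PUBLIC, 51234),
        "ping_reply": evaluate(acl, "icmp", "203.0.113.9", PUBLIC),
    }
```

Running `scenarios(ORIGINAL)` shows every packet denied, including the partner's SMTP (its destination is the public address, not 192.168.1.110) and all return traffic, which is why the OP's single line broke everything; `scenarios(FIXED)` permits only the partner's SMTP plus the return traffic.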

mohamedtag Sat, 11/27/2010 - 20:28

I got it. Many thanks, Cadet Alain, for the explanation.
