01-30-2003 02:32 AM - edited 02-20-2020 10:31 PM
Configuration:-
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
hostname pixfirewall
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 102 permit tcp any host x.x.x.x(mail server ip) eq domain
access-list 102 permit udp any host x.x.x.x(mailserver ip) eq domain
access-list 102 permit tcp any host x.x.x.x(mail server ip) eq lotusnotes
access-list 102 permit tcp any host x.x.x.x(mail server ip) eq smtp
access-list 150 permit ip 10.0.0.0 255.0.0.0 host (email server in dmz)
access-list 150 permit ip 172.40.0.0 255.255.0.0 host x.x.x.x(email server in dmz)
pager lines 24
interface ethernet0 10baset
interface ethernet1 10baset
interface ethernet2 auto
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside x.x.x.x 255.255.255.240
ip address inside 10.1.1.1 255.0.0.0
ip address dmz x.x.x.x 255.255.255.240
ip audit info action alarm
ip audit attack action alarm
no pdm history enable
arp timeout 14400
global (outside) 1 x.x.x.x(using-pat) netmask 255.255.255.255
nat (inside) 0 access-list 150
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 0 0.0.0.0 0.0.0.0 0 0
static (dmz,outside) (same ip used for mapping ) netmask 255.255.255.255 0 0
access-group 102 in interface outside
(in the dmz x.x.x.x is the email server, which users access from both the inside and outside networks)
Problem Description:- I want to block 6 IPs, which are 10.5.2.2 and 10.5.2.4 to 10.5.2.8, from going over the internet (I want them to access email in the dmz). Please tell me how I can block them, and which commands to add to the current config. I had tried to add deny statements at the end of the access-list, but these IPs are still able to go over the internet, and if I apply access-group 150 inside, everything stops going over the internet.
01-30-2003 04:53 AM
I understand your requirement to be: allow those 6 hosts to access only an email server on your DMZ, deny them access anywhere else, and allow everyone else access everywhere.
Try:
access-group 101 in interface inside
access-list 101 permit tcp host 10.5.2.2 x.x.x.x 255.255.255.240 eq smtp (where x.x.x.x is your dmz network or email server)
access-list 101 permit tcp host 10.5.2.4 x.x.x.x 255.255.255.240 eq smtp
access-list 101 permit tcp host 10.5.2.5 x.x.x.x 255.255.255.240 eq smtp
access-list 101 permit tcp host 10.5.2.6 x.x.x.x 255.255.255.240 eq smtp
access-list 101 permit tcp host 10.5.2.7 x.x.x.x 255.255.255.240 eq smtp
access-list 101 permit tcp host 10.5.2.8 x.x.x.x 255.255.255.240 eq smtp
access-list 101 deny ip host 10.5.2.2 any
access-list 101 deny ip host 10.5.2.4 any
access-list 101 deny ip host 10.5.2.5 any
access-list 101 deny ip host 10.5.2.6 any
access-list 101 deny ip host 10.5.2.7 any
access-list 101 deny ip host 10.5.2.8 any
access-list 101 permit ip any any
Hope it helps.
Steve
01-30-2003 05:07 AM
Hi,
clear the current access-list 150:
no access-list 150
If you only want to block outside access for the 6 specific IP addresses and allow everything else from inside to outside and dmz, then these ACL commands will do:
access-list 150 deny ip host 10.5.2.2 any
access-list 150 deny ip host 10.5.2.4 any
access-list 150 deny ip host 10.5.2.5 any
access-list 150 deny ip host 10.5.2.6 any
access-list 150 deny ip host 10.5.2.7 any
access-list 150 deny ip host 10.5.2.8 any
access-list 150 permit ip any any
access-list 150 permit icmp any any
access-group 150 in interface inside
Access-lists are always processed from top to bottom. The processing stops once a match is found. If no match is found in the ACL, the traffic is denied by default.
Kind Regards,
Tom
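As an added illustration of the top-to-bottom, first-match, implicit-deny processing Tom describes, and of why Steve's list 101 places the smtp permits before the host denies, here is a small Python simulator of those semantics. It is example code written for this page, not PIX software and not anything the posters supplied. The 192.0.2.0/28 DMZ prefix, the 192.0.2.10 mail server and the 203.0.113.1 internet address are constructed stand-ins for the x.x.x.x values in the thread, and the `shadowed_rules` check is an editor's addition for spotting rules that can never match, such as a deny appended after a `permit ip any any`. It models the interface ACL only; it does not model the NAT-exemption use (`nat (inside) 0 access-list 150`) that the posted config also gives to list 150.

```python
"""Top-to-bottom, first-match ACL evaluator (added example modelled on the
PIX access-list semantics described in the thread; not vendor code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None      # None = any destination port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: Optional[int] = None


ANY = ipaddress.ip_network("0.0.0.0/0")


def host(ip: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(ip + "/32")


def packet(proto: str, src: str, dst: str, dport: Optional[int] = None) -> Packet:
    return Packet(proto, ipaddress.ip_address(src), ipaddress.ip_address(dst), dport)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.proto == "ip" or rule.proto == pkt.proto)
            and pkt.src in rule.src and pkt.dst in rule.dst
            and (rule.dport is None or rule.dport == pkt.dport))


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Walk the list top to bottom; the first matching rule decides.
    A packet that matches nothing hits the implicit deny (index None)."""
    for i, rule in enumerate(acl):
        if rule_matches(rule, pkt):
            return rule.action, i
    return "deny", None


def covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet `inner` could match is already matched by `outer`."""
    return ((outer.proto == "ip" or outer.proto == inner.proto)
            and (outer.dport is None or outer.dport == inner.dport)
            and inner.src.subnet_of(outer.src)
            and inner.dst.subnet_of(outer.dst))


def shadowed_rules(acl: List[Rule]) -> List[int]:
    """Indices of rules that can never be reached because an earlier rule,
    whatever its action, matches everything they would match."""
    return [j for j in range(len(acl))
            if any(covers(acl[i], acl[j]) for i in range(j))]


# Constructed stand-ins for the x.x.x.x values in the thread (hypothetical addresses).
BLOCKED = ["10.5.2.2", "10.5.2.4", "10.5.2.5", "10.5.2.6", "10.5.2.7", "10.5.2.8"]
DMZ_NET = ipaddress.ip_network("192.0.2.0/28")      # "x.x.x.x 255.255.255.240"
MAIL_SERVER, INTERNET_HOST = "192.0.2.10", "203.0.113.1"

# Steve's list 101: smtp to the DMZ first, then deny the six hosts, then permit the rest.
ACL_101 = ([Rule("permit", "tcp", host(h), DMZ_NET, 25) for h in BLOCKED]
           + [Rule("deny", "ip", host(h), ANY) for h in BLOCKED]
           + [Rule("permit", "ip", ANY, ANY)])

# Tom's list 150: deny the six hosts, then permit everything.
ACL_150 = ([Rule("deny", "ip", host(h), ANY) for h in BLOCKED]
           + [Rule("permit", "ip", ANY, ANY), Rule("permit", "icmp", ANY, ANY)])

# The ordering the original poster tried: denies appended after an existing permit any.
ACL_APPENDED = ([Rule("permit", "ip", ANY, ANY)]
                + [Rule("deny", "ip", host(h), ANY) for h in BLOCKED])

if __name__ == "__main__":
    for name, acl in (("101", ACL_101), ("150", ACL_150), ("appended", ACL_APPENDED)):
        print(f"acl {name}: shadowed rule indices {shadowed_rules(acl)}")
        for pkt in (packet("tcp", "10.5.2.5", MAIL_SERVER, 25),
                    packet("tcp", "10.5.2.5", INTERNET_HOST, 80),
                    packet("tcp", "10.5.2.3", INTERNET_HOST, 80)):
            print(f"  {pkt.src} -> {pkt.dst}:{pkt.dport} {evaluate(acl, pkt)}")
```

Running it shows the three behaviours the replies turn on: under list 101 a blocked host reaches the mail server on port 25 but nothing else, while an unlisted host is permitted by the final `permit ip any any`; under list 150 as posted, the deny lines come first, so the blocked hosts cannot reach the DMZ mail server either, and the trailing `permit icmp any any` is reported as shadowed because `permit ip any any` already covers it; and in the appended ordering every deny is shadowed, which is why denies added after an existing `permit ip any any` change nothing.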
01-31-2003 10:23 PM
Thanks for your help, but access-list 150 is being used by the nat command. Please check the nat command also. I had tried adding these commands to the current access-lists, but if I apply that access-list to the inside interface it stops everything. I think it is blocking because of access-list 150, which is being used by the nat command.