10-16-2013 04:55 AM - edited 03-11-2019 07:52 PM
Hi,
I'm new to Cisco.
I have:
object-group network smtp
host 192.168.11.13
this is the mail server
and
object-group network no_smtp
no group-object smtp
or no host 192.168.11.13
but it is not working:
object-group network no_smtp
!
object-group network smtp
host 192.168.11.13
!
How can I make an access list to deny all except the mail server 192.168.11.13 on destination port 25?
Thank you.
10-16-2013 05:57 AM
Hi,
So you want to deny access to all machines except 192.168.11.13 port 25?
Is this a router or a firewall? Can you provide your running config?
Regards
Alain
Don't forget to rate helpful posts.
10-16-2013 08:37 AM
Hi,
I guess this is the classic case where you need to block internal machines from sending spam out if they get infected by a virus or trojan. If this is not in place, your external IP can be blacklisted.
If my guess is correct you have to do something like this:
access-list INSIDE_IN extended permit tcp host 192.168.11.13 any eq 25
access-list INSIDE_IN extended deny tcp any any eq 25
access-list INSIDE_IN extended permit ip any any
If you want to use groups you can do the following:
object-group service SMTP_PORT
service-object tcp eq smtp
object-group network SMTP_SERVER
network-object host 192.168.11.13
access-list INSIDE_IN extended permit object-group SMTP_PORT object-group SMTP_SERVER any
access-list INSIDE_IN extended deny object-group SMTP_PORT any any
access-list INSIDE_IN extended permit ip any any
Order is the key thing here!
Regards
Mariusz
10-16-2013 03:27 PM
Thank you for fast reply.
It is working now. Here is my running config; do you have any suggestions?
show run
Building configuration...
Current configuration : 3204 bytes
!
version 15.1
service config
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
dot11 syslog
ip source-route
!
!
!
!
!
ip cef
ip domain name ...
ip name-server ...
no ipv6 cef
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
!
!
!
!
redundancy
!
!
ip ssh time-out 60
ip ssh version 2
!
!
!
!
!
!
!
interface FastEthernet0/0
description wan
ip address (wan IP) 255.252.0.0
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface FastEthernet0/1
description INSIDE_LAN
no ip address
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
no mop enabled
!
interface FastEthernet0/1.1
description VLAN1
encapsulation dot1Q 1 native
ip address 192.168.10.3 255.255.255.0
ip access-group 101 in
ip nat inside
ip virtual-reassembly in
!
interface FastEthernet0/1.2
description VLAN2
encapsulation dot1Q 2
ip address 192.168.11.2 255.255.255.0
ip access-group 102 in
ip nat inside
ip virtual-reassembly in
!
interface FastEthernet0/1.3
description VLAN3
encapsulation dot1Q 3
ip address 192.168.12.3 255.255.255.0
ip access-group 103 in
ip nat inside
ip virtual-reassembly in
!
ip default-gateway (...wan GW...)
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 100 interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.11.13 80 interface FastEthernet0/0 80
ip nat inside source static tcp 192.168.11.13 25 interface FastEthernet0/0 25
ip nat inside source static tcp 192.168.11.13 587 interface FastEthernet0/0 587
ip nat inside source static tcp 192.168.11.13 993 interface FastEthernet0/0 993
ip default-network 192.168.11.0
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0 permanent
ip route 172.20.96.132 255.255.255.255 192.168.11.3
ip route 172.20.100.132 255.255.255.255 192.168.11.3
!
logging esm config
access-list 1 permit 192.168.11.0 0.0.0.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
access-list 100 permit ip 192.168.11.0 0.0.0.255 any
access-list 100 permit ip 192.168.12.0 0.0.0.255 any
access-list 101 permit tcp any host 192.168.11.13 eq smtp
access-list 101 deny tcp any any eq smtp
access-list 101 permit ip any any
access-list 102 permit tcp host 192.168.11.13 any eq smtp
access-list 102 deny tcp any any eq smtp
access-list 102 permit ip any any
access-list 103 permit tcp any host 192.168.11.13 eq smtp
access-list 103 deny tcp any any eq smtp
access-list 103 permit ip any any
!
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
access-class 1 in
exec-timeout 20 0
password ...
login local
transport input ssh
!
scheduler allocate 20000 1000
end
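As an added check (not part of this thread), a small Python script that applies IOS top-down first-match semantics to the ACL 102 lines posted above and runs constructed sample flows through them; it handles only the address forms used on this page ("any", "host A", "A WILDCARD" with a contiguous wildcard) and the destination-port "eq" form, and 203.0.113.5 is an assumed external address.

```python
import ipaddress
from typing import List, Optional, Tuple

PORT_NAMES = {"smtp": 25, "www": 80}  # IOS port keywords used on this page
# An entry is (action, proto, src_net, dst_net, dst_port_or_None)
Entry = Tuple[str, str, ipaddress.IPv4Network, ipaddress.IPv4Network, Optional[int]]

def _addr(tokens):
    """Consume one IOS address spec: 'any' | 'host A' | 'A WILDCARD'; returns (net, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # ipaddress accepts a contiguous wildcard (hostmask) such as 0.0.0.255 as the mask
    return ipaddress.ip_network((tokens[0], tokens[1]), strict=False), tokens[2:]

def parse(line: str) -> Entry:
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT]' (destination port only)."""
    t = line.split()
    action, proto = t[2], t[3]
    src, rest = _addr(t[4:])
    dst, rest = _addr(rest)
    dport = (PORT_NAMES.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
    return action, proto, src, dst, dport

def evaluate(acl: List[Entry], proto: str, src: str, dst: str, dport: Optional[int] = None) -> str:
    """Top-down, first match wins; an IOS ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, snet, dnet, port in acl:
        if p in ("ip", proto) and s in snet and d in dnet and port in (None, dport):
            return action
    return "deny"

# ACL 102 exactly as posted above (inbound on the VLAN2 sub-interface that holds the mail server)
ACL_102 = [parse(ln) for ln in """
access-list 102 permit tcp host 192.168.11.13 any eq smtp
access-list 102 deny tcp any any eq smtp
access-list 102 permit ip any any
""".splitlines() if ln.strip()]

def check_smtp_policy(acl: List[Entry]) -> dict:
    """Constructed flows; 203.0.113.5 stands in for an external mail host."""
    return {
        "mail_server_smtp": evaluate(acl, "tcp", "192.168.11.13", "203.0.113.5", 25),
        "other_host_smtp": evaluate(acl, "tcp", "192.168.11.50", "203.0.113.5", 25),
        "other_host_https": evaluate(acl, "tcp", "192.168.11.50", "203.0.113.5", 443),
    }

if __name__ == "__main__":
    print(check_smtp_policy(ACL_102))  # mail server permitted, other hosts denied on 25 only
    print(check_smtp_policy([ACL_102[1], ACL_102[0], ACL_102[2]]))  # swapped: deny shadows permit
```

Running the swapped order shows the point made above about ordering: once the deny line precedes the host permit, the mail server itself is blocked on port 25.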