ACL Problem

Tim Roelands
Level 1

Hi,

I'm a bit confused about using access-list parameters for more secure inside access. I would like to set up the router so that only one server (WAN IP 87.*.*) has access to the inside Exchange server, instead of opening port 25 for everyone. I thought an ACL would be the solution, but it doesn't work. Any help?

Here is my config:

no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service sequence-numbers
!
hostname r1
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
enable secret 5 ****
!
no aaa new-model
memory-size iomem 10
clock timezone GMT 1
clock summer-time GMT date Mar 30 2010 1:00 Oct 26 2035 1:59
!
!
no ip source-route
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.199
!
ip dhcp pool Name
   network 192.168.1.0 255.255.255.0
   domain-name name.local
   default-router 192.168.1.1
   dns-server 213.*.*.* 214.*.*.*
   lease 0 8
!
!
ip cef
no ip bootp server
no ip domain lookup
ip domain name name.local
!
!
license udi pid CISCO867-K9 sn ******
!
!
username admin privilege 15 secret 5 ******
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
!
!
!
!
interface ATM0
no ip address
no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
pvc 0/8
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
!
interface ATM0.2 point-to-point
pvc 0/9
  encapsulation aal5mux ppp dialer
  dialer pool-member 2
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface Dialer1
ip address negotiated
ip access-group 105 in
! (ACL 105 applied to Dialer1)
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp pap sent-username dsl***** password 7 *******
no cdp enable
!
interface Dialer2
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 2
dialer-group 2
ppp authentication pap callin
ppp pap sent-username voip***** password 7 *******
no cdp enable
!
ip forward-protocol nd
no ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 101 interface Dialer1 overload
ip nat inside source static tcp 192.168.1.110 25 interface Dialer1 25
ip route 0.0.0.0 0.0.0.0 Dialer1
!
logging trap debugging
access-list 23 remark TTY security
access-list 23 permit 192.168.1.0 0.0.0.255
access-list 23 remark Routit
access-list 23 permit 213.*.0.0 0.0.255.255
access-list 23 permit 172.31.255.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 105 permit tcp 87.*.*.0 0.0.0.255 host 192.168.1.110 eq smtp
! (added ACL 105 to only permit WAN IP 87.*.* to port 25)
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
no cdp run

!
control-plane
!
banner login ^CCCAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
no modem enable
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

What's wrong here? It works when I delete the added ACL 105, but then any WAN IP can access port 25. Thanks!

Accepted Solution

Nagaraja Thanthry
Cisco Employee

Hello,

The access-list you have configured does not seem correct. Please try the following:


no access-list 105 permit tcp 87.*.*.0 0.0.0.255 host 192.168.1.110 eq smtp

access-list 105 permit tcp 87.*.*.0 0.0.0.255 any eq smtp

access-list 105 deny tcp any any eq smtp

access-list 105 permit ip any any

In the above configuration, the first permit statement ensures that the 87.x.x.x subnet has access to the SMTP server using its public IP address. Since the dialer interface will have a different IP (DHCP client), we need to use the keyword "any". The next line denies access to the SMTP server for everybody else. The last line is necessary as the router is not a stateful firewall, so it needs a specific rule to allow all returning traffic.

Hope this helps.

Regards,

NT


7 Replies


It works! Thanks a lot!

Hi Nagaraja Thanthry,

I've got one question left. As a response to this:

"Since the dialer interface will have a different IP (DHCP client), we need to use the keyword "any"."

Well, the line has a static IP, but it gets it via DHCP. The WAN IP will never change. Could you please help me with what the ACL should look like when the dialer has a static IP, let's say 82.122.33.36?

Thanks a lot!

Hello,

If you have a specific IP for the dialer, then you can try the following:

access-list 105 permit tcp 87.*.*.0 0.0.0.255 host 82.122.33.36 eq smtp

access-list 105 deny tcp any any eq smtp

access-list 105 permit ip any any

This way, 87.x.x.x will be able to talk to the inside mail server and all other SMTP requests are blocked on the dialer interface.

Hope this helps.

Regards,

NT

Dear Nagaraja ,

I just came across your post that solved the problem for the question above. I am just a little bit confused about the 2nd and 3rd lines:

access-list 105 deny tcp any any eq smtp

access-list 105 permit ip any any

Doesn't the 3rd one (permit ip any any) override the (deny tcp any any) and allow everyone to reach the mail server?

Hi,

The 3rd one is overriding the implicit deny of the ACL, so UDP will be permitted as well as ICMP, but not TCP due to the second line, except to port 25 from a particular outside host due to line 1.

Regards.

Don't forget to rate helpful posts.

I got it. Many thanks, Cadetalian, for the explanation.
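The two points the thread turns on are easy to get wrong without seeing them run: an inbound ACL on the NAT-outside interface is evaluated against the packet before the static NAT rewrites the destination (so `host 192.168.1.110` can never match and, with nothing else permitted, the implicit deny drops all return traffic too), and ACEs are matched top-down with first match winning (so `permit ip any any` at the bottom does not "override" the `deny tcp any any eq smtp` above it). The following toy evaluator is an added example, not IOS code and not part of any post in this thread; it models only those semantics. Because the 87.*.*.0 subnet is redacted in the thread, 87.1.2.0 0.0.0.255 stands in for it (constructed), 82.122.33.36 is the dialer address proposed in the follow-up post, and the 203.0.113.x / 198.51.100.x hosts are constructed documentation addresses.

```python
"""Toy model of the IOS ACL semantics this thread relies on (added example, not IOS code):
 - ACEs are tested top-down, first match wins, implicit deny at the end;
 - IOS wildcard masks: a 0 bit must match, a 1 bit is ignored;
 - an 'in' ACL on the NAT-outside interface (Dialer1) sees the packet BEFORE
   the static NAT rewrites the destination, i.e. the public dialer address.
Assumed addresses: 87.1.2.0/24 stands in for the redacted 87.*.*.0 (constructed);
82.122.33.36 is the dialer IP from the follow-up post; 203.0.113.x and
198.51.100.x are constructed sample hosts.
"""
from dataclasses import dataclass
import ipaddress

PORT_NAMES = {"smtp": 25, "www": 80, "domain": 53}
DIALER1_PUBLIC_IP = "82.122.33.36"
# Models 'ip nat inside source static tcp 192.168.1.110 25 interface Dialer1 25'.
STATIC_NAT = {("tcp", DIALER1_PUBLIC_IP, 25): ("192.168.1.110", 25)}


@dataclass(frozen=True)
class Packet:
    proto: str   # 'tcp', 'udp' or 'icmp'
    src: str
    dst: str     # destination as it arrives on Dialer1, i.e. before NAT
    dport: int = 0


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard: bits set to 1 in the wildcard are 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)


def parse_addr(tokens):
    """Consume one address spec: 'any' | 'host A' | 'A WILDCARD'."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_ace(line: str) -> dict:
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT]'."""
    t = line.split()
    action, proto = t[2], t[3]
    src, rest = parse_addr(t[4:])
    dst, rest = parse_addr(rest)
    dport = None
    if rest[:1] == ["eq"]:
        dport = PORT_NAMES.get(rest[1]) or int(rest[1])
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}


def ace_matches(ace: dict, pkt: Packet) -> bool:
    return (ace["proto"] in ("ip", pkt.proto)
            and wildcard_match(pkt.src, *ace["src"])
            and wildcard_match(pkt.dst, *ace["dst"])
            and (ace["dport"] is None or ace["dport"] == pkt.dport))


def evaluate(acl_lines, pkt: Packet):
    """First matching ACE decides; no match means the implicit deny."""
    for line in acl_lines:
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace["action"], line
    return "deny", "implicit deny"


def receive_on_dialer1(acl_lines, pkt: Packet):
    """Inbound on the NAT-outside interface: ACL first, against the untranslated
    destination; only a permitted packet is then handed to the static NAT."""
    decision, by = evaluate(acl_lines, pkt)
    inside = STATIC_NAT.get((pkt.proto, pkt.dst, pkt.dport)) if decision == "permit" else None
    return decision, by, inside


# The ACLs from the thread, with 87.*.*.0 replaced by the stand-in 87.1.2.0.
ORIGINAL_ACL = ["access-list 105 permit tcp 87.1.2.0 0.0.0.255 host 192.168.1.110 eq smtp"]
FIXED_ACL = [
    "access-list 105 permit tcp 87.1.2.0 0.0.0.255 any eq smtp",
    "access-list 105 deny tcp any any eq smtp",
    "access-list 105 permit ip any any",
]
STATIC_IP_ACL = [
    "access-list 105 permit tcp 87.1.2.0 0.0.0.255 host 82.122.33.36 eq smtp",
    "access-list 105 deny tcp any any eq smtp",
    "access-list 105 permit ip any any",
]
# What the last question feared: 'permit ip any any' placed ABOVE the SMTP deny.
MISORDERED_ACL = [FIXED_ACL[0], FIXED_ACL[2], FIXED_ACL[1]]

# Constructed packets as they arrive on Dialer1 (destination is the public IP).
SMTP_FROM_PARTNER = Packet("tcp", "87.1.2.50", DIALER1_PUBLIC_IP, 25)
SMTP_FROM_STRANGER = Packet("tcp", "203.0.113.9", DIALER1_PUBLIC_IP, 25)
RETURN_FROM_WEB = Packet("tcp", "198.51.100.20", DIALER1_PUBLIC_IP, 51000)  # reply to a NATed client
DNS_REPLY = Packet("udp", "198.51.100.53", DIALER1_PUBLIC_IP, 53001)

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL), ("fixed", FIXED_ACL),
                      ("static-ip", STATIC_IP_ACL), ("misordered", MISORDERED_ACL)):
        for pkt in (SMTP_FROM_PARTNER, SMTP_FROM_STRANGER, RETURN_FROM_WEB, DNS_REPLY):
            print(f"{name:10} {pkt.proto}/{pkt.dport:<5} from {pkt.src:14} ->",
                  receive_on_dialer1(acl, pkt))
```

Running it shows the original ACL dropping both the partner's SMTP (destination 82.122.33.36 does not match `host 192.168.1.110`) and every reply to outbound connections (implicit deny), the accepted fix permitting the partner's SMTP and translating it to 192.168.1.110:25 while denying other SMTP and passing return traffic, the static-IP variant behaving the same, and the misordered list permitting the stranger's SMTP, which is exactly why the `deny` has to sit above `permit ip any any`.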
