Cisco Support Community

New Member

1600 Series Security Problem Help!!!

Given this configuration on my 1600 router that handles a partial frame relay connection, how can I secure the connection to only allow SMTP email to come in and out? I do not use the connection for anything else.

Current configuration:

!
version 11.2
no service password-encryption
no service udp-small-servers
no service tcp-small-servers
!
hostname SCH
!
enable password
!
ip subnet-zero
ip nat pool sch1 208.1.217.11 208.1.217.126 netmask 255.255.255.128
ip nat inside source list 1 pool sch1 overload
!
interface Ethernet0
 ip address 208.X.217.1 255.255.255.128
 ip nat inside
 no logging event subif-link-status
!
interface Serial0
 no ip address
 no logging event subif-link-status
 shutdown
 no fair-queue
!
interface Serial1
 no ip address
 encapsulation frame-relay IETF
 no logging event subif-link-status
 bandwidth 128
 service-module t1 timeslots 1-2
 frame-relay lmi-type ansi
!
interface Serial1.16 point-to-point
 ip address 207.X.149.94 255.255.255.252
 ip nat outside
 frame-relay interface-dlci 16
!
ip classless
ip route 0.0.0.0 0.0.0.0 207.42.149.93
snmp-server community sprint RW
!
line con 0
 password
line vty 0 4
 password
 login local
!
end

Thanks,

Bruce

3 REPLIES
Silver

Re: 1600 Series Security Problem Help!!!

You can accomplish this by creating 2 extended access-lists (inbound/outbound) and applying them on Serial1.16 point-to-point (in/out).

Let's say you have a mail server with an IP address of 208.X.217.10. Here is how the config should look:

access-list 101 permit tcp any host 208.1.217.10 eq smtp
access-list 102 permit tcp host 208.1.217.10 any eq smtp

interface Serial1.16 point-to-point
 ip access-group 101 in
 ip access-group 102 out

If you have a static NAT defined for the mail server, please make sure to use the NATTED IP in the ACL rather than the actual IP.
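The lists in this reply are stateless: the router checks each direction of a TCP session on its own, with an implicit deny at the end of every list. As an added illustration that is not part of the thread, this Python evaluator parses the posted access-list lines and shows which constructed packets each list passes; it also understands the IOS `established` keyword (which the thread does not use) so the effect on replies to inbound sessions can be seen. The client address 198.51.100.7 and the port numbers are constructed sample values.

```python
import ipaddress
PORT_NAMES = {"smtp": 25}  # the only named port used in the thread

def _addr(tokens):
    """Consume 'any' or 'host A.B.C.D'; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    raise ValueError("unsupported address spec: %s" % tokens[0])

def _port(tokens):
    """Consume an optional 'eq <port>' clause; return (port or None, remaining)."""
    if tokens and tokens[0] == "eq":
        return PORT_NAMES.get(tokens[1]) or int(tokens[1]), tokens[2:]
    return None, tokens

def parse_ace(line):
    """Parse 'access-list N permit|deny tcp <src> [eq p] <dst> [eq p] [established]'."""
    t = line.split()
    if t[0] != "access-list" or t[3] != "tcp":
        raise ValueError("only numbered extended TCP entries are supported")
    src, rest = _addr(t[4:])
    sport, rest = _port(rest)
    dst, rest = _addr(rest)
    dport, rest = _port(rest)
    return {"num": int(t[1]), "action": t[2], "src": src, "sport": sport,
            "dst": dst, "dport": dport, "established": rest == ["established"]}

def matches(ace, pkt):
    """pkt has src, sport, dst, dport and ack (False only on the opening SYN)."""
    return (ipaddress.ip_address(pkt["src"]) in ace["src"]
            and ipaddress.ip_address(pkt["dst"]) in ace["dst"]
            and ace["sport"] in (None, pkt["sport"]) and ace["dport"] in (None, pkt["dport"])
            and (not ace["established"] or pkt["ack"]))

def evaluate(acl_lines, pkt):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for ace in map(parse_ace, acl_lines):
        if matches(ace, pkt):
            return ace["action"]
    return "deny"

# Constructed sample: the two lists from the reply above as applied on Serial1.16,
# plus a copy of 102 with an 'established' entry (IOS keyword, not used in the thread).
ACL_101_IN = ["access-list 101 permit tcp any host 208.1.217.10 eq smtp"]
ACL_102_OUT = ["access-list 102 permit tcp host 208.1.217.10 any eq smtp"]
ACL_102_OUT_EST = ACL_102_OUT + ["access-list 102 permit tcp host 208.1.217.10 any established"]
CLIENT_SYN = {"src": "198.51.100.7", "sport": 40000, "dst": "208.1.217.10", "dport": 25, "ack": False}
SERVER_REPLY = {"src": "208.1.217.10", "sport": 25, "dst": "198.51.100.7", "dport": 40000, "ack": True}
```

Running `evaluate` over the three constructed packets shows that list 101 admits the inbound SMTP SYN, list 102 as written admits the server's own outbound mail but not its reply segments (source port 25), and the extra `established` entry admits those replies.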

New Member

Re: 1600 Series Security Problem Help!!!

That worked and saved lots of reading. One more problem: I found that I have to let in an application that runs on port 9006. It's a remote access application called NetAccess, something like pcAnywhere. How would I allow that port on incoming and outgoing?

Thanks so much!

Bruce

Silver

Re: 1600 Series Security Problem Help!!!

Bruce,

Here is what you need to add for port 9006 in your existing ACL.

access-list 101 permit tcp any host NetAccess_ip_address eq 9006
access-list 102 permit tcp host NetAccess_ip_address any

Thanks,

Mynul
