Access list and NAT (Static mapping) together?

I have 1 NAT static mapping (Exchange Server) in a network with other PCs mapped dynamically. I want to protect my Exchange Server because it's open to the Internet. I'm using this:

access-list 101 deny ip host 195.229.36.85 any
access-list 101 permit udp any host 195.229.36.85 eq domain
access-list 101 permit tcp any host 195.229.36.85 eq pop3
access-list 101 permit tcp any host 195.229.36.85 eq smtp
access-list 101 permit tcp any host 195.229.36.85 eq www

After doing these commands, mail stops going out and there is no Internet browsing. Can you help me, brother!

Imran-Dubai

Anonymous

Re: Access list and NAT (Static mapping) together?

Some info is missing, but I guess you attached this ACL to the external interface as the incoming ACL.

I assume that you're not using CBAC, but traditional extended ACLs.

If yes,

you authorise only connections from the outside

and you do not authorise inside returning connections.

You may try something like that:

! Generated by Solsoft NP 5.0
! Copyright 1997-2002 Solsoft
! ..................................
ip access-list extended npc-interface2-in
! Incoming
! Service: ip
! Anti-spoofing rules
deny ip host 195.229.36.85 any
! Services (return): http smtp
permit tcp any eq 25 host 195.229.36.85 gt 1023 established
permit tcp any eq 80 host 195.229.36.85 gt 1023 established
! Services: dns-tcp http pop3 smtp
permit tcp any gt 1023 host 195.229.36.85 eq 25
permit tcp any gt 1023 host 195.229.36.85 eq 53
permit tcp any gt 1023 host 195.229.36.85 eq 80
permit tcp any gt 1023 host 195.229.36.85 eq 110
! Service: dns-udp
permit udp any gt 1023 host 195.229.36.85 eq 53
! Service: ip
! default policy (=deny)
deny ip any any
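As an added illustration (not part of the reply, and not Solsoft output), here is a small Python first-match evaluator for the extended ACL syntax used in both lists, run against constructed packets. It shows the poster's list dropping the reply packets of an outbound SMTP session (which is why mail stopped going out), the suggested list admitting them only when the ACK bit is set because of `established`, and both lists still admitting a fresh inbound POP3 connection. The remote host 203.0.113.10 and port 40000 are placeholders chosen for the example.

```python
PORT_NAMES = {"domain": 53, "pop3": 110, "smtp": 25, "www": 80}
SERVER = "195.229.36.85"   # the Exchange server's static NAT address from the thread
def _addr(toks):  # consume 'any' or 'host <ip>'; return (matcher, remaining tokens)
    if toks[0] == "any":
        return (lambda ip: True), toks[1:]
    host = toks[1]
    return (lambda ip: ip == host), toks[2:]

def _ports(toks):  # consume an optional 'eq <port>' / 'gt <port>' qualifier
    if toks and toks[0] in ("eq", "gt"):
        op, n = toks[0], PORT_NAMES.get(toks[1]) or int(toks[1])
        return (lambda p: p == n if op == "eq" else p > n), toks[2:]
    return (lambda p: True), toks

def parse_ace(line):
    """Parse one permit/deny entry in numbered ('access-list 101 ...') or named-ACL form."""
    toks = line.split()
    if toks[0] == "access-list":
        toks = toks[2:]
    action, proto, toks = toks[0], toks[1], toks[2:]
    src, toks = _addr(toks)
    sport, toks = _ports(toks)
    dst, toks = _addr(toks)
    dport, toks = _ports(toks)
    return action, proto, src, sport, dst, dport, "established" in toks

def evaluate(acl, pkt):
    """First matching entry wins; no match falls through to the implicit 'deny ip any any'."""
    for action, proto, src, sport, dst, dport, est in map(parse_ace, acl):
        if (proto in ("ip", pkt["proto"]) and src(pkt["src"]) and sport(pkt["sport"])
                and dst(pkt["dst"]) and dport(pkt["dport"]) and (not est or pkt["ack"])):
            return action
    return "deny"

ORIGINAL_ACL = [f"access-list 101 deny ip host {SERVER} any",
                f"access-list 101 permit udp any host {SERVER} eq domain",
                f"access-list 101 permit tcp any host {SERVER} eq pop3",
                f"access-list 101 permit tcp any host {SERVER} eq smtp",
                f"access-list 101 permit tcp any host {SERVER} eq www"]
SUGGESTED_ACL = [f"deny ip host {SERVER} any",                               # anti-spoofing
                 f"permit tcp any eq 25 host {SERVER} gt 1023 established",  # SMTP return traffic
                 f"permit tcp any gt 1023 host {SERVER} eq 25",
                 f"permit tcp any gt 1023 host {SERVER} eq 110"]
# Constructed packets: 203.0.113.10 is a placeholder remote host, 40000 an ephemeral port.
SMTP_REPLY = dict(proto="tcp", src="203.0.113.10", sport=25, dst=SERVER, dport=40000, ack=True)
SMTP_SYN_IN = dict(proto="tcp", src="203.0.113.10", sport=25, dst=SERVER, dport=40000, ack=False)
POP3_CLIENT = dict(proto="tcp", src="203.0.113.10", sport=40000, dst=SERVER, dport=110, ack=False)
if __name__ == "__main__":
    for name, p in [("smtp reply", SMTP_REPLY), ("smtp syn", SMTP_SYN_IN), ("pop3 in", POP3_CLIENT)]:
        print(f"{name:10} original={evaluate(ORIGINAL_ACL, p):6} suggested={evaluate(SUGGESTED_ACL, p)}")
```

The `established` keyword only checks TCP flags, so the DNS-UDP replies the server needs are not covered by it; a UDP return entry or CBAC inspection is the usual answer to that.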
