ACL Help

I have been given a template to use to configure our Internet router sitting outside our firewall.

I have done the test using the template and found out that our Internet mail can't go through. Our mail server can't communicate with other mail servers outside on the Internet. Below is the template. We just want Internet traffic and mail traffic to go through the router.

Can somebody help me?

This is designed for simple 2-interface routers with only a single live IP subnet range.

Created in accordance with SANS recommendations.

Reference: rr.sans.org/netdevices/cisco_gear.php

Variables - these require replacement with correct values.

Telnet approved networks: a.a.a.a b.b.b.b
Live external IPs: c.c.c.c d.d.d.d
SNMP approved networks: g.g.g.g h.h.h.h
Interface name: INTERNAL INTERFACE
Interface name: EXTERNAL INTERFACE
SNMP RO community: changethis

!ROUTER CONFIGURATION
service password-encryption
banner login #
************************************************************************
* This is a private system *
* Access to this computer system is limited to authorised users only. *
* This authorization must be obtained in writing from the system owner *
* Unauthorised users may be subject to prosecution under the Crimes *
* Act or State legislation *
* *
* All accesses to this service are logged *
* All information and details on this system are private, *
* confidential and must not be disclosed *
************************************************************************
#
no service finger
no ip bootp server
no ip http server
no service udp-small-servers
no service tcp-small-servers
no service config
no service pad
no service dhcp
no service ntp
no tftp-server
no ip identd
no snmp-server
no cdp run
service tcp-keepalives-in
no ip domain-lookup
no ip source-route
ip subnet-zero
ip classless
!This will affect some services
interface INTERNAL INTERFACE
 description Internal Interface
 no ip redirects
 no ip unreachables
 no ip directed-broadcast
 no ip proxy-arp
 no ip mroute-cache
 no cdp enable
 no ip mask-reply
!This will affect some services
interface EXTERNAL INTERFACE
 description External Interface
 no ip redirects
 no ip unreachables
 no ip directed-broadcast
 no ip proxy-arp
 no ip mroute-cache
 no cdp enable
 no ip mask-reply
!Ingress Filtering
ip access-list extended ingress-filter
 deny ip host 0.0.0.0 any log
 deny ip 10.0.0.0 0.255.255.255 any log
 deny ip 127.0.0.0 0.255.255.255 any log
 deny ip 169.254.0.0 0.0.255.255 any log
 deny ip 172.16.0.0 0.15.255.255 any log
 deny ip 192.168.0.0 0.0.255.255 any log
 deny ip 192.0.2.0 0.0.0.255 any log
 deny ip 224.0.0.0 15.255.255.255 any log
 deny ip 240.0.0.0 7.255.255.255 any log
 deny ip 248.0.0.0 7.255.255.255 any log
 deny ip host 255.255.255.255 any log
 permit icmp any c.c.c.c d.d.d.d packet-too-big
 permit icmp any c.c.c.c d.d.d.d echo-reply
 permit icmp any c.c.c.c d.d.d.d ttl-exceeded
 permit icmp any c.c.c.c d.d.d.d source-quench
 ! the template had "permit icmp c.c.c.c d.d.d.d echo" with no destination, which does not parse;
 ! source "any" added so the entry has the same shape as the ICMP entries above it
 permit icmp any c.c.c.c d.d.d.d echo
 deny icmp any any
 ! anti-spoofing: packets carrying our own range as source must never arrive from outside
 deny ip c.c.c.c d.d.d.d any log
 permit ip any c.c.c.c d.d.d.d
 deny udp any range 1 65535 any log
 deny tcp any range 1 65535 any log
 deny ip any any log
int EXTERNAL INTERFACE
 ip access-group ingress-filter in
 ip accounting access-violations
int INTERNAL INTERFACE
 ip access-group ingress-filter out
 ip accounting access-violations
!Egress Filtering
ip access-list extended egress-filter
 permit icmp c.c.c.c d.d.d.d any packet-too-big
 permit icmp c.c.c.c d.d.d.d any echo
 permit icmp c.c.c.c d.d.d.d any ttl-exceeded
 permit icmp c.c.c.c d.d.d.d any source-quench
 ! destination "any" added; the template's "permit icmp c.c.c.c d.d.d.d echo-reply" omitted it
 permit icmp c.c.c.c d.d.d.d any echo-reply
 deny icmp any any
 permit ip c.c.c.c d.d.d.d any
 deny udp any range 1 65535 any log
 deny tcp any range 1 65535 any log
 deny ip any any log
! the template applied a list named "outbound-filter" here, which it never defines;
! IOS passes all packets through an access-group whose list does not exist, so the
! egress list above was not in effect until the name was corrected
int INTERNAL INTERFACE
 ip access-group egress-filter in
int EXTERNAL INTERFACE
 ip access-group egress-filter out
!Logging Configuration
logging buffered 32768 informational
no logging console
service timestamps log datetime msec localtime show-timezone
service timestamps debug datetime msec localtime show-timezone
clock timezone GMT +10
access-list 99 permit a.a.a.a b.b.b.b log
access-list 99 deny any log
line vty 0 4
 access-class 99 in
 exec-timeout 15 0
 login
 ! telnet is cleartext; on images that support SSH, "transport input ssh" is the safer choice
 transport input telnet
line aux 0
 no exec
 exec-timeout 0 10
 transport input none
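The two lists in the template can be checked off the router before they are applied. The following Python is an added example, not the poster's configuration and not Cisco code: it implements first-match evaluation over the subset of IOS extended-ACL syntax the template uses (any / host / address-plus-wildcard, an optional port qualifier, an optional ICMP type, trailing "log"), with the implicit "deny ip any any" at the end and the IOS rule that an access-group naming a list that was never defined passes all packets. It assumes the live range c.c.c.c d.d.d.d is 203.0.113.0 0.0.0.255 and uses constructed addresses for the mail server and a remote MX; the two ICMP echo entries are written in the full form (`permit icmp any c.c.c.c d.d.d.d echo`) that the rest of the lists use. Port qualifiers are parsed but not matched, because the template's only port match is "range 1 65535", every port.

```python
"""Evaluate the template's ingress and egress lists against sample packets.
Added example (not the poster's config, not Cisco code): first match wins,
implicit "deny ip any any" at the end, and an access-group naming an undefined
list permits everything. Port qualifiers are parsed but not matched, since the
template's only port match is "range 1 65535" (every port). Addresses are
constructed: "c.c.c.c d.d.d.d" is taken as 203.0.113.0 0.0.0.255."""
import ipaddress
from collections import namedtuple

LIVE = "203.0.113.0 0.0.0.255"   # assumed stand-in for the template's c.c.c.c d.d.d.d

INGRESS = """deny ip host 0.0.0.0 any log
deny ip 10.0.0.0 0.255.255.255 any log
deny ip 127.0.0.0 0.255.255.255 any log
deny ip 169.254.0.0 0.0.255.255 any log
deny ip 172.16.0.0 0.15.255.255 any log
deny ip 192.168.0.0 0.0.255.255 any log
deny ip 192.0.2.0 0.0.0.255 any log
deny ip 224.0.0.0 15.255.255.255 any log
deny ip 240.0.0.0 7.255.255.255 any log
deny ip 248.0.0.0 7.255.255.255 any log
deny ip host 255.255.255.255 any log
permit icmp any LIVE packet-too-big
permit icmp any LIVE echo-reply
permit icmp any LIVE ttl-exceeded
permit icmp any LIVE source-quench
permit icmp any LIVE echo
deny icmp any any
deny ip LIVE any log
permit ip any LIVE
deny udp any range 1 65535 any log
deny tcp any range 1 65535 any log
deny ip any any log""".replace("LIVE", LIVE)

EGRESS = """permit icmp LIVE any packet-too-big
permit icmp LIVE any echo
permit icmp LIVE any ttl-exceeded
permit icmp LIVE any source-quench
permit icmp LIVE any echo-reply
deny icmp any any
permit ip LIVE any
deny udp any range 1 65535 any log
deny tcp any range 1 65535 any log
deny ip any any log""".replace("LIVE", LIVE)

Packet = namedtuple("Packet", "src dst proto icmp_type", defaults=(None,))
Ace = namedtuple("Ace", "action proto src dst icmp_type text")   # src/dst = (address, wildcard)

def _addr(tok):
    """Consume one address spec: any | host A | A WILDCARD -> (address, wildcard mask)."""
    t = tok.pop(0)
    if t == "any":
        return ("0.0.0.0", "255.255.255.255")
    if t == "host":
        return (tok.pop(0), "0.0.0.0")
    return (t, tok.pop(0))

def _skip_ports(tok):
    """Drop an optional 'eq N' or 'range LO HI' qualifier (ports are not matched here)."""
    if tok and tok[0] in ("eq", "range"):
        del tok[:2 if tok[0] == "eq" else 3]

def parse_acl(text):
    """Parse one ACE per line in the subset of IOS syntax used by the template."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        action, proto, rest = tok[0], tok[1], tok[2:]
        src = _addr(rest); _skip_ports(rest)
        dst = _addr(rest); _skip_ports(rest)
        itype = rest.pop(0) if proto == "icmp" and rest and rest[0] != "log" else None
        aces.append(Ace(action, proto, src, dst, itype, line))
    return aces

def _in(addr, spec):
    """Cisco wildcard match: a bit set in the mask is don't-care."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, *spec))
    return (a | w) == (b | w)

def evaluate(aces, pkt):
    """Return (action, matching ACE text). aces=None models an access-group whose list was never defined."""
    if aces is None:
        return ("permit", "undefined access list: IOS permits all traffic")
    for ace in aces:
        if (ace.proto in ("ip", pkt.proto) and ace.icmp_type in (None, pkt.icmp_type)
                and _in(pkt.src, ace.src) and _in(pkt.dst, ace.dst)):
            return (ace.action, ace.text)
    return ("deny", "implicit deny ip any any")

def check_mail_path():
    """SMTP flows from the question plus the anti-spoofing cases, through the list each would hit."""
    ingress, egress = parse_acl(INGRESS), parse_acl(EGRESS)
    mta, mx = "203.0.113.10", "198.51.100.25"   # constructed: our mail server and a remote MX
    return {
        "smtp_out": evaluate(egress, Packet(mta, mx, "tcp"))[0],              # MTA -> remote MX
        "smtp_in": evaluate(ingress, Packet(mx, mta, "tcp"))[0],              # remote MX -> MTA
        "spoofed": evaluate(ingress, Packet("203.0.113.50", mta, "tcp"))[0],  # our range from outside
        "rfc1918": evaluate(ingress, Packet("10.9.8.7", mta, "udp"))[0],
        "ping_in": evaluate(ingress, Packet("198.51.100.1", mta, "icmp", "echo"))[0],
        "leak_out": evaluate(egress, Packet("192.168.1.5", mx, "tcp"))[0],    # un-NATed internal host
    }
```

Running check_mail_path() shows both SMTP directions permitted: outbound by `permit ip c.c.c.c d.d.d.d any` in the egress list and inbound by `permit ip any c.c.c.c d.d.d.d` in the ingress list, while the anti-spoofing entry only denies packets that arrive from outside with the live range as their source, and an internal host that is not in the live range (no NAT) is dropped on the way out. Under these assumptions the router lists are not what stops port 25, so the block is elsewhere on the path. evaluate(None, ...) is the case of an access-group that names a list the configuration never defines: it permits everything, which is also what happens on a real IOS box.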


Re: ACL Help

Check if you have opened the mail service port on the firewall. If not, open the SMTP port 25 on the firewall.
