I am running IOS 12.2 FW and have protected all ports except for TCP port 25, which is open for SMTP (MS Exchange 2000). The ISP keeps changing the IP addresses of its mail servers, so I can't use IP addresses in the ACLs, but I do have a list of DNS names for the mail servers and these do not change. Can I use the DNS names in the ACLs or perform some sort of DNS lookup, so that I can restrict where SMTP traffic comes from? I am a new CCNA who has installed 11x 827s but would like some advice on how to tighten up security for SMTP. Many thanks to anyone who can help.
You can't unfortunately use a hostname in an ACL. You can define a DNS server on the router itself, which then enables you to ping/telnet/etc FROM the router using the hostname, but it still doesn't allow you to use this to define an ACL.
When you say you've protected all ports, do you mean into your networks or do you mean that you haven't added the SMTP inspection line into your FW config?
If the former, and I presume you don't have your own internal SMTP servers here but are using the ISP's for your mail, then you'll just have to allow all SMTP into your network; there's really no good way around it.
If the latter, then this is good if the ISP is using Exchange, but as long as you have inspected TCP outbound, that traffic will be allowed back in. When using IOS FW, you can pretty much deny all inbound traffic except stuff that needs to originate from the outside, like HTTP traffic to an internal WWW server or something like that. If your users are on the inside and the mail servers are on the outside, then just deny inbound traffic, inspect TCP, and your users will be able to connect to the SMTP server and get their mail, but the SMTP server won't be able to initiate a connection to them, which is fine.
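As an added illustration of the "deny inbound, inspect outbound" pattern the answer describes (this is example configuration written for this page, not the poster's or Cisco's own), here is an IOS Classic Firewall (CBAC) fragment for an 827 with the 12.2 FW feature set. It assumes the outside interface is `Dialer0`, that the Exchange 2000 server is reachable from the Internet at the placeholder address `203.0.113.10` (if NAT is in use, match the public address here, because an inbound interface ACL is evaluated before the outside-to-inside translation), and that the inspection rule and ACL names `FWRULES` and `OUTSIDE-IN` are arbitrary. Since an ACL cannot match a DNS name, the only static narrowing possible for inbound SMTP is by destination host; the `smtp` inspection then checks that what arrives on port 25 is well-formed SMTP, and `deny ip any any log` records everything else that is dropped.

```cisco
! Added example, not from the original thread. Placeholder addresses and names.
! Inspection set: CBAC tracks sessions initiated from the inside and opens
! temporary inbound entries for their return traffic only.
ip inspect name FWRULES tcp
ip inspect name FWRULES udp
! SMTP inspection checks that traffic on the permitted port 25 is legal SMTP
ip inspect name FWRULES smtp
! Log session creation/teardown so inbound SMTP use can be reviewed
ip inspect audit-trail

! Static inbound policy on the outside interface. Anything not permitted here
! and not opened dynamically by CBAC is dropped and logged.
ip access-list extended OUTSIDE-IN
 remark Inbound SMTP only to the Exchange server (placeholder public address)
 permit tcp any host 203.0.113.10 eq smtp
 remark ICMP error/reply types needed for PMTUD and basic troubleshooting
 permit icmp any any unreachable
 permit icmp any any packet-too-big
 permit icmp any any time-exceeded
 permit icmp any any echo-reply
 remark Deny and log everything else arriving from the Internet
 deny ip any any log

interface Dialer0
 description ADSL link to ISP (assumed outside interface)
 ip access-group OUTSIDE-IN in
 ip inspect FWRULES out
```

After applying it, `show ip inspect sessions` lists the sessions CBAC is currently tracking, and `show access-lists OUTSIDE-IN` shows hit counts on the SMTP permit and the final deny, which is a quick way to confirm that only the Exchange host is receiving unsolicited inbound connections.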