However, you need to be careful here. If you apply this to the internet-facing interface it would only allow that address range to your mail server on port 25. Everything else would be blocked. And because an ACL is not stateful, that would mean any return traffic is blocked as well, i.e. you have a user on your LAN who connects to a webserver on the internet. If you apply the above ACL then it would drop the return traffic from the webserver back to the user. You can look to use the "established" keyword (TCP only), reflexive ACLs or CBAC (IOS stateful firewall) to get around this.
Without knowing how your ACLs are set up it's not possible to say exactly which one you need.
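The behaviour described in the reply above, modelled as an added example that is not part of the original thread: a first-match, stateless ACL evaluated on inbound packets, once with only the Postini permit and once with an "established" entry in front of it. The Postini range, the public addresses and all names in the code are constructed placeholders, since the thread does not give them.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ipaddress.ip_network("0.0.0.0/0")
# Constructed placeholders (documentation ranges), not values from the thread.
POSTINI = ipaddress.ip_network("198.51.100.0/24")   # stands in for the Postini range
MAIL = ipaddress.ip_network("203.0.113.25/32")      # stands in for the public SMTP address

@dataclass(frozen=True)
class Rule:                      # every rule models a "permit tcp ..." entry
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None  # None means any destination port
    established: bool = False    # IOS "established": ACK or RST bit set

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    flags: frozenset             # TCP flags seen on this one packet

def evaluate(acl, pkt):
    """First match wins; no match hits the implicit deny. No state is kept."""
    for rule in acl:
        if ipaddress.ip_address(pkt.src) not in rule.src:
            continue
        if ipaddress.ip_address(pkt.dst) not in rule.dst:
            continue
        if rule.dport is not None and pkt.dport != rule.dport:
            continue
        if rule.established and not pkt.flags & {"ACK", "RST"}:
            continue
        return "permit"
    return "deny"

POSTINI_ONLY = [Rule(POSTINI, MAIL, dport=25)]
WITH_ESTABLISHED = [Rule(ANY, ANY, established=True)] + POSTINI_ONLY

# Constructed inbound packets arriving on the outside interface.
postini_smtp = Packet("198.51.100.10", "203.0.113.25", 25, frozenset({"SYN"}))
other_smtp = Packet("192.0.2.50", "203.0.113.25", 25, frozenset({"SYN"}))
web_reply = Packet("192.0.2.80", "203.0.113.1", 40000, frozenset({"SYN", "ACK"}))

if __name__ == "__main__":
    for name, acl in (("postini only", POSTINI_ONLY), ("with established", WITH_ESTABLISHED)):
        for pkt in (postini_smtp, other_smtp, web_reply):
            print(f"{name:17} {pkt.src:>14} -> {pkt.dst}:{pkt.dport} {evaluate(acl, pkt)}")
```

The "established" entry only inspects flag bits on each packet, so it restores return traffic without tracking sessions; reflexive ACLs and CBAC are the options that keep per-connection state.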
Re: Allowing only Postini addresses for static NAT
Thank you for the reply. Mail was working with the NAT entry to .113 but Postini wasn't; I did a showmyipaddress and it showed the .253 address, which is the outside interface. I added a second NAT translation and Postini is also working, but due to a security concern I want to block access. Here is the relevant config:
!
interface GigabitEthernet0/0.1
 description Inside Interface$ETH-LAN$
 encapsulation dot1Q 1 native
 ip address 192.168.0.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip policy route-map Citrix_1
 no cdp enable
!
!
interface ATM0/0/0.1 point-to-point
 description Connected to DSL$FW_OUTSIDE$
 ip address 220.127.116.11 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly
 no snmp trap link-status
 atm route-bridged ip
 pvc 0 0/35
  encapsulation aal5snap
 !
!
ip nat inside source route-map SDM_RMAP_1 interface ATM0/0/0.1 overload
ip nat inside source route-map SDM_RMAP_2 interface GigabitEthernet0/1 overload
ip nat inside source static tcp 192.168.0.210 80 18.104.22.168 80 extendable
ip nat inside source static tcp 172.16.1.5 443 22.214.171.124 443 extendable
ip nat inside source static tcp 192.168.0.210 1494 126.96.36.199 1494 extendable
ip nat inside source static tcp 192.168.0.210 2598 188.8.131.52 2598 extendable
ip nat inside source static tcp 172.16.1.5 3389 184.108.40.206 3389 extendable
ip nat inside source static 192.168.3.230 220.127.116.11
ip nat inside source static tcp 192.168.0.240 25 18.104.22.168 25 extendable ====> initial entry for smtp
ip nat inside source static tcp 192.168.0.240 80 22.214.171.124 80 extendable
ip nat inside source static tcp 192.168.0.240 110 126.96.36.199 110 extendable
ip nat inside source static tcp 192.168.0.240 443 188.8.131.52 443 extendable
ip nat inside source static tcp 192.168.0.240 3389 184.108.40.206 3389 extendable
ip nat inside source static 192.168.0.230 220.127.116.11
ip nat inside source static 192.168.2.230 18.104.22.168
ip nat inside source static 192.168.0.231 22.214.171.124
ip nat inside source static tcp 192.168.0.220 1494 126.96.36.199 1494 extendable
ip nat inside source static 192.168.3.6 188.8.131.52
ip nat inside source static tcp 192.168.0.240 25 184.108.40.206 25 extendable ====> Postini entry for smtp
!