Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Webcast-Catalyst9k
New Member

Cisco IOS firewall configuration

Hi

Follwoing is the summary configuration on ISR Cisco for IOS firewall

int fast 0/0

description OUTSIDE

ip address A.B.C.D /30

ip inspect E_Mail_From_Outside in

ip access-group E_Mail_Server in

int fast 0/1

ip address 10.1.1.1 / 24

ip inspect USERS_HTTP_ONLY in

ip access-group HTTP_ONLY in

ip inspect name E_Mail_From_Outside tcp

ip inspect name USERS_HTTP_ONLY tcp

ip access-list extended E_Mail_Server

permit tcp any host P.Q.R.S eq 25

( allowes outside e-mail servers to send e-mails on P.Q.R.S on port 25 SMTP - P.Q.R.S is Static public address reachable on outside interface )

ip access-list extended HTTP_ONLY

permit tcp 10.1.1.0 / 24 any eq 80

(allows users 10.1.1.0 /24 to browse internet only on Port 80 ).

How in this case internal e-mail server internal e-mail server traffic will be handled. As we are not allowing any port except port 80 from inside to outside. Does it automatically / dynamically adds lines to access-list? ( similarly to how lines are added on the access list on the outside interface to allow responce packets which were initiated from inside zone).

Please share the experience.

Thanks in advance

Subodh

1 REPLY

Re: Cisco IOS firewall configuration

Hi Subodh,

Currently, internal e-mail server traffic is blocked inbound on FastEthernet0/1 by extended ACL HTTP_ONLY.

You should allow the internal e-mail server traffic in FastEthernet0/1 inbound.

You can append an additional line to extended ACL HTTP_ONLY.

The firewall will then dynamically add a line for the return traffic to extended ACL E_Mail_Server on FastEthernet0/0 inbound.

Note:

The newest firewall versions do ACL-bypass instead of adding a line to the ACLs.

Also:

- "ip inspect E_Mail_From_Outside in" is not necessary on FastEthernet0/0 inbound.

- "ip access-group E_Mail_Server in" is necessary only if you want to allow email traffic initiated from outside. If not, then an ACL with "deny ip any any log" is enough on FastEthernet0/0 inbound.

Cheers:

Istvan

566
Views
5
Helpful
1
Replies
CreatePlease to create content