Any Cisco access lists gurus out there?
Discussion
Need to add a range of authorised servers to an external interface to block spam into our smtp server. Tried doing it through SDM and, as usual, it came out with 58 lines of commands that do bugger all.
I need to add servers in the range XXX.XXX.240.0 with a subnet of 255.255.240.0 /20
The site is 120 miles away and if I get it wrong I've got a long, boring trip ahead of me so some confirmation would be appreciated. So I'm thinking this might do the trick:
access-list 102 permit XXX.XXX.240.0 0.0.15.255 <public IP address of smtp server>
access-list 102 deny any any
Firstly, the reload command has a timeout value.
So before starting anything, type
reload in 10
this will reload the router in 10 mins, so if you mess it up, put the kettle on and have a cup of tea, wait 10 mins and you're back where you started. Obviously don't save the config in the meantime!!
When you have finished making your changes do
reload cancel
Your access list looks about right. Here's one that allows SMTP only from 192.168.0.0 / 255.255.240.0 to 192.168.197.1 on port 25 only:
access-list 120 permit tcp 192.168.0.0 0.0.15.255 host 192.168.197.1 eq smtp
Matt
naetype said:
Need to add a range of authorised servers to an external interface to block spam into our smtp server. Tried doing it through SDM and, as usual, it came out with 58 lines of commands that do bugger all.
I need to add servers in the range XXX.XXX.240.0 with a subnet of 255.255.240.0 /20
The site is 120 miles away and if I get it wrong I've got a long, boring trip ahead of me so some confirmation would be appreciated. SO I'm thinking this might do the trick:
access-list 102 permit XXX.XXX.240.0 0.0.15.255 <public IP address of smtp server>
access-list 102 deny any any
Why would you run the risk of locking yourself out??
I'm assuming a Cisco PIX or ASA and not a router here..
You're applying a ruleset for the servers behind the firewall, not the firewall itself, so if you make a booboo, simply remove it again?
access-list listname permit ip xxx.xxx.xxx.xxx 255.255.255.0 host ip.ip.ip.ip
(assumes you want to allow a /24 range through, edit the netmask accordingly!)
Shouldn't need the explicit deny as it should be the default policy.
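A way to check the wildcard mask and the ACL's behaviour before typing it into a router 120 miles away, following Matt's `permit tcp ... eq smtp` line above and JamieBeeston's point that the implicit deny makes an explicit deny unnecessary. This is an added example, not code from the thread or from Cisco: a small Python model of IOS extended-ACL matching (top-down, first match wins, implicit deny at the end). Numbered ACLs 100-199 are extended and take a protocol keyword, so Matt's form is the one modelled. The management host 198.51.100.7 and the router's WAN address 192.168.197.254 are invented placeholders, and the sample ACL text is constructed from Matt's line.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Service names IOS accepts after "eq" (a subset, enough for the thread).
PORT_NAMES = {"smtp": 25, "ssh": 22, "telnet": 23, "www": 80}


def wildcard_from_prefix(prefix_len: int) -> str:
    """Cisco wildcard mask for a prefix length: the inverse of the subnet mask.
    /20 -> subnet mask 255.255.240.0 -> wildcard 0.0.15.255."""
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").hostmask)


def wildcard_from_mask(subnet_mask: str) -> str:
    """Same conversion starting from a dotted subnet mask such as 255.255.240.0."""
    m = int(ipaddress.IPv4Address(subnet_mask))
    return str(ipaddress.IPv4Address(m ^ 0xFFFFFFFF))


@dataclass
class AclEntry:
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches any protocol; otherwise "tcp"/"udp"
    src: str               # source address
    src_wild: str          # source wildcard (1 bits = don't care)
    dst: str
    dst_wild: str
    dport: Optional[int]   # destination port from "eq"; None = any port


def parse_acl_line(line: str) -> AclEntry:
    """Parse one numbered extended ACL line in the form used in the thread:
    access-list <n> <permit|deny> <proto> <src> <dst> [eq <port>]
    where <src>/<dst> is 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'."""
    tok = line.split()
    if tok[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    action, proto = tok[2], tok[3]
    i = 4

    def address():
        nonlocal i
        if tok[i] == "any":
            i += 1
            return "0.0.0.0", "255.255.255.255"
        if tok[i] == "host":
            i += 2
            return tok[i - 1], "0.0.0.0"
        i += 2
        return tok[i - 2], tok[i - 1]

    src, src_wild = address()
    dst, dst_wild = address()
    dport = None
    if i < len(tok) and tok[i] == "eq":
        p = tok[i + 1]
        dport = PORT_NAMES[p] if p in PORT_NAMES else int(p)
    return AclEntry(action, proto, src, src_wild, dst, dst_wild, dport)


def load_acl(text: str) -> List[AclEntry]:
    return [parse_acl_line(l) for l in text.splitlines() if l.strip()]


def _in_range(addr: str, base: str, wildcard: str) -> bool:
    """An address matches when every bit the wildcard marks as 0 equals the base."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def evaluate(acl: List[AclEntry], proto: str, src: str, dst: str, dport: int) -> str:
    """IOS semantics: walk top-down, the first matching entry decides, implicit deny at the end."""
    for e in acl:
        if e.proto != "ip" and e.proto != proto:
            continue
        if not _in_range(src, e.src, e.src_wild) or not _in_range(dst, e.dst, e.dst_wild):
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action
    return "deny"  # the implicit "deny ip any any" every IOS ACL ends with


# Constructed sample: Matt's line from the thread, applied on its own.
MATT_ACL = load_acl(
    "access-list 120 permit tcp 192.168.0.0 0.0.15.255 host 192.168.197.1 eq smtp"
)

# Hypothetical hardened variant: the same line plus one permit so the admin's SSH session
# (placeholder management host 198.51.100.7 to placeholder router WAN address 192.168.197.254)
# is not swallowed by the implicit deny.
HARDENED_ACL = load_acl("""
access-list 120 permit tcp 192.168.0.0 0.0.15.255 host 192.168.197.1 eq smtp
access-list 120 permit tcp host 198.51.100.7 host 192.168.197.254 eq ssh
""")

if __name__ == "__main__":
    print("/20 wildcard:", wildcard_from_prefix(20))
    admin = ("tcp", "198.51.100.7", "192.168.197.254", 22)  # admin SSH to the router
    print("Matt's ACL, admin SSH:", evaluate(MATT_ACL, *admin))
    print("hardened,   admin SSH:", evaluate(HARDENED_ACL, *admin))
```

The last case is the lock-out the thread is worried about: with only Matt's line applied inbound on the external interface (`ip access-group 120 in`), the implicit deny also drops the admin's own SSH session from outside, which is why setting `reload in 10` first is worth the trouble. The hardened variant adds one narrow permit for the management host so that session survives while everything else still falls through to the implicit deny.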
Thanks for your help guys.
JamieBeeston said:
Why would you run the risk of locking yourself out??
I'm assuming a Cisco PIX or ASA and not a router here..
You're applying a ruleset for the servers behind the firewall, not the firewall itself, so if you make a booboo, simply remove it again?
It's a router; if I feck up the firewall I may lose my remote config' access which then means.....