
Not getting an ACL to work properly


tamray (IS-IT--Management, US), Feb 8, 2005
I am trying to set up an ACL that only allows SMTP connections from relay servers on my WAN to a mail server on F0/0 of a LAN. I have tried a number of different access-lists, but am not getting it right. At this point the ACL should only restrict SMTP traffic, and allow everything else through.

Anyone have an example ACL to accomplish this?

Raymond

 
Do you want to restrict or allow smtp thru? You have said 2 different things...
If you want to allow ONLY smtp...let's say that you have 3 relay servers on the same subnet, 192.168.1.0/24, and the ip address of the mail server is 192.168.75.75/24...
router(config)#access-list 121 permit tcp 192.168.1.0 0.0.0.255 host 192.168.75.75 eq smtp
then say int s0/0 is the interface facing the WAN...
router(config)#int s0/0
router(config-if)#ip access-group 121 in
Now, to DENY ONLY smtp...
router(config)#access-list 121 deny tcp 192.168.1.0 0.0.0.255 host 192.168.75.75 eq smtp
router(config)#access-list 121 permit ip any any
router(config)#int s0/0
router(config-if)#ip access-group 121 in

Is this what you mean?

Burt
 
Sorry for being vague. The whole story is, I manage a WAN and scan email for 18 domains (inside the WAN). One in particular does not have a firewall on their local LAN. We have an MX record set up, so we get their mail, scan it, and pass it on to their mail server. Just in case we go down, we made us a 5 and them a 10. What we have found is some spammers bypass the MX record and hit the IP of their mail server directly. My access-list needs to be set up so that only mail from my local LAN can send mail to their mail server, but all other traffic is allowed through, unfiltered. Their LAN and mail server are on F0/0, and F0/1 is connected to our WAN.
 
Well, your private IP may have a match with a spammer, so filtering so that only the source PUBLIC IP address from your end gets thru sounds like what you want. This acl really should be configured on THEIR router, inbound on their interface that is facing yours. This would be the first example I gave. Is this a T1 circuit, or are they all splitting a frame-relay cost? Are you the ISP, or are you just intercepting mails for them to scan them? If you are, that's a pretty good idea.:)
The thing I don't understand is why the heck they don't have a firewall! They have an email server, meaning there is some sensitive data (I would think) that passes over the internet! But, you must only fill your obligation by filtering email...is that right? I ask because there may be a few different solutions, mainly the fact that since the acl should be put on their router, and if it's a Cisco, why not configure some firewall inspect rules and logging?

Burt
 
I didn't think my whole topology would come into play here, but, yes, there is a firewall at the head end of our WAN. Most domains place a second firewall on their LAN to tighten things down further. The ACL I have been asking about is intended for their router. The WAN is a 100Mb Ethernet, with F0/1 of each router connected to the WAN, and F0/0 connected to their LAN. Each domain has their own set of public IPs and their own servers. My intention is to apply the proper ACL to F0/1.


 
Okay, but are fa0/0 and fa0/1 both public IPs, like fa0/1 is public, going to fa0/0 of their router, also a public, and gets NATted through to the other side of their router, which is their LAN? Or, do you take on the public IPs from an ISP, and provide internet service to the customer also, and fa0/1 is on your router, going to fa0/0 of their router, both private IPs? Are these all Cisco routers? Private IP to private IP in the second scenario is in danger of a TCP replay attack, not to mention a man-in-the-middle attack. The SPAM part is easy...on their router...
customer_router(config)#access-list 121 permit tcp (your relay server ip range goes here, and the wildcard mask) host (the ip address of their mail server goes here, no mask) eq smtp

Burt
 
Hey, I didn't notice it was Burt's Bees replying to my posts:) I had never heard of them till this last summer when I was shopping with my wife in Redwing Minnesota. Some real good looking guys on the labels and signage:)

I digress....

Anyway, getting back to my reply.

Our ISP has assigned a pool of public IPs; we have in turn assigned portions of Class Cs to each domain (K-12 schools). All routers are Ciscos, and all F0/1 IPs (connected to the WAN) are private. All F0/0 ports on the routers have public IPs. This particular school NATs all traffic via PAT. We have created a static public-to-private NAT for their mail and web server. With that being said, does the last example you gave filter SMTP traffic so only my relay servers can communicate with their mail server, AND allow all other traffic to pass through? If so, I was making it much too complicated, since I had a statement for every port that I thought might be utilized on their server.


 
Well, you need the acl to filter, sourcing only your relay server IPs, to only the host IP address of the mail server. Then, you need a second entry permitting the rest of tcp traffic, due to the implicit deny statement at the end. Then put the acl inbound on their interface that is facing your interface.
school_router(config)#access-list 121 permit tcp (source and wildcard mask) host (ip address only, of the mail server) eq smtp
school_router(config)#access-list 121 deny tcp any host (ip address only, of the mail server) eq smtp
school_router(config)#access-list 121 permit ip any any
school_router(config)#int fa0/0 (or whatever is the outside interface pointing toward your WAN)
school_router(config-if)#ip access-group 121 in
My wife buys the Burt's Bees stuff all the time, and I'm not very original with names, I saw a can of Burt's Bees salve on my desk...VOILA! My handle...I too digress...lol

Burt
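The ACL above is worth checking against the packets it is supposed to stop before it goes on the school router: a relay-only permit followed by a catch-all "permit tcp any any" still matches SMTP from any source, so nothing is actually blocked, and a catch-all that only names tcp leaves UDP (DNS) and ICMP to the implicit deny. The following is an added example, not code from the thread: a small first-match evaluator for the numbered IOS ACL syntax used in the posts, run over the ACL as originally posted and over a corrected version with an explicit deny and "permit ip any any". The addresses are constructed documentation ranges (relays 203.0.113.0/24, mail server 198.51.100.25, spammer 192.0.2.7), and the mail server address assumed is the one the WAN-facing interface sees before NAT, which for an inbound ACL on the outside interface is the static-NAT (outside) address.

```python
# Added example (not from the thread): a tiny first-match evaluator for the
# numbered-ACL syntax used in the posts above, to check what the ACL really does
# before applying it inbound on the WAN-facing interface.
# Addresses are constructed (RFC 5737 documentation ranges), not the poster's:
#   203.0.113.0/24  = the scanning relay servers (the only allowed SMTP source)
#   198.51.100.25   = the school's mail server as seen on the WAN-facing interface
#   192.0.2.7       = a spammer hitting the mail server directly
import ipaddress

WELL_KNOWN_PORTS = {"smtp": 25, "domain": 53, "www": 80}

# The ACL as first posted in the thread: the catch-all "permit tcp any any"
# also matches SMTP from any source, so the first line never blocks anything.
POSTED_ACL = """
access-list 121 permit tcp 203.0.113.0 0.0.0.255 host 198.51.100.25 eq smtp
access-list 121 permit tcp any any
"""

# Corrected ACL: an explicit deny for SMTP to the mail server after the relay
# permit, and "permit ip any any" so UDP (DNS) and ICMP are not caught by the
# implicit deny at the end of every IOS ACL.
FIXED_ACL = """
access-list 121 permit tcp 203.0.113.0 0.0.0.255 host 198.51.100.25 eq smtp
access-list 121 deny   tcp any host 198.51.100.25 eq smtp
access-list 121 permit ip any any
"""


def _addr_spec(tokens):
    """Consume one IOS address spec: 'any' | 'host A.B.C.D' | 'A.B.C.D wildcard'.
    Returns (network_int, wildcard_int); wildcard bits set to 1 are don't-care."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(tok)), int(ipaddress.IPv4Address(tokens.pop(0)))


def parse_acl(text):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT]' lines in order."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "access-list":
            continue  # blank line or '!' comment
        action, proto, rest = tokens[2], tokens[3], tokens[4:]
        src = _addr_spec(rest)
        dst = _addr_spec(rest)
        port = None
        if rest[:1] == ["eq"]:
            port = WELL_KNOWN_PORTS.get(rest[1]) or int(rest[1])
        entries.append((action, proto, src, dst, port))
    return entries


def _matches(addr, spec):
    net, wildcard = spec
    return ((addr ^ net) & (~wildcard & 0xFFFFFFFF)) == 0


def evaluate(entries, proto, src_ip, dst_ip, dst_port=None):
    """First matching entry wins; no match falls through to the implicit deny."""
    src = int(ipaddress.IPv4Address(src_ip))
    dst = int(ipaddress.IPv4Address(dst_ip))
    for action, p, s, d, port in entries:
        if p != "ip" and p != proto:
            continue
        if not _matches(src, s) or not _matches(dst, d):
            continue
        if port is not None and port != dst_port:
            continue
        return action
    return "deny"


# Constructed packets a practitioner would test: (label, proto, src, dst, dport)
CASES = [
    ("relay smtp",   "tcp",  "203.0.113.10", "198.51.100.25", 25),
    ("spammer smtp", "tcp",  "192.0.2.7",    "198.51.100.25", 25),
    ("spammer www",  "tcp",  "192.0.2.7",    "198.51.100.25", 80),
    ("dns reply",    "udp",  "192.0.2.53",   "198.51.100.25", 53),
    ("ping",         "icmp", "192.0.2.7",    "198.51.100.25", None),
]


def verdicts(acl_text):
    """Map each test-case label to permit/deny under the given ACL."""
    entries = parse_acl(acl_text)
    return {label: evaluate(entries, proto, s, d, dp) for label, proto, s, d, dp in CASES}


if __name__ == "__main__":
    for name, acl in (("posted", POSTED_ACL), ("fixed", FIXED_ACL)):
        print(name, verdicts(acl))
```

Running it shows "spammer smtp" permitted and "dns reply" and "ping" denied under the posted list, and the reverse under the corrected one, while relay SMTP and web traffic pass in both. On the real router, "show access-lists 121" gives per-entry hit counts, so a spammer's connection attempts should land on the deny line and nothing should be accumulating on the final permit that was not expected there.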
 
Thanks. I will apply this and get back to you.

Awh, shucks, here I thought I was talking to thee Burt, of Burt's Bees:) Not really, he walked away from the company and bought about a million acres of land somewhere, and lives as a hermit. I get the biggest kick out of their label and posters:)
 