Allow POP3 access only

CatPlus

Technical User
Jan 30, 2003
236
Hello!

Here are the entries on my CISCO PIX to allow users within 192.168.111.201 through 192.168.111.254 to access their e-mails via Outlook on our POP3 account. All other internet browsing is denied to users within this NAT range (.201 to .254).

Is there not a way to group all those IP addresses so I do not have to add as many lines as Lines 4, 5, 6, 7 and 8 etc. below?

Thanks for your help!

Mickey

[Line 1] access-list in_e1 permit tcp any any eq smtp
[Line 2] access-list in_e1 permit tcp any any eq pop3
[Line 3] access-list in_e1 permit udp any any eq domain
[Line 4] access-list in_e1 deny ip host 192.168.111.201 any
[Line 5] access-list in_e1 deny ip host 192.168.111.202 any
[Line 6] access-list in_e1 deny ip host 192.168.111.203 any
[Line 7] access-list in_e1 deny ip host 192.168.111.204 any
[Line 8] access-list in_e1 deny ip host 192.168.111.205 any

 
Use a network-object in your configuration.
 
Hi Igarner

Thanks for your reply. I am new to CISCO and would very much appreciate it if you could give me some more details.

BTW, would changing below encap the entire range?

FROM:access-list in_e1 deny ip host 192.168.111.201 any
TO :access-list in_e1 deny ip host 192.168.111.2?? any

Thanks for your help!

Mickey


 

If you mean to literally put in question marks, no. You can use subnet ranges or host addresses:

.. deny ip 192.168.111.192 255.255.255.192... would be close in your case and would deny all hosts from 192.168.111.192 through 192.168.111.254, inclusive.

Object groups are probably a better way to go. You apply the ACL to a group of network-objects, protocols or icmp-types so you don't have to do each one individually. The definitions can mix subnets and hosts.

Your ACL would then be something like:
access-list in_e1 deny ip object-group restricted-hosts any

and then you'd define the restricted-hosts object group with the hosts from which you want to block all IP traffic.
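
Added example, not part of the original thread: a short Python script that works out which subnets and hosts exactly cover .201 through .254, lists the extra addresses the single 255.255.255.192 subnet above would also deny, and prints the matching restricted-hosts object group. The function names are made up for this illustration; the group name and ACL line are the ones quoted in the reply above.

```python
import ipaddress

FIRST = "192.168.111.201"   # start of the restricted range (from the thread)
LAST = "192.168.111.254"    # end of the restricted range (from the thread)

def exact_cover(first, last):
    """Return the smallest list of CIDR blocks covering exactly first..last."""
    return list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))

def overblocked(subnet, first, last):
    """Addresses inside `subnet` that fall outside first..last.
    These would be denied too if the single subnet were used in the ACL."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    return [str(a) for a in ipaddress.ip_network(subnet) if not lo <= a <= hi]

def object_group(name, blocks):
    """Render PIX object-group lines; PIX uses subnet masks, not wildcards."""
    lines = [f"object-group network {name}"]
    for b in blocks:
        if b.prefixlen == 32:
            lines.append(f"  network-object host {b.network_address}")
        else:
            lines.append(f"  network-object {b.network_address} {b.netmask}")
    return lines

if __name__ == "__main__":
    blocks = exact_cover(FIRST, LAST)
    print("\n".join(object_group("restricted-hosts", blocks)))
    print("access-list in_e1 deny ip object-group restricted-hosts any")
    extra = overblocked("192.168.111.192/26", FIRST, LAST)
    print(f"! a single /26 would also deny {len(extra)} addresses: "
          f"{extra[0]} .. {extra[-1]}")
```
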
 
Thanks indeed Igarner

Mickey
 