
How to only accept inbound email from 3 IPs/subnets

Status
Not open for further replies.

SnowPunk98 (Technical User, US), May 17, 2004
I need to set my Cisco 1601 to only accept inbound traffic on port 25 from 3 different IP addresses/subnets so that I am only accepting mail from our spam filter.

How would I do this on the ACL, would it be "access-list 101 permit <IP> any eq smtp"

I'm new to programming so any help would be appreciated
 
Yes, more or less. I'd use:

access-list 101 permit tcp <ip> <wildcard> any eq smtp
access-list 101 deny tcp any any eq smtp
access-list 101 permit ip any any

 
1. Allow smtp from the <ip> <wildcard> to any computer. You might need 3 lines like this.

For example:

"access-list 101 permit tcp 192.168.3.7 0.0.0.0 any eq smtp" allows smtp from one computer to any.
"access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq smtp" allows smtp from the 192.168.1.x network.

2. Deny all smtp. Without this, you might as well not have line 1, since the next line...

3. Allow all IP traffic. Cisco ACLs have an implicit "deny any any" at the end. Without this, nothing except smtp would get in. Maybe that's what you want, but usually not.

You can almost read the lines in reverse order to mean "allow all IP traffic, except for blocking all SMTP, except for SMTP from certain addresses."
 
Excellent, thank you, that's great! And the wildcard is just the subnet if any, correct? I would guess the subnet would only be needed if it is classless?
 
No, actually the wildcard used by IOS is the opposite of a subnet mask. 1's mean any match, 0 means exact match.

So, 255.255.255.0 becomes 0.0.0.255.

I'm actually not sure if the mask can be discarded for a classful address, but I'm pretty sure that it can't. You can substitute "host 192.168.1.5" for "192.168.1.5 0.0.0.0", though.
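The two replies above describe first-match evaluation of the three-line SMTP ACL and the subnet-mask-to-wildcard conversion. The following is an added example, not code from the thread: a small Python model of IOS extended-ACL matching that builds the ACL from a list of allowed sources, prints the IOS lines, and evaluates sample packets against it, including what happens if the deny line is placed before the permits. The ACL number 101, the three spam-filter prefixes and the test packets are constructed for illustration. One thing the thread leaves out: after the list is defined it still has to be bound to the inbound side of the WAN interface with "ip access-group 101 in", otherwise it filters nothing.

```python
"""
Added example (not from the Tek-Tips thread): a model of Cisco IOS
extended-ACL evaluation for the "permit SMTP from a few sources, deny other
SMTP, permit everything else" pattern. ACL number, source prefixes and the
sample packets below are constructed, not taken from a real network.
"""
import ipaddress
from typing import List, Optional, Tuple

SMTP = 25
PORT_NAMES = {25: "smtp"}  # IOS prints well-known ports by name
ANY_WILDCARD = "255.255.255.255"


def wildcard_from_cidr(cidr: str) -> Tuple[str, str]:
    """Return (network, wildcard) for a CIDR prefix.

    An IOS wildcard mask is the bitwise inverse of the subnet mask:
    a 0 bit must match exactly, a 1 bit matches anything.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    wildcard = int(net.netmask) ^ 0xFFFFFFFF
    return str(net.network_address), str(ipaddress.ip_address(wildcard))


class Ace:
    """One access-list entry: action, protocol, source+wildcard, dest port."""

    def __init__(self, action: str, proto: str, src: str, src_wild: str,
                 dport: Optional[int]):
        self.action, self.proto = action, proto
        self.src, self.src_wild, self.dport = src, src_wild, dport

    def matches(self, proto: str, src_ip: str, dport: int) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if self.dport is not None and self.dport != dport:
            return False
        # Wildcard test: only bits that are 0 in the wildcard are compared.
        keep = ~int(ipaddress.ip_address(self.src_wild)) & 0xFFFFFFFF
        src = int(ipaddress.ip_address(src_ip))
        base = int(ipaddress.ip_address(self.src))
        return (src & keep) == (base & keep)

    def ios(self, acl_num: int) -> str:
        """Render the entry the way it is typed into IOS."""
        if self.src_wild == ANY_WILDCARD:
            src = "any"
        elif self.src_wild == "0.0.0.0":
            src = f"host {self.src}"           # shorthand for x.x.x.x 0.0.0.0
        else:
            src = f"{self.src} {self.src_wild}"
        port = ""
        if self.dport is not None:
            port = f" eq {PORT_NAMES.get(self.dport, self.dport)}"
        return f"access-list {acl_num} {self.action} {self.proto} {src} any{port}"


def build_smtp_acl(allowed_sources: List[str]) -> List[Ace]:
    """Permit SMTP from each allowed source, deny all other SMTP, permit the rest."""
    acl = [Ace("permit", "tcp", *wildcard_from_cidr(c), SMTP) for c in allowed_sources]
    acl.append(Ace("deny", "tcp", "0.0.0.0", ANY_WILDCARD, SMTP))
    acl.append(Ace("permit", "ip", "0.0.0.0", ANY_WILDCARD, None))
    return acl


def evaluate(acl: List[Ace], proto: str, src_ip: str, dport: int) -> str:
    """First matching entry wins; the implicit deny applies if nothing matches."""
    for ace in acl:
        if ace.matches(proto, src_ip, dport):
            return ace.action
    return "deny"


def misordered(acl: List[Ace]) -> List[Ace]:
    """The same entries with the 'deny tcp any any eq smtp' line moved first."""
    deny = [a for a in acl if a.action == "deny"]
    return deny + [a for a in acl if a.action != "deny"]


# Constructed spam-filter sources: one host, one /24, one /28.
SPAM_FILTERS = ["192.168.3.7/32", "192.168.1.0/24", "10.20.30.0/28"]

if __name__ == "__main__":
    acl = build_smtp_acl(SPAM_FILTERS)
    for ace in acl:
        print(ace.ios(101))
    print("! then bind it inbound on the WAN interface:")
    print("interface Serial0\n ip access-group 101 in")
    for pkt in [("tcp", "192.168.1.200", 25), ("tcp", "192.168.2.5", 25),
                ("tcp", "192.168.2.5", 80), ("tcp", "10.20.30.17", 25)]:
        print(pkt, "->", evaluate(acl, *pkt), "| deny-first:",
              evaluate(misordered(acl), *pkt))
```

The misordered() variant shows the point made in step 2 of the reply: with the deny line first, SMTP from the spam filter itself is dropped, because IOS stops at the first matching entry. Note also that this filter only checks the source address of the packet; it is a good fit for SMTP because a forged source cannot complete the TCP handshake, but it is no substitute for authentication between the spam filter and the mail server.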
 
Cool, I think that answers my question completely.

BTW how did you learn all this? I really want to learn and become a network engineer of sorts. I am currently a network analyst but don't work on routers hardly at all.

Any suggestions on getting more experience and my CCNA?
 
Experience is exactly that. There are online lab simulators out there (I think boson.com has one) that you can subscribe to. I haven't, but that might be a way. There are also CCNA classes and "boot camps". Unless you're already pretty familiar with the routers and IOS, I'd definitely avoid the bootcamps, though.

I used the Sybex CCNA guide a few years ago and found it to be very good. Cisco Press also publishes a guide. Although it's Cisco-specific, the CCNA covers a lot of general networking and would be a good course of study for you.
 
I took a class in college where we got to work a good amount with Cisco routers but we didn't get to do real stuff. I think my best bet would be to find a Network Engineer I job where I could get the experience.

I had that Sybex book as well which was really good, I shouldn't have sold it.
 