outside source deny all but few ports

Status
Not open for further replies.

lebisol

IS-IT--Management
Jan 3, 2003
3,325
US
Hello everyone.
I need a little help with ACLs... not a Cisco guru, so don't laugh at my request. :)
So far I have NATted out the paths I need; I am just looking to lock down all the 'unused ports', including pings and echoes and any response other than the 2 ports used.
Code:
...
ip nat inside source static tcp 192.168.1.15 443 my.wan.ip.here 443 extendable
ip nat inside source static tcp 192.168.1.15 25 my.wan.ip.here 25 extendable
ip nat outside source static 192.168.1.15 my.wan.ip.here extendable
...
I am using 'outside source' since the WAN IP is one of my secondary IPs and I want the server to reflect it vs. the default gateway.
Looking to lock down everything and allow ONLY SSL and SMTP as you can tell.
Many thanks for your time!

:--------------------------------------:
All around in my home town,
They tryin' to track me down...
 
You are correct, mail servers use a random high port to send mail and receive mail on port 25. However, that ACL does not block any outbound traffic.
 
Yeah, rather strange... as you can tell, losing sleep over it.
The ACL is set to be IN, but for some reason the moment it is applied the SMTP queue gets crammed. I clear the ACL and we're back in action.
Seems like rather than using
"access-list 101 deny ip any host xxx.xxx.xxx.200"
it would be better to just manually block port ranges... not sure any more, I have no hair left. :)
Thanks guys!

:--------------------------------------:
All around in my home town,
They tryin' to track me down...
 
It's right above:
Code:
interface FastEthernet0/0
 description LAN Interface
 ip address 192.168.1.2 255.255.255.0
---
interface FastEthernet0/1
 description WAN Interface
 ip address xxx.xxx.xxx.195 255.255.255.240 secondary
 ip address xxx.xxx.xxx.196 255.255.255.240 secondary
 ip address xxx.xxx.xxx.197 255.255.255.240 secondary
 ip address xxx.xxx.xxx.198 255.255.255.240 secondary
 ip address xxx.xxx.xxx.194 255.255.255.240
---
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.193
---
ip nat inside source list 100 interface FastEthernet0/1 overload
ip nat inside source static 192.168.1.15 xxx.xxx.xxx.200 extendable
---
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit tcp any host xxx.xxx.xxx.200 eq 443
access-list 101 permit tcp any host xxx.xxx.xxx.200 eq smtp
access-list 101 deny   ip any host xxx.xxx.xxx.200
access-list 101 permit ip any any

applied on FE0/1
Thanks!

:--------------------------------------:
All around in my home town,
They tryin' to track me down...
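As an added illustration (not code from this thread or from Cisco): a small Python model of first-match evaluation for the access-list 101 posted above, run against constructed packets arriving on the WAN interface. It shows that replies to the mail server's own outbound SMTP connections (remote port 25 to a high port on the server) hit the "deny ip any host" line, and that a "tcp ... established" entry placed before that deny lets those replies back in while unsolicited connections to other ports stay blocked. The 203.0.113.200 address, the remote addresses and the ports are placeholders.

```python
# Added example (not from the thread): first-match evaluator for the posted
# extended ACL. 203.0.113.200 stands in for xxx.xxx.xxx.200; remote
# addresses and ports are constructed sample values.

SERVER = "203.0.113.200"

# Entry: (action, protocol, destination host or "any", destination port, established)
ACL_POSTED = [
    ("permit", "tcp", SERVER, 443, False),
    ("permit", "tcp", SERVER, 25, False),   # "eq smtp"
    ("deny", "ip", SERVER, None, False),
    ("permit", "ip", "any", None, False),
]

# Same ACL with an "established" entry ahead of the deny. IOS matches
# "established" on TCP segments with ACK or RST set, i.e. replies to
# sessions the server itself opened; a fresh SYN never matches it.
ACL_WITH_ESTABLISHED = ACL_POSTED[:2] + [("permit", "tcp", SERVER, None, True)] + ACL_POSTED[2:]

def evaluate(acl, pkt):
    """Action of the first matching entry; an IOS ACL ends with an implicit deny."""
    for action, proto, dst, dport, established in acl:
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if dst != "any" and dst != pkt["dst"]:
            continue
        if dport is not None and dport != pkt["dport"]:
            continue
        if established and not (pkt["ack"] or pkt["rst"]):
            continue
        return action
    return "deny"

def tcp(src, sport, dst, dport, ack=False, rst=False):
    return {"proto": "tcp", "src": src, "sport": sport, "dst": dst, "dport": dport, "ack": ack, "rst": rst}

# Packets as seen inbound on the WAN interface: the "in" ACL is checked before
# the static NAT untranslation, so it sees the server's public address.
PACKETS = {
    "inbound https": tcp("198.51.100.7", 51234, SERVER, 443),                 # client SYN
    "inbound smtp": tcp("198.51.100.7", 51235, SERVER, 25),                   # remote MTA SYN
    "reply to outbound smtp": tcp("198.51.100.9", 25, SERVER, 40001, ack=True),  # SYN/ACK for mail the server is sending
    "inbound ssh probe": tcp("198.51.100.9", 44000, SERVER, 22),              # unsolicited SYN, should stay blocked
}

def verdicts(acl):
    return {name: evaluate(acl, pkt) for name, pkt in PACKETS.items()}

if __name__ == "__main__":
    for name in PACKETS:
        print(f"{name:24} posted: {verdicts(ACL_POSTED)[name]:6}  with established: {verdicts(ACL_WITH_ESTABLISHED)[name]}")
```

A plain "established" entry only inspects TCP flags, so it is a coarse filter; reflexive ACLs or CBAC track real sessions if the IOS image supports them.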
 