rules


ekke (MIS), Feb 27, 2002
Hi, I want to add some rules to prohibit e.g. POP, SMTP etc. from the inside to the outside.
Today I have an access rule for SMTP that forwards SMTP to our Exchange server; will a new rule like the one I want to create above interfere with the original one?

//:EkkE
 
It depends on the order of the ACEs. Post your ACLs and explain whether you want to block all SMTP and POP from all internal clients except for your mail server.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
This is what I've got today:

access-list outside_access_in extended permit tcp any host 213.115.*.* eq smtp
access-list outside_access_in extended permit tcp any host 213.115.*.* eq https

static (inside,outside) tcp interface smtp 192.168.1.23 smtp netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.8 https netmask 255.255.255.255

I would like to create an access list to prevent clients from using SMTP, POP3, etc.,
but I also need to be able to somehow add IPs / clients to a grant list.
 
What I would do is create a network object-group and add in the clients that you want to be able to access SMTP and POP3. If, down the road, you need to allow more hosts the ability to use SMTP or POP3 services, you'll simply add their addresses into the respective object-group. From there you would deny all other access, whether it's the implied deny any at the end or through an explicit deny statement. Once you start to filter access from inside to the outside you're going to need to either define all allowable traffic or else put a permit ip any any at the bottom; otherwise all other traffic will be denied.
Code:
object-group network OG_SMTP_SENDERS
  network-object host 192.168.1.23
  network-object host 192.168.1.24
  network-object ...

object-group network OG_POP3_SENDERS
  network-object host 192.168.1.23
  network-object ...

access-list inside_access_in extended permit tcp object-group OG_SMTP_SENDERS any eq smtp
access-list inside_access_in extended permit tcp object-group OG_POP3_SENDERS any eq pop3
access-list inside_access_in extended deny tcp any any eq smtp
access-list inside_access_in extended deny tcp any any eq pop3
access-list inside_access_in extended permit ip any any

access-group inside_access_in in interface inside

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
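The first-match behaviour the replies rely on (ACE order, object-group membership, the implicit deny, and why the closing permit ip any any is needed), as an added Python example that is not from the thread: it parses the posted inside_access_in lines and evaluates sample flows against them. The object-group members and the destination address are constructed; the evaluator models only the fields these ACEs use.

```python
"""First-match evaluation of the inside_access_in ACL posted above (added example)."""
import re
from collections import namedtuple

# Object-group members: the reply elides them, so these hosts are constructed.
OBJECT_GROUPS = {
    "OG_SMTP_SENDERS": {"192.168.1.23", "192.168.1.24"},
    "OG_POP3_SENDERS": {"192.168.1.23"},
}
PORTS = {"smtp": 25, "pop3": 110, "https": 443}

# The five ACEs from the reply, in the order they were posted.
INSIDE_ACL = """
access-list inside_access_in extended permit tcp object-group OG_SMTP_SENDERS any eq smtp
access-list inside_access_in extended permit tcp object-group OG_POP3_SENDERS any eq pop3
access-list inside_access_in extended deny tcp any any eq smtp
access-list inside_access_in extended deny tcp any any eq pop3
access-list inside_access_in extended permit ip any any
"""

ACE_RE = re.compile(
    r"access-list (\S+) extended (permit|deny) (tcp|udp|ip) "
    r"(object-group \S+|host \S+|any) (object-group \S+|host \S+|any)(?: eq (\S+))?$"
)
Ace = namedtuple("Ace", "action proto src dst port")  # port None = any port

def parse_acl(config, name):
    """Collect the ACEs of one named ACL; configured order is evaluation order."""
    aces = []
    for line in config.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if m and m.group(1) == name:
            port = PORTS[m.group(6)] if m.group(6) else None
            aces.append(Ace(m.group(2), m.group(3), m.group(4), m.group(5), port))
    return aces

def _matches(spec, ip):
    if spec == "any":
        return True
    kind, value = spec.split()
    return ip == value if kind == "host" else ip in OBJECT_GROUPS[value]

def evaluate(aces, src_ip, dst_ip, dst_port):
    """ASA semantics: the first matching ACE decides; no match is the implicit deny."""
    for ace in aces:
        if (_matches(ace.src, src_ip) and _matches(ace.dst, dst_ip)
                and (ace.proto == "ip" or ace.port in (None, dst_port))):
            return ace.action
    return "deny (implicit)"
```

Dropping the final permit ip any any line leaves every non-mail flow at the implicit deny, and moving the deny tcp any any eq smtp ACE above the object-group permit blocks the mail server as well, which is the ordering point raised in the first reply.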
 