1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Access Control List to Allow Email

Discussion in 'Routing & Switching' started by zimbo, Jan 1, 2009.

  1. zimbo
    Honorary Member

    zimbo Petabyte Poster

    5,215
    98
    181
    Happy New Year to all!!

    Working on ACL on Cisco routers, was wondering if anyone has any good links to info? always seem to find just the basic stuff - want to learn more!! Anyway my problem is as follows - 2 subnets - A and B , email server in A and users B, and need to create an ACL to allow users in B to only send email to the server and no other traffic. So quick brainstorm and would it be an ACL allowing IMAP, POP3 and SMTP and denying everything else? Or would i need to allow other forms of communication as well associated with email (of which im not sure that they are!) Any help please?

    zimbo 8)
     
    Certifications: B.Sc, MCDST & MCSA
    WIP: M.Sc - Computer Forensics
  2. hbroomhall

    hbroomhall Petabyte Poster Gold Member

    6,623
    115
    224
    For *sending* email you normally only use SMTP.

    You may also need filters on the MTA (i.e. exchange if in Microsoft land).

    Harry.
     
    Certifications: ECDL A+ Network+ i-Net+
    WIP: Server+
  3. The_Geek

    The_Geek Megabyte Poster

    772
    13
    64
    Been a while since I set up any Cisco devices, so I looked through a bunch of notes I had taken over the years and I believe you're going to need to add something along the lines of this:

    access-list 150 permit udp host xx.xx.xx.xx range 16384 32767 any
    access-list 150 permit udp host xx.xx.xx.xx any range 16384 32767
    access-list 151 permit udp host xx.xx.xx.xx eq 5060 any
    access-list 151 permit udp host xx.xx.xx.xx any eq 5060
    access-list 152 permit tcp any eq telnet xx.xx.xx.xx 0.0.0.255
    access-list 152 permit tcp any xx.xx.xx.xx 0.0.0.255 eq telnet

    or

    access-list 150 deny udp host xx.xx.xx.xx range 16384 32767 any
    access-list 150 deny udp host xx.xx.xx.xx any range 16384 32767
    access-list 151 deny udp host xx.xx.xx.xx eq 5060 any
    access-list 151 deny udp host xx.xx.xx.xx any eq 5060
    access-list 152 deny tcp any eq telnet xx.xx.xx.xx 0.0.0.255
    access-list 152 deny tcp any xx.xx.xx.xx 0.0.0.255 eq telnet

    depending on what you want to allow or deny.
     
    Certifications: CompTIA and Micro$oft
    WIP: PDI+
  4. zimbo
    Honorary Member

    zimbo Petabyte Poster

    5,215
    98
    181
    Email server can send any traffic on its side, its the client side that has to have ACL implemented so judging from what you just said:

    We need to allow Telnet through destined for the email server and we need to allow replies back from the email server correct?

    Second you have mentioned port 5060 - that is IMAP right? @ Harry - so SMTP must be allowed through client-side?

    I been doing my research as well would it be correct if the protocols involved were Telnet, IMAP or POP3 and SMTP?
     
    Certifications: B.Sc, MCDST & MCSA
    WIP: M.Sc - Computer Forensics
  5. craigie

    craigie Terabyte Poster

    3,020
    173
    155
    I believe that best practice is only to open the ports you require.

    Normally, most people communitcate via SMTP which is Port 25, Telnet I think is Port 23.

    What client are your users using? is it Outlook? in Subnet B and the Email Server is it Exchange 2003? in Subnet A. If this is the case then you will most likely need to deploy RPC over HTTP for access there is a guide here by MS.

    Hope that helps, and anymore information you can provide about the physical layout e.g. is the Server in the DMZ, what is the email server, what are the clients using?
     
    Certifications: CCA | CCENT | CCNA | CCNA:S | HP APC | HP ASE | ITILv3 | MCP | MCDST | MCITP: EA | MCTS:Vista | MCTS:Exch '07 | MCSA 2003 | MCSA:M 2003 | MCSA 2008 | MCSE | VCP5-DT | VCP4-DCV | VCP5-DCV | VCAP5-DCA | VCAP5-DCD | VMTSP | VTSP 4 | VTSP 5
  6. zimbo
    Honorary Member

    zimbo Petabyte Poster

    5,215
    98
    181
    :oops: craigie thanks for the info mate. One thing i didnt mention is this isnt a real world scenario - its from an academic point of view. I need to write the ACL to allow users to access email in another subnet and thats that. There are two parts to this - one being DNS which i have worked out ( took me since sept to read up on ACLs - but hell i have learnt alot!) I dont want the actual ACL i just want to know which services/proctols email would require - so far im guessing i would only require port 25 and 23 open - would this allow users to retrieve email - without knowing whatever other services are running on the email server?

    Thanks for the help so far! 8)

    Edit here is the DNS ACL i have in place - which works!

    Code:
    Router#show access-lists 
    Extended IP access list 101
        permit icmp any host 192.168.20.10 echo
        permit icmp any host 192.168.20.10 port-unreachable
        permit udp any host 192.168.20.10 eq domain
        permit udp any eq domain host 192.168.20.10 gt 32767
        permit icmp any 192.168.20.0 0.0.0.255 echo-reply
        permit icmp any 192.168.20.0 0.0.0.255 port-unreachable
        deny ip any any
     
    Certifications: B.Sc, MCDST & MCSA
    WIP: M.Sc - Computer Forensics
  7. craigie

    craigie Terabyte Poster

    3,020
    173
    155
    Yes it would, but it depends on how 'your' clients would access 'their' email. The most common ones as you have already mentioned are:

    Port 23 - Telnet
    Port 25 - SMTP

    Then followed by:

    Port 110 - POP3
    Port 143 - IMAP4

    Then followed by:

    Port 102 - MTA .X400
    Port 443 - HTTP SSL
    Port 993 - IMAP SSL
    Port 995 - POP3 SSL

    Personally, I would say Port 23 and 25 would suffice.
     
    Certifications: CCA | CCENT | CCNA | CCNA:S | HP APC | HP ASE | ITILv3 | MCP | MCDST | MCITP: EA | MCTS:Vista | MCTS:Exch '07 | MCSA 2003 | MCSA:M 2003 | MCSA 2008 | MCSE | VCP5-DT | VCP4-DCV | VCP5-DCV | VCAP5-DCA | VCAP5-DCD | VMTSP | VTSP 4 | VTSP 5
  8. zimbo
    Honorary Member

    zimbo Petabyte Poster

    5,215
    98
    181
    When you mean how the client access their email are you talking about which protocols are in place and what security mechanisms they are using?
     
    Certifications: B.Sc, MCDST & MCSA
    WIP: M.Sc - Computer Forensics
  9. craigie

    craigie Terabyte Poster

    3,020
    173
    155
    Hehe, all I mean if they are using POP3 then only open Port 110, if they are using SMTP only open Port 25 etc etc.

    Looks like you have figured it all out, well done that man!
     
    Certifications: CCA | CCENT | CCNA | CCNA:S | HP APC | HP ASE | ITILv3 | MCP | MCDST | MCITP: EA | MCTS:Vista | MCTS:Exch '07 | MCSA 2003 | MCSA:M 2003 | MCSA 2008 | MCSE | VCP5-DT | VCP4-DCV | VCP5-DCV | VCAP5-DCA | VCAP5-DCD | VMTSP | VTSP 4 | VTSP 5
  10. zimbo
    Honorary Member

    zimbo Petabyte Poster

    5,215
    98
    181
    Would hope so!! Havent spent the last 3 yrs doing my degree least i can do is configure a simple ACL. Mind you have the class still cant tell you what a router looks like and what a switch looks like LMAO. Thanks for the help mate!! :biggrin
     
    Certifications: B.Sc, MCDST & MCSA
    WIP: M.Sc - Computer Forensics

Share This Page

Loading...