[c-nsp] Static NAT and Email ACL/Firewall

Bruce Pinsky bep at whack.org
Wed Mar 16 15:38:33 EST 2005


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Melvin C. etheridge wrote:
| I have a second interface on my email server that I would like to enable
| with a private IP (192.168.1.2) and move my outgoing email server to that
| IP.
|
| I  would like to use static NAT to point the public IP that the server is on
| and then block all port 25 traffic except for local ip's.
|
| Now I think I have the static NAT config down, I'm just not sure how to set
| up the ACL.
|
| Any help would be appreciated.
|

I'm not sure if you are asking for an ACL to block outside traffic from
reaching the mailserver or if you are asking for an ACL for the NAT that
blocks translation for local addresses going to the inside address of the
email server.


You say "block all port 25 traffic".  Are you allowing other stuff?  The
ACL can be written a couple of different ways.  For example, "permit port
80, permit port 443, and deny everything else":

ip access-list extended foo
 permit tcp any host <mailserver ip> eq 80
 permit tcp any host <mailserver ip> eq 443
 remark everything else hits the implicit "deny ip any any" at the end

Here only the things you want are permitted and everything else is denied.
Conversely, perhaps you want to allow everything but block only port 25:

ip access-list extended bar
 remark the deny must come first; entries are checked top-down, first match wins
 deny tcp any host <mailserver ip> eq 25
 permit ip any host <mailserver ip>


Typically you need a much more comprehensive ACL to deal with all the
various things to be allowed/disallowed into your network.  I suggest that
you look at something like:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml

to get an idea of building such a filtering policy.

--
=========
bep

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (MingW32)

iD8DBQFCOJlJE1XcgMgrtyYRAvc5AJ9AccLpviwn8JPkmMfe15j1fQLKmQCfU1/i
M+nQw/mDOJxD0yjflTIk4q4=
=Pivt
-----END PGP SIGNATURE-----
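To make the first-match behaviour of the two ACLs in the reply concrete, here is an added example (not part of the post above, and not Cisco code): a small Python evaluator for the subset of IOS extended-ACL syntax used in the thread. The mail server address 203.0.113.25 and the source addresses are constructed; the ACL named `bar-misordered` is an assumed variant that shows what happens when the deny is placed after the broad permit.

```python
"""First-match evaluator for IOS-style extended ACL entries (constructed
illustration, not Cisco's implementation).  Supported entry shape:
    permit|deny (tcp|udp|ip) <src> <dst> [eq <port>]
where an address spec is 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
import ipaddress

MAILSERVER = "203.0.113.25"   # constructed public (inside global) address of the mail server

# The two ACLs from the reply, plus one constructed mis-ordered variant.
FOO = f"""ip access-list extended foo
 permit tcp any host {MAILSERVER} eq 80
 permit tcp any host {MAILSERVER} eq 443
"""
BAR = f"""ip access-list extended bar
 deny tcp any host {MAILSERVER} eq 25
 permit ip any host {MAILSERVER}
"""
BAR_MISORDERED = f"""ip access-list extended bar-misordered
 permit ip any host {MAILSERVER}
 deny tcp any host {MAILSERVER} eq 25
"""


def _parse_addr(tokens, i):
    """Consume one address spec at tokens[i]; return ((base, mask), next_index).
    mask has a 1-bit for every address bit that must match."""
    if tokens[i] == "any":
        return (0, 0), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0xFFFFFFFF), i + 2
    base = int(ipaddress.IPv4Address(tokens[i]))
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))   # IOS wildcard: 0 bits must match
    return (base, 0xFFFFFFFF ^ wildcard), i + 2


def parse_ace(line):
    """Parse one access-control entry; return None for headers, remarks and blanks."""
    tokens = line.split()
    if not tokens or tokens[0] in ("ip", "remark", "!"):
        return None
    action, proto = tokens[0], tokens[1]
    src, i = _parse_addr(tokens, 2)
    dst, i = _parse_addr(tokens, i)
    dport = int(tokens[i + 1]) if i < len(tokens) and tokens[i] == "eq" else None
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}


def _addr_matches(spec, addr):
    base, mask = spec
    return (int(ipaddress.IPv4Address(addr)) & mask) == (base & mask)


def evaluate(acl_text, proto, src, dst, dport):
    """Walk the ACL top-down; the first matching entry decides.  With no match,
    the IOS implicit 'deny ip any any' at the end of every ACL applies."""
    for line in acl_text.splitlines():
        ace = parse_ace(line)
        if ace is None:
            continue
        if ace["proto"] != "ip" and ace["proto"] != proto:   # 'ip' covers tcp and udp
            continue
        if not (_addr_matches(ace["src"], src) and _addr_matches(ace["dst"], dst)):
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"]
    return "deny"


def demo():
    """Exercise each ACL with a constructed outside source talking to the server."""
    outside = "198.51.100.7"   # constructed remote host
    return {
        "foo_http": evaluate(FOO, "tcp", outside, MAILSERVER, 80),                # permit
        "foo_smtp": evaluate(FOO, "tcp", outside, MAILSERVER, 25),                # implicit deny
        "bar_smtp": evaluate(BAR, "tcp", outside, MAILSERVER, 25),                # explicit deny
        "bar_https": evaluate(BAR, "tcp", outside, MAILSERVER, 443),              # permit ip
        "bar_dns_udp": evaluate(BAR, "udp", outside, MAILSERVER, 53),             # permit ip
        "bar_other_host": evaluate(BAR, "tcp", outside, "203.0.113.26", 80),      # implicit deny
        "misordered_smtp": evaluate(BAR_MISORDERED, "tcp", outside, MAILSERVER, 25),  # permit!
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16} {verdict}")
```

The `misordered_smtp` result is the point: once `permit ip any host <mailserver ip>` sits above the deny, the port 25 entry is never reached. One further caveat when the ACL is applied inbound on the outside interface of a router doing static NAT: IOS evaluates the inbound ACL before the outside-to-inside translation, so `<mailserver ip>` in that ACL has to be the public (inside global) address, not 192.168.1.2.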
