ACL configuration Problem on Router
  • ACL configuration Problem on Router

    I cannot get the ACL to work. I'm trying to create an ACL to block the 192.168.2.100 host on my LAN from accessing Hotmail. I want to prevent the user from sending and receiving email from hotmail.com.

    I'm not sure which command I need to enter to block 192.168.2.100 from accessing hotmail.com.

    I would like to do the same on my PIX 501 Firewall, but the documentation doesn't clearly explain how to configure an ACL to deny port services to certain hosts for the router and the PIX.

    Below is the configuration:


    studyrouter#sh runn
    Building configuration...

    Current configuration : 5074 bytes
    !
    ! Last configuration change at 09:43:56 MST Thu May 15 2008
    ! NVRAM config last updated at 09:31:34 MST Thu May 15 2008
    !
    version 12.3
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname studyrouter
    !
    boot-start-marker
    boot-end-marker
    !
    logging buffered 4096 debugging
    enable secret 5 $1$qPFa$Oj.SOSZq11B0V.ccD...p/
    enable password 7 1414130900012E2A332F
    !
    clock timezone MST -7
    aaa new-model
    !
    !
    aaa authentication login default group tacacs+ local enable
    aaa authentication login no_tacacs group tacacs+ enable local
    aaa authentication login admin_only group tacacs+ enable none
    aaa authentication ppp default local
    aaa authorization exec default group tacacs+ if-authenticated
    aaa accounting send stop-record authentication failure
    aaa accounting nested
    aaa accounting update newinfo
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting connection default start-stop group tacacs+
    aaa accounting system default start-stop group tacacs+
    aaa session-id common
    ip subnet-zero
    ip cef
    !
    !
    ip dhcp pool VLAN2
    network 192.168.2.0 255.255.255.0
    dns-server 68.105.28.12
    default-router 192.168.2.2
    !
    ip dhcp pool VLAN3
    network 192.168.3.0 255.255.255.0
    dns-server 68.105.28.12
    default-router 192.168.3.3
    !
    ip dhcp pool VLAN5
    network 192.168.5.0 255.255.255.0
    dns-server 68.105.28.12
    default-router 192.168.5.5
    !
    ip dhcp pool MYPOOL
    network 192.168.1.0 255.255.255.0
    dns-server 68.105.28.12
    default-router 192.168.1.1
    !
    ip audit po max-events 100
    vpdn enable
    vpdn ip udp ignore checksum
    !
    vpdn-group tsignal33
    ! Default PPTP VPDN group
    accept-dialin
    protocol pptp
    virtual-template 1
    !
    !
    username tsignal32 privilege 15 password 7 0508070D2D494A080E02
    !
    !
    interface FastEthernet0/0
    ip address 192.168.4.223 255.255.255.0
    ip access-group 101 in
    duplex auto
    speed auto
    !
    interface FastEthernet0/1
    ip address 192.168.1.1 255.255.255.0
    duplex auto
    speed auto
    !
    interface FastEthernet0/1.2
    encapsulation dot1Q 2
    ip address 192.168.2.2 255.255.255.0
    no snmp trap link-status
    !
    interface FastEthernet0/1.3
    encapsulation dot1Q 3
    ip address 192.168.3.3 255.255.255.0
    no snmp trap link-status
    !
    interface FastEthernet0/1.5
    encapsulation dot1Q 5
    ip address 192.168.5.5 255.255.255.0
    no snmp trap link-status
    !
    interface Virtual-Template1
    ip unnumbered FastEthernet0/1
    peer default ip address pool defaultpool
    ppp encrypt mppe auto required
    ppp authentication ms-chap ms-chap-v2
    !
    ip local pool defaultpool 192.168.2.20 192.168.2.55
    ip http server
    ip http secure-server
    ip classless
    ip route 0.0.0.0 0.0.0.0 192.168.4.222
    !
    !
    access-list 101 deny tcp any any eq smtp
    access-list 101 permit ip any any
    !
    tacacs-server host 192.168.1.2
    no tacacs-server directed-request
    tacacs-server key 7 03075A090A0A254D590E

    banner login ^Canner login
    !
    Access for authorized users Only. Please enter username and password.
    ^C
    !
    line con 0
    exec-timeout 15 0
    password 7 06050E23404B0D181210
    login authentication admin_only
    line aux 0
    line vty 0 4
    exec-timeout 15 0
    password 7 104D081B0912160A1B03
    login authentication no_tacacs
    transport input telnet
    !
    ntp clock-period 17180572
    ntp server 132.163.4.101
    !
    end

    studyrouter#

  • #2
    Re: ACL configuration Problem on Router

    Hi,

    What do you mean when you say "to prevent the user from sending, and receiving email from hotmail.com"?

    According to http://www.vista4beginners.com/Windo...s-Live-Hotmail the Windows Live Mail is the only email client that allows you to download and have offline access to your Hotmail's emails.
    It is web-based email.

    There is an extended access list 101 in your configuration. It is just blocking all inbound SMTP traffic on interface Fa0/0.

    So, the question is do you want to block 192.168.2.100 to use Windows Live Mail sending and receiving Hotmail's emails?
    Regards,
    Csaba Papp
    MCSA+messaging, MCSE, CCNA
    ...............................
    Remember to give credit where credit is due and leave reputation points where appropriate
    .................................



    • #3
      Re: ACL configuration Problem on Router

      A few points of clarification:

      1. Any web-based email does not use SMTP or POP3. It uses HTTP or HTTPS.

      2. If you are using an email client (such as Outlook, Outlook Express, Windows Mail, Thunderbird, etc.) to access Hotmail, Gmail, etc., you need to block SMTP (sending) and POP3 (receiving) in order to block access to email traffic.



      • #4
        Re: ACL configuration Problem on Router

        If you are using the Windows Live Mail client to access Hotmail email, you have to block the HTTP/HTTPS traffic to mail.services.live.com (207.46.8.254, 207.46.9.126, 207.46.9.254, 207.46.8.126). It can be achieved using the proper extended ACLs.
        Regards,
        Csaba Papp
        MCSA+messaging, MCSE, CCNA
        ...............................
        Remember to give credit where credit is due and leave reputation points where appropriate
        .................................


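The thread turns on how IOS extended ACLs actually match: first match wins, `any`/`host`/wildcard address forms, an optional `eq <port>`, and an implicit `deny ip any any` at the end. The following is an added example, not code from the thread or from Cisco: a small parser and evaluator for that line format, run against the poster's `access-list 101` and against a constructed list (numbered 102, an assumption) written the way reply #4 suggests, denying host 192.168.2.100 HTTP/HTTPS to the four mail.services.live.com addresses the reply lists. The sample flows are constructed; the port-name table only covers the names this thread needs.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Port keywords IOS accepts after "eq"; only the ones this thread uses (assumption: partial table).
PORT_NAMES = {"smtp": 25, "pop3": 110, "www": 80}


@dataclass
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]        # None means any destination port


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    # IOS wildcard masks are inverted netmasks: 0.0.0.255 covers a /24.
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    netmask = ipaddress.IPv4Address(wildcard ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network((tokens[i], str(netmask)), strict=False), i + 2


def parse_acl(lines: List[str]) -> List[Ace]:
    """Parse 'access-list <num> <permit|deny> <proto> <src> <dst> [eq <port>]' lines in order."""
    aces = []
    for line in lines:
        t = line.split()
        if len(t) < 5 or t[0] != "access-list":
            continue  # comments, blank lines, other config
        action, proto = t[2], t[3]
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        dport = None
        if i + 1 < len(t) and t[i] == "eq":
            name = t[i + 1]
            dport = PORT_NAMES[name] if name in PORT_NAMES else int(name)
        aces.append(Ace(action, proto, src, dst, dport))
    return aces


def evaluate(aces: List[Ace], proto: str, src: str, dst: str, dport: int) -> str:
    """First-match evaluation; unmatched traffic hits the implicit 'deny ip any any'."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for ace in aces:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"


# ACL 101 exactly as it appears in the posted running-config.
ACL_101 = parse_acl([
    "access-list 101 deny tcp any any eq smtp",
    "access-list 101 permit ip any any",
])

# Constructed list following reply #4: deny host 192.168.2.100 HTTP/HTTPS to the four
# mail.services.live.com addresses, permit everything else. List number 102 is an assumption.
LIVE_MAIL_HOSTS = ["207.46.8.254", "207.46.9.126", "207.46.9.254", "207.46.8.126"]
ACL_102 = parse_acl(
    [f"access-list 102 deny tcp host 192.168.2.100 host {h} eq {p}"
     for h in LIVE_MAIL_HOSTS for p in ("www", "443")]
    + ["access-list 102 permit ip any any"]
)


def demo() -> dict:
    """Constructed flows showing what each list does and does not catch."""
    return {
        # The poster's list lets the host's HTTPS to Live Mail straight through.
        "101_https_to_live": evaluate(ACL_101, "tcp", "192.168.2.100", "207.46.8.254", 443),
        # The list built per reply #4 denies it.
        "102_https_to_live": evaluate(ACL_102, "tcp", "192.168.2.100", "207.46.8.254", 443),
        # A different LAN host is unaffected by 102.
        "102_other_host": evaluate(ACL_102, "tcp", "192.168.2.101", "207.46.8.254", 443),
        # 101 does deny SMTP from anywhere, which is all it was written to do.
        "101_smtp": evaluate(ACL_101, "tcp", "192.168.2.100", "203.0.113.25", 25),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Two things the evaluator deliberately does not model are worth keeping in mind when applying this to the posted config. First, direction and interface: ACL 101 is applied `in` on Fa0/0 (192.168.4.223, the side the default route points out of), while 192.168.2.100 is on the 192.168.2.0/24 subnet of Fa0/1.2, so the host's outbound traffic never traverses ACL 101 in the inbound direction; a per-host restriction like the constructed list 102 would have to sit inbound on Fa0/1.2 (or outbound on Fa0/0). Second, filtering by the four addresses in reply #4 only holds while the service resolves to those addresses; a deny on fixed IPs for a web-hosted service is a point-in-time control, which is the caveat to check before relying on it.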