I have two offices connected by a leased line. In the head office I have satellite link to ISP. I'm using Cisco 2620 router with three Ethernet and one Serial port. Satellite link is connected to one of the available Ethernet port two different networks are connected to two remaining Ethernet ports and serial port is connected to another router with 64 kbps leased line. In total, I have five different networks with one class A.
My aim is to allow all networks users to access internet except the users on Class A network and for Class A network users I want to allow only e-mail access i.e., pop3 and SMTP should cross and no browsing. Please need your to prepare access-list and nating command.
As far as an access list for permitting email and nothing else, that's pretty easy, you'll want something like this:
Access-list 100 permit tcp any any eq pop3 Access-list 100 permit tcp any any eq smtp Access-list 100 permit icmp any any Access-list 100 deny ip any any
Note that this access list allows ICMP though. This is a critical and often overlooked rule. If you don't allow ICMP, you will break Path MTU Discovery (PMTUD) which will break TCP sessions as well as other things that use large packets. If you want you can refine this to block ping and some other ICMP messages, but whatever you do, make sure you don't block ICMP Can't Fragment messages.
As far as NAT'ing commands, Cisco's NAT functionality can be quite complex depending on exactly what your needs are. Before starting you should take a look at this Cisco bulletin:
Then work on building your configuration from there once you understand the concepts. It would be impossible to write a configuration for you without knowing a lot more about your network.
(Answered by Brandon Ross, VP of Operations, Sockeye Networks.)
Dig deeper on Network Security Best Practices and Products
Related Q&A from Retired Expert - Mark _Dargin1
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.