Q

Allow e-mail but limit browsing

I have two offices connected by a leased line. In the head office I have a satellite link to the ISP. I'm using a Cisco 2620 router with three Ethernet ports and one Serial port. The satellite link is connected to one of the available Ethernet ports, two different networks are connected to the two remaining Ethernet ports, and the serial port is connected to another router over a 64 kbps leased line. In total, I have five different networks, one of them a class A.

My aim is to allow users on all networks to access the Internet except the users on the Class A network; for Class A network users I want to allow only e-mail access, i.e., POP3 and SMTP should cross and no browsing. Please help me prepare the access-list and NAT commands.
Thank you.
As far as an access list for permitting email and nothing else, that's pretty easy; you'll want something like this:

access-list 100 remark mail only: POP3 and SMTP
access-list 100 permit tcp any any eq pop3
access-list 100 permit tcp any any eq smtp
access-list 100 remark ICMP must pass or PMTUD breaks (see below)
access-list 100 permit icmp any any
access-list 100 deny ip any any

Note that this access list allows ICMP though. This is a critical and often overlooked rule. If you don't allow ICMP, you will break Path MTU Discovery (PMTUD) which will break TCP sessions as well as other things that use large packets. If you want you can refine this to block ping and some other ICMP messages, but whatever you do, make sure you don't block ICMP Can't Fragment messages.

As far as NAT'ing commands, Cisco's NAT functionality can be quite complex depending on exactly what your needs are. Before starting you should take a look at this Cisco bulletin:

http://www.cisco.com/warp/public/cc/pd/iosw/ioft/ionetn/prodlit/1195_pp.htm

Then work on building your configuration from there once you understand the concepts. It would be impossible to write a configuration for you without knowing a lot more about your network.
(Answered by Brandon Ross, VP of Operations, Sockeye Networks.)
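A fuller version of the idea above, written as an added example rather than taken from the original answer: the mail-only list is applied inbound on the Class A LAN interface, and the ICMP rule is refined the way the answer suggests (drop outbound ping, keep the messages PMTUD and TCP rely on). The interface name, the 10.0.0.0/8 prefix for the Class A LAN and ACL number 101 are assumptions.

```cisco
! Added example, not from the original answer. Assumed: the Class A LAN is
! 10.0.0.0/8 on Ethernet1/0; ACL 101 is a free extended-ACL number.
!
! Applied "in" on the LAN interface, this list filters only what the LAN
! hosts send towards the router. Replies from the Internet (mail server
! responses, ICMP fragmentation-needed) enter on the outside interface,
! which carries no ACL here, so PMTUD keeps working for these hosts.
access-list 101 remark --- Class A LAN: mail only ---
access-list 101 permit tcp 10.0.0.0 0.255.255.255 any eq smtp
access-list 101 permit tcp 10.0.0.0 0.255.255.255 any eq pop3
!
! If the mail server is reached by name and the DNS resolver sits outside
! this LAN, DNS must be permitted as well (assumption; uncomment if so):
! access-list 101 permit udp 10.0.0.0 0.255.255.255 any eq domain
!
access-list 101 remark --- ICMP: keep error reporting, no outbound ping ---
access-list 101 permit icmp 10.0.0.0 0.255.255.255 any packet-too-big
access-list 101 permit icmp 10.0.0.0 0.255.255.255 any unreachable
access-list 101 permit icmp 10.0.0.0 0.255.255.255 any time-exceeded
access-list 101 deny   icmp 10.0.0.0 0.255.255.255 any echo
!
access-list 101 remark --- everything else (HTTP, HTTPS, ...) dropped ---
access-list 101 deny   ip any any log
!
interface Ethernet1/0
 description Class A LAN (assumed interface name)
 ip address 10.0.0.1 255.0.0.0
 ip access-group 101 in
```

The `log` keyword on the final deny makes blocked browsing attempts visible in the router log, which is the quickest way to confirm the list is doing what was intended; do not pair this with a blanket `deny icmp` on the outside interface, or the fragmentation-needed messages the answer warns about will be dropped on the way back in.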

This was first published in August 2002
