I think you could just add a section to the URL that you referenced.
An extended access-list can have a source port immediately following the
source IP/mask entries. It is just not commonly used.
access-list ### [permit/deny] [protocol] [source-address] [source-port] [destination-address] [destination-port] [options]

or something like

access-list 101 permit tcp any eq smtp host [your.smtp.svr.ip] gt 1023

I think this would allow tcp packets from any source IP originating
from port 25 that are destined for your SMTP server on a port above 1023.
I think this is correct, but I just tossed it up off the top of my head,
so someone correct me if I've oversimplified something. You might
also be able to use reflexive access lists, since your SMTP svr would be
the one opening the ports originally on outgoing mail, correct? Or
as someone else mentioned, maybe an 'established' command in a dynamic
access list. And some of these commands are dependent on the
version of IOS on your router. I think reflexive access lists came
around IOSv11.3 or 11.7. I'm rambling now, sorry.
Greg Baumgratz wrote: All messages are tcp. As for access list entries based on source port, is there any documentation that you know of? The only information I have is for destination port. Here's a good piece of information for cisco access lists for anyone not familiar:
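The three approaches the reply sketches, written out as a complete IOS configuration fragment. This is an added example, not configuration from the original message or its author; 192.0.2.10 stands in for the SMTP server address, and the ACL names, numbers and the Serial0 interface are assumptions. The first rule matches on source port alone, which a TCP segment can carry whether or not the server ever opened a connection; the `established` keyword narrows that to segments with ACK or RST set, and the reflexive list narrows it further to the return half of a connection the server itself initiated.

```cisco
! Added example (not from the original post). 192.0.2.10 is a placeholder
! for the SMTP server; names, numbers and interface are assumptions.
!
! 1) Source-port rule as sketched in the post: any source IP, source port
!    25, to the SMTP server on a port above 1023. Matches on the port
!    field only, so it admits any segment that carries source port 25.
access-list 101 permit tcp any eq smtp host 192.0.2.10 gt 1023
!
! 2) Same rule with 'established': matches only TCP segments with ACK or
!    RST set, i.e. what a reply to an existing connection looks like.
!    Still stateless, but a bare SYN no longer matches.
access-list 102 permit tcp any eq smtp host 192.0.2.10 gt 1023 established
!
! 3) Reflexive access list (named extended ACLs required): the outbound
!    rule records each connection the server opens to port 25; the
!    inbound 'evaluate' admits only the matching return traffic, and the
!    temporary entry ages out after 300 seconds of inactivity.
ip access-list extended OUTBOUND
 permit tcp host 192.0.2.10 any eq smtp reflect SMTP-REPLIES timeout 300
 permit ip any any
!
ip access-list extended INBOUND
 permit tcp any host 192.0.2.10 eq smtp
 evaluate SMTP-REPLIES
 deny ip any any log
!
interface Serial0
 ip access-group OUTBOUND out
 ip access-group INBOUND in
```

Only one of the three would be applied on a real interface; they are listed side by side so the difference in what each admits is visible. The inbound `permit tcp any host 192.0.2.10 eq smtp` line covers mail arriving at the server, which none of the source-port rules address.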