Solved

Access list blocking out bound mail...

Posted on 2004-04-23
306 Views
Last Modified: 2010-04-17
I am trying to set up an ACL that will allow e-mail (Exchange 5.5) out, usually port 25, but when this ACL is applied we can still receive mail, but outgoing mail is blocked. I have applied the config to the serial port; as soon as the config is applied to the serial port no mail flows. I am missing a couple of ports; can anyone shed some light on what I am doing wrong?

ip access-group 101 out
ip access-group 101 in

Extended IP access list 101
    permit icmp any any echo
    permit icmp any any echo-reply
    permit icmp any any source-quench
    permit icmp any any packet-too-big
    permit icmp any any time-exceeded
    permit icmp any any unreachable
    permit tcp any any eq ftp-data
    permit tcp any any eq ftp
    permit tcp any any eq telnet
    permit tcp any any eq domain
    permit udp any any eq domain
    permit tcp any any eq www
    permit tcp any any eq 443
    permit tcp any any eq pop3
    permit tcp any any eq 143
    permit tcp any any eq 366
    permit tcp any any eq 389
    permit tcp any any eq 465
    permit tcp any any eq 636
    permit tcp any any eq 993
    permit tcp any any eq 995
    permit tcp any any eq 3389
    permit tcp any any eq 4899
    permit tcp any any eq 5222
    permit tcp any any eq 5223
    permit tcp any any eq smtp
    permit udp any any eq 25
Question by:JaysonJackson

3 Comments

Expert Comment

by:mikebernhardt
ID: 10904182
mail (SMTP) is TCP port 25, not udp.
Expert Comment

by:mikebernhardt
ID: 10904233
Oops, you have that. Actually, here's the problem. You have to add something like this:
permit tcp any eq smtp any gt 1023

You aren't allowing return traffic from source port 25, which will want to talk to the high-numbered port that originated the session to port 25.
Accepted Solution

by:
mikebernhardt earned 500 total points
ID: 10904256
Either that or add

permit tcp any any established

I'm assuming from your current list that security isn't an issue...
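An added example, not from the thread or from Cisco, that models what the two comments above describe: list 101 is applied both in and out on the serial interface, so the outbound SYN to port 25 is permitted, but the SYN/ACK coming back from source port 25 to the high client port matches nothing on the inbound pass and falls to the implicit deny; each proposed fix is then applied in turn. The Segment class, the sample ports, and the treatment of "established" as "ACK flag set" are simplifying assumptions of this model (IOS also matches RST), not IOS internals.

```python
# Minimal model of Cisco extended-ACL evaluation: first match wins, implicit deny
# at the end. Addresses are always "any"; "established" is approximated as "ACK set".
from dataclasses import dataclass

PORT_NAMES = {'smtp': 25}   # IOS shows well-known ports by name in 'show access-lists'

@dataclass(frozen=True)
class Segment:
    src_port: int
    dst_port: int
    ack: bool          # False only for the initial SYN of a connection

def _match(cond, port):
    """cond is None (no port qualifier), ('eq', n) or ('gt', n)."""
    if cond is None:
        return True
    op, n = cond
    return port == n if op == 'eq' else port > n

def parse_entry(line):
    tok = line.split()
    if tok[:2] != ['permit', 'tcp']:
        raise ValueError(f'unsupported entry: {line}')
    i, conds = 2, []
    for _ in range(2):                      # source spec, then destination spec
        if tok[i] != 'any':
            raise ValueError('only "any" addresses are modelled')
        i += 1
        if i < len(tok) and tok[i] in ('eq', 'gt'):
            conds.append((tok[i], PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])))
            i += 2
        else:
            conds.append(None)
    return conds[0], conds[1], i < len(tok) and tok[i] == 'established'

def acl_permits(entries, seg):
    """True if some entry matches; otherwise the implicit 'deny ip any any' applies."""
    for src, dst, established in map(parse_entry, entries):
        if _match(src, seg.src_port) and _match(dst, seg.dst_port) and (seg.ack or not established):
            return True
    return False

# Constructed sample: the SMTP entry from list 101 above, plus each fix proposed in the thread.
ORIGINAL = ['permit tcp any any eq smtp']
WITH_RETURN_RULE = ORIGINAL + ['permit tcp any eq smtp any gt 1023']
WITH_ESTABLISHED = ORIGINAL + ['permit tcp any any established']
OUTBOUND_SYN = Segment(src_port=1500, dst_port=25, ack=False)   # Exchange -> remote MX
RETURN_SYNACK = Segment(src_port=25, dst_port=1500, ack=True)   # remote MX -> Exchange, inbound pass
```

The last case in the checks below is why "established" is the tighter of the two fixes: a fresh SYN arriving from source port 25 is still dropped, whereas the "eq smtp any gt 1023" entry admits any segment from port 25 to a high port.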