randyintejas

asked:
Cisco 12.3 access-list deny

Can someone tell me why this access-list will not deny port 25 for the xx.xx.xx.222 address, and tell me how to fix it please?
Cisco 3600 IOS 12.3
interface Multilink1
 description GBLX Internet
 ip address xx.xxx.xxx.238 255.255.255.252
 ip nat outside
 ppp multilink
 ppp multilink fragment disable
 ppp multilink group 1
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
interface Serial0/0
 no ip address
 no ip redirects
 no ip proxy-arp
 encapsulation ppp
 down-when-looped
 no fair-queue
 service-module t1 timeslots 1-24
 service-module t1 fdl ansi
 ppp multilink
 ppp multilink group 1
!
interface Serial0/1
 no ip address
 no ip redirects
 no ip proxy-arp
 encapsulation ppp
 down-when-looped
 no fair-queue
 service-module t1 timeslots 1-24
 service-module t1 fdl ansi
 ppp multilink
 ppp multilink group 1
!
ip nat inside source list 120 interface Multilink1 overload
ip nat inside source static tcp 192.168.1.178 80 xxx.xxx.xxx.224 80 extendable
ip nat inside source static 192.168.1.222 xxx.xxx.xxx.222 extendable
no ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 xx.xxx.xxx.237
!
!
access-list 120 deny tcp host 192.168.1.222 any eq smtp
access-list 120 permit ip 192.168.1.0 0.0.0.255 any
JFrederick29

You need to use an interface access-list.

Are you trying to deny inbound smtp to the server from the Internet? If so, add this:

conf t
access-list 150 deny tcp any host xxx.xxx.xxx.222 eq 25
access-list 150 permit ip any any

int multilink1
ip access-group 150 in

randyintejas (ASKER)

No luck.
JFrederick29

Can you post your new config?

You are trying to deny Internet hosts from connecting to xxx.xxx.xxx.222 on port 25, right? Or, are you trying to deny that server from connecting to hosts on port 25 (sending mail)?
randyintejas (ASKER)

Trying to deny Internet hosts from connecting to xxx.xxx.xxx.222 on port 25.

interface Multilink1
 description GBLX Internet
 ip address xx.xx.xx.238 255.255.255.252
 ip access-group 150 in
 ip nat outside
 ppp multilink
 ppp multilink fragment disable
 ppp multilink group 1
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
interface Serial0/0
 no ip address
 no ip redirects
 no ip proxy-arp
 encapsulation ppp
 down-when-looped
 no fair-queue
 service-module t1 timeslots 1-24
 service-module t1 fdl ansi
 ppp multilink
 ppp multilink group 1
!
interface Serial0/1
 no ip address
 no ip redirects
 no ip proxy-arp
 encapsulation ppp
 down-when-looped
 no fair-queue
 service-module t1 timeslots 1-24
 service-module t1 fdl ansi
 ppp multilink
 ppp multilink group 1
!
ip nat inside source list 120 interface Multilink1 overload
ip nat inside source static tcp 192.168.1.178 80 xx.xx.xx.224 80 extendable
ip nat inside source static 192.168.1.222 xx.xx.xx.222 (external IP) extendable
no ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 64.213.104.237
!
!
access-list 120 permit ip 192.168.1.0 0.0.0.255 any
access-list 150 deny tcp any host xxx.xxx.xxx.222 (internal ip) eq 25
access-list 150 permit ip any any
JFrederick29

You need to use the external IP in the access-list, not the Internet IP:

conf t
no access-list 150
access-list 150 deny tcp any host xxx.xxx.xxx.222 (external ip) eq 25
access-list 150 permit ip any any
JFrederick29

That should have read:

You need to use the external IP in the access-list, not the internal IP:
                                                                                             ^^^^^^^
conf t
no access-list 150
access-list 150 deny tcp any host xxx.xxx.xxx.222 (external ip) eq 25
access-list 150 permit ip any any
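JFrederick29's two points in this thread are (1) that access-list 120 is the NAT translation list, so a deny in it never drops anything, and (2) that an inbound access-group on the NAT outside interface is evaluated before static NAT rewrites the destination, so the deny must name the external address. The following is an added example, not code from the original posts or from Cisco; it models IOS's first-match/implicit-deny ACL semantics and the order of operations on a NAT outside interface in plain Python. The addresses 203.0.113.222 and 203.0.113.238 are constructed stand-ins for the masked xx.xx.xx.222 and .238, and the 198.51.100.x sources in the sample packets are constructed too.

```python
"""Constructed model of how IOS treats the two access-lists from the thread.

Assumed stand-ins (not from the original posts): 203.0.113.222 for the masked
public address xx.xx.xx.222, 203.0.113.238 for the Multilink1 address, and
198.51.100.x for Internet hosts in the sample packets.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

EXTERNAL_IP = "203.0.113.222"            # stand-in for xx.xx.xx.222
INTERNAL_IP = "192.168.1.222"
MULTILINK_IP = "203.0.113.238"           # stand-in for the overload (PAT) address
STATIC_NAT = {EXTERNAL_IP: INTERNAL_IP}  # ip nat inside source static 192.168.1.222 <ext>


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    """One access-list entry, e.g. 'deny tcp any host X eq 25'."""
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches any protocol, else must equal the packet's
    src: str               # "any", a host address, or a CIDR prefix
    dst: str
    dport: Optional[int] = None


def _addr_matches(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not _addr_matches(ace.src, pkt.src) or not _addr_matches(ace.dst, pkt.dst):
        return False
    return ace.dport is None or ace.dport == pkt.dport


def evaluate_acl(acl: list, pkt: Packet) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


# access-list 120 as posted by the asker: this is the NAT *selection* list.
ACL_120 = [
    Ace("deny", "tcp", INTERNAL_IP, "any", 25),
    Ace("permit", "ip", "192.168.1.0/24", "any"),
]


def acl_150(dst_spec: str) -> list:
    """access-list 150 from the answer, parameterised on the host it names."""
    return [Ace("deny", "tcp", "any", dst_spec, 25), Ace("permit", "ip", "any", "any")]


def outside_inbound(pkt: Packet, interface_acl: Optional[list]) -> Optional[Packet]:
    """Internet -> router, entering the NAT outside interface (Multilink1).

    The inbound access-group is checked while the destination is still the
    public address; only afterwards does static NAT rewrite it to the inside
    address. An ACL naming the internal address therefore never matches here.
    """
    if interface_acl is not None and evaluate_acl(interface_acl, pkt) == "deny":
        return None                                   # dropped by the interface ACL
    return Packet(pkt.proto, pkt.src, STATIC_NAT.get(pkt.dst, pkt.dst), pkt.dport)


def inside_outbound(pkt: Packet) -> Packet:
    """Inside host -> Internet.

    ACL 120 only decides whether the overload rule translates the packet. A
    'deny' there means 'not translated by this rule', never 'dropped', and the
    static entry for 192.168.1.222 translates its traffic regardless.
    """
    reverse_static = {inside: outside for outside, inside in STATIC_NAT.items()}
    if pkt.src in reverse_static:
        new_src = reverse_static[pkt.src]             # static translation applies
    elif evaluate_acl(ACL_120, pkt) == "permit":
        new_src = MULTILINK_IP                        # dynamic overload (PAT)
    else:
        new_src = pkt.src                             # forwarded, just untranslated
    return Packet(pkt.proto, new_src, pkt.dst, pkt.dport)


if __name__ == "__main__":
    smtp_in = Packet("tcp", "198.51.100.7", EXTERNAL_IP, 25)
    print("no ACL:        ", outside_inbound(smtp_in, None))
    print("ACL on internal:", outside_inbound(smtp_in, acl_150(INTERNAL_IP)))
    print("ACL on external:", outside_inbound(smtp_in, acl_150(EXTERNAL_IP)))
    print("inside SMTP out:", inside_outbound(Packet("tcp", INTERNAL_IP, "198.51.100.9", 25)))
```

Running it shows the thread's three observations in order: with no interface ACL the SMTP connection reaches 192.168.1.222; with ACL 150 naming the internal address it still reaches it; with ACL 150 naming the external address it is dropped; and outbound SMTP from 192.168.1.222 is forwarded (statically translated) even though ACL 120 "denies" it.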
randyintejas (ASKER)

That just blocked access to my router, and now I'm driving 2 hours each way to fix it before everyone shows up for work.

JFrederick29

Sorry, didn't know you were doing this remotely.
You can have someone reboot the router if possible to return it to the previous state.

randyintejas (ASKER)

No... heading out. Thanks.
Don Johnston

Are you trying to block smtp traffic going TO or coming FROM xxx.xxx.xxx.222?

Beyond that, you didn't apply the ACL to an interface.
randyintejas (ASKER)

I am trying to block smtp going TO.
ASKER CERTIFIED SOLUTION
Don Johnston

SOLUTION
Don Johnston

In the future, please don't accept my answer if the grade you're going to give is a "C".

From the help pages:
What's the right grade to give?
Grading at Experts Exchange is not like school. It's more like the "10-point Must" system in professional boxing; in other words, an answer is worth an A, unless it doesn't resolve your issue. If it requires you to do a little more research, or figure out one more piece of code, then it's worth a B. If you think it's not worth a B, the custom is to offer the Experts an opportunity to earn a better grade.

As a side note, it is good practice to never make changes to a firewall from a remote location unless you:

A) have another route into the network via a different IP and router,
B) have somebody on site who can restart the firewall, which resets it to the previous settings, or
C) are prepared to drive to the location to make fixes on site.

Been there, done that, and it isn't fun... locked myself out of a network in Calgary while I was in Edmonton, which is 300 km away.