Can someone tell me why this access list will not deny port 25 for the xx.xx.xx.222 address, and tell me how to fix it, please?
Cisco 3600 IOS 12.3
interface Multilink1
description GBLX Internet
ip address xx.xxx.xxx.238 255.255.255.252
ip nat outside
ppp multilink
ppp multilink fragment disable
ppp multilink group 1
!
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
ip nat inside
duplex auto
speed auto
!
interface Serial0/0
no ip address
no ip redirects
no ip proxy-arp
encapsulation ppp
down-when-looped
no fair-queue
service-module t1 timeslots 1-24
service-module t1 fdl ansi
ppp multilink
ppp multilink group 1
!
interface Serial0/1
no ip address
no ip redirects
no ip proxy-arp
encapsulation ppp
down-when-looped
no fair-queue
service-module t1 timeslots 1-24
service-module t1 fdl ansi
ppp multilink
ppp multilink group 1
!
ip nat inside source list 120 interface Multilink1 overload
ip nat inside source static tcp 192.168.1.178 80 xxx.xxx.xxx.224 80 extendable
ip nat inside source static 192.168.1.222 xxx.xxx.xxx.222 extendable
no ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 xx.xxx.xxx.237
!
!
access-list 120 deny tcp host 192.168.1.222 any eq smtp
access-list 120 permit ip 192.168.1.0 0.0.0.255 any
Topics: Hardware Firewalls, Cisco
Last comment: aoteoroa, 8/22/2022 (Mon)
JFrederick29
You need to use an interface access-list.
Are you trying to deny inbound smtp to the server from the Internet? If so, add this:
conf t
access-list 150 deny tcp any host xxx.xxx.xxx.222 eq 25
access-list 150 permit ip any any
int multilink1
ip access-group 150 in
randyintejas
ASKER
No luck.
JFrederick29
Can you post your new config?
You are trying to deny Internet hosts from connecting to xxx.xxx.xxx.222 on port 25, right? Or, are you trying to deny that server from connecting to hosts on port 25 (sending mail)?
Trying to deny Internet hosts from connecting to xxx.xxx.xxx.222 on port 25.
interface Multilink1
description GBLX Internet
ip address xx.xx.xx.238 255.255.255.252
ip access-group 150 in
ip nat outside
ppp multilink
ppp multilink fragment disable
ppp multilink group 1
!
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
ip nat inside
duplex auto
speed auto
!
interface Serial0/0
no ip address
no ip redirects
no ip proxy-arp
encapsulation ppp
down-when-looped
no fair-queue
service-module t1 timeslots 1-24
service-module t1 fdl ansi
ppp multilink
ppp multilink group 1
!
interface Serial0/1
no ip address
no ip redirects
no ip proxy-arp
encapsulation ppp
down-when-looped
no fair-queue
service-module t1 timeslots 1-24
service-module t1 fdl ansi
ppp multilink
ppp multilink group 1
!
ip nat inside source list 120 interface Multilink1 overload
ip nat inside source static tcp 192.168.1.178 80 xx.xx.xx.224 80 extendable
ip nat inside source static 192.168.1.222 xx.xx.xx.222 (external IP) extendable
no ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 64.213.104.237
!
!
access-list 120 permit ip 192.168.1.0 0.0.0.255 any
access-list 150 deny tcp any host xxx.xxx.xxx.222 (internal ip) eq 25
access-list 150 permit ip any any
JFrederick29
You need to use the external IP in the access-list, not the Internet IP:
conf t
no access-list 150
access-list 150 deny tcp any host xxx.xxx.xxx.222 (external ip) eq 25
access-list 150 permit ip any any
JFrederick29
That should have read:
You need to use the external IP in the access-list, not the internal IP:
^^^^^^^
conf t
no access-list 150
access-list 150 deny tcp any host xxx.xxx.xxx.222 (external ip) eq 25
access-list 150 permit ip any any
In the future, please don't accept my answer if the grade you're going to give is a "C".
From the help pages:
What's the right grade to give?
Grading at Experts Exchange is not like school. It's more like the "10-point Must" system in professional boxing; in other words, an answer is worth an A, unless it doesn't resolve your issue. If it requires you to do a little more research, or figure out one more piece of code, then it's worth a B. If you think it's not worth a B, the custom is to offer the Experts an opportunity to earn a better grade.
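The order of operations the answers above depend on (the inbound ACL on Multilink1 is evaluated before the static NAT rewrites the destination, so the entry must name the external address) as an added Python model; it is not part of the thread, and the 203.0.113.x and 198.51.100.x addresses are constructed stand-ins for the masked xx.xx.xx.* values.

```python
# Added example, not from the thread: a small model of why 'ip access-group 150 in'
# on Multilink1 must name the EXTERNAL address. IOS checks the inbound ACL as the
# packet arrives (destination still the global IP) and only then applies static NAT.
# Addresses are constructed stand-ins: 203.0.113.0/24 is the ISP block, 192.168.1.0/24 the LAN.
import ipaddress
from typing import NamedTuple, Optional

class Ace(NamedTuple):           # one numbered access-list entry
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp" or "udp"
    src: str                     # "any", "host A.B.C.D" or "A.B.C.D wildcard"
    dst: str
    dport: Optional[int] = None  # "eq <port>" on the destination, if given

def _match_addr(spec, addr):
    """IOS address syntax: 'any', 'host X', or 'network wildcard' (inverse mask)."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return spec.split()[1] == addr
    net, wild = spec.split()
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild))
    return (int(ipaddress.IPv4Address(net)) & mask) == (int(ipaddress.IPv4Address(addr)) & mask)

def acl_permits(acl, proto, src, dst, dport):
    """First matching entry wins; an unmatched packet hits the implicit 'deny any'."""
    for ace in acl:
        if ace.proto not in ("ip", proto):
            continue
        if not (_match_addr(ace.src, src) and _match_addr(ace.dst, dst)):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action == "permit"
    return False

# 'ip nat inside source static 192.168.1.222 <external> extendable', modelled as a map
STATIC_NAT = {"203.0.113.222": "192.168.1.222"}

def inbound_from_internet(acl_in, src, dst_global, dport):
    """TCP packet arriving on the outside interface: inbound ACL first (pre-NAT, so dst
    is the global IP), then static NAT. Returns the inside host reached, or None if dropped."""
    if not acl_permits(acl_in, "tcp", src, dst_global, dport):
        return None
    return STATIC_NAT.get(dst_global, dst_global)

# ACL 150 as first posted (internal IP) versus as corrected (external IP)
ACL150_INTERNAL = [Ace("deny", "tcp", "any", "host 192.168.1.222", 25), Ace("permit", "ip", "any", "any")]
ACL150_EXTERNAL = [Ace("deny", "tcp", "any", "host 203.0.113.222", 25), Ace("permit", "ip", "any", "any")]
```

With the internal address in the entry, SMTP from the Internet still reaches 192.168.1.222 because the ACL never sees that address; with the external address the same packet is dropped while port 80 still passes.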
aoteoroa
As a side note, it is good practice to never make changes to a firewall from a remote location unless you:
A) have another route into the network via a different IP and router,
B) have somebody on site who can restart the firewall, which resets it to the previous settings, or
C) are prepared to drive to the location to make fixes on site.
Been there, done that, and it isn't fun... locked myself out of a network in Calgary while I was in Edmonton, which is 300 km away.