• Status: Solved

Access-list smtp

When I apply this acl to the external interface connected to the internet it breaks all traffic.

int ser 0/0/0
ip access-group 101 in

Any ideas?
Extended IP access list 101
    10 permit tcp 0.0.0.0 0.0.3.255 0.0.0.0 0.0.0.3 eq smtp
    20 permit tcp 0.0.0.0 0.0.7.255 0.0.0.0 0.0.0.3 eq smtp
    30 deny tcp any any eq smtp

kitbarr
Asked:
kitbarr
 
akalbfell Commented:
What are you trying to do? Use the access list to only permit SMTP traffic, or do you want HTTP/HTTPS traffic to pass through also?
0
 
JFrederick29 Commented:
Add permit ip any any at the bottom since there is an implicit "deny all" at the end.

permit tcp 0.0.0.0 0.0.3.255 0.0.0.0 0.0.0.3 eq smtp
permit tcp 0.0.0.0 0.0.7.255 0.0.0.0 0.0.0.3 eq smtp
deny tcp any any eq smtp
permit ip any any
0
 
kitbarr Author Commented:
Adding permit ip any any allows traffic to flow; however, the deny tcp any any eq smtp seems to be catching all SMTP traffic. The first two lines don't seem to be working.
0
 
akalbfell Commented:
What are you trying to do?
Permit SMTP traffic from one host out to the internet but block any SMTP traffic from coming out from another machine?

0
 
kitbarr Author Commented:
I want to allow all SMTP traffic out; however, only allow SMTP traffic in from MX Logic. 208.65.144.0/21 and 208.81.64.0/22 is what I am trying to allow in.
0
 
kitbarr Author Commented:
Yes, and I would also like to allow all other HTTP traffic. I'm only trying to block SMTP from the outside in.
0
 
kitbarr Author Commented:
This is what it looks like right now:
GWAQUA(config-ext-nacl)#do sh access-list
Extended IP access list 102
    40 permit ip any any (600928 matches)


0
 
akalbfell Commented:
Gotcha...

permit tcp 208.81.64.0 0.0.3.255 any eq smtp
permit tcp 208.65.144.0 0.0.7.255 any eq smtp
deny tcp any any eq smtp
permit ip any any

Applied to the outside interface, coming in.

0
 
kitbarr Author Commented:
That worked perfectly. What is the difference between
access-list 101 permit tcp 0.0.0.0 0.0.3.255 eq smtp any eq smtp and
access-list 101 permit tcp 208.65.144.0 0.0.3.255 any eq smtp
0
 
kitbarr Author Commented:
This person kept right on at answering my questions as we went. Solved my problem and also helped me understand a little bit more.
0
 
akalbfell Commented:
permit tcp 0.0.0.0 0.0.3.255 0.0.0.0 0.0.0.3 eq smtp
That is saying permit traffic from any host in the 255.255.252.0 subnet going to any host in the 255.255.255.252 subnet.

access-list 101 permit tcp 208.65.144.0 0.0.3.255 any eq smtp
This is more specifically saying permit from the 208.65.144.0/22 network to any host in your network.

Glad to help!

0
Question has a verified solution.
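
Added example (not part of the thread and not Cisco's code): a small Python model of top-down, first-match ACL evaluation with wildcard masks, run against the three lists discussed above. It shows that a source of `0.0.0.0 0.0.3.255` only matches addresses 0.0.0.0 through 0.0.3.255, so MX Logic mail fell through to the deny, and that without a final permit everything else hit the implicit deny. The destination 192.0.2.10 and the non-MX Logic source 203.0.113.9 are constructed placeholders.

```python
import ipaddress

def ip(s):
    return int(ipaddress.IPv4Address(s))

def wc_match(addr, base, wildcard):
    # Cisco wildcard mask: 1-bits are "don't care", 0-bits must equal the base.
    care = ~ip(wildcard) & 0xFFFFFFFF
    return (ip(addr) & care) == (ip(base) & care)

ANY = ("0.0.0.0", "255.255.255.255")  # what the "any" keyword means

# Entries: (action, protocol, source, destination, destination port or None)
ORIGINAL = [  # ACL 101 as first posted
    ("permit", "tcp", ("0.0.0.0", "0.0.3.255"), ("0.0.0.0", "0.0.0.3"), 25),
    ("permit", "tcp", ("0.0.0.0", "0.0.7.255"), ("0.0.0.0", "0.0.0.3"), 25),
    ("deny", "tcp", ANY, ANY, 25),
]
WITH_PERMIT_ANY = ORIGINAL + [("permit", "ip", ANY, ANY, None)]
WORKING = [  # the list that solved the question
    ("permit", "tcp", ("208.81.64.0", "0.0.3.255"), ANY, 25),
    ("permit", "tcp", ("208.65.144.0", "0.0.7.255"), ANY, 25),
    ("deny", "tcp", ANY, ANY, 25),
    ("permit", "ip", ANY, ANY, None),
]

def evaluate(acl, proto, src, dst, dport):
    """Top-down, first match wins. Returns (action, matched index or None)."""
    for i, (action, p, s, d, port) in enumerate(acl):
        if p not in ("ip", proto):
            continue
        if port is not None and port != dport:
            continue
        if wc_match(src, *s) and wc_match(dst, *d):
            return action, i
    return "deny", None  # implicit deny that ends every ACL

if __name__ == "__main__":
    # Constructed packets; 192.0.2.10 stands in for the inside mail server.
    packets = [("tcp", "208.65.144.25", "192.0.2.10", 25),  # MX Logic range
               ("tcp", "203.0.113.9", "192.0.2.10", 25),    # other SMTP sender
               ("tcp", "203.0.113.9", "192.0.2.10", 80)]    # non-SMTP traffic
    for name, acl in (("original", ORIGINAL),
                      ("plus permit ip any any", WITH_PERMIT_ANY),
                      ("working", WORKING)):
        for pkt in packets:
            print(f"{name:24} {pkt} -> {evaluate(acl, *pkt)}")
```

The matched index in each result identifies which entry decided the packet, the same information the per-entry match counters in `sh access-list` give on the router.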
