Solved

Access-list smtp

Posted on 2009-05-04
11
727 Views
Last Modified: 2013-11-30
When I apply this acl to the external interface connected to the internet it breaks all traffic.

int ser 0/0/0
ip access-group 101 in

Any ideas?
Extended IP access list 101
    10 permit tcp 0.0.0.0 0.0.3.255 0.0.0.0 0.0.0.3 eq smtp
    20 permit tcp 0.0.0.0 0.0.7.255 0.0.0.0 0.0.0.3 eq smtp
    30 deny tcp any any eq smtp


0
Question by:kitbarr
11 Comments
 
LVL 8

Expert Comment

by:akalbfell
ID: 24296580
What are you trying to do? Use the access list to only permit SMTP traffic, or do you want http/https traffic to pass through also?
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24296739
Add permit ip any any at the bottom, since there is an implicit "deny all" at the end.

permit tcp 0.0.0.0 0.0.3.255 0.0.0.0 0.0.0.3 eq smtp
permit tcp 0.0.0.0 0.0.7.255 0.0.0.0 0.0.0.3 eq smtp
deny tcp any any eq smtp
permit ip any any
0
 

Author Comment

by:kitbarr
ID: 24298058
Adding permit ip any any allows traffic to flow; however, the deny tcp any any eq smtp seems to be catching all smtp traffic. The first two lines don't seem to be working.
0
 
LVL 8

Expert Comment

by:akalbfell
ID: 24298125
What are you trying to do?
Permit SMTP traffic from one host out to the internet but block any SMTP traffic from coming out from another machine?

0
 

Author Comment

by:kitbarr
ID: 24298159
I want to allow all smtp traffic out, however only allow smtp traffic in from MX Logic. 208.65.144.0/21 and 208.81.64.0/22 are what I am trying to allow in.
0
 

Author Comment

by:kitbarr
ID: 24298168
Yes and I would also like to allow all other http traffic. I'm only trying to block smtp from the outside in.
0
 

Author Comment

by:kitbarr
ID: 24298187
This is what it looks like right now:
GWAQUA(config-ext-nacl)#do sh access-list

Extended IP access list 102
    40 permit ip any any (600928 matches)

0
 
LVL 8

Accepted Solution

by:
akalbfell earned 500 total points
ID: 24298261
gotcha...

permit tcp 208.81.64.0 0.0.3.255 any eq smtp
permit tcp 208.65.144.0 0.0.7.255 any eq smtp
deny tcp any any eq smtp
permit ip any any

applied to the outside interface coming in

0
 

Author Comment

by:kitbarr
ID: 24298526
That worked perfectly. What is the difference between
access-list 101 permit tcp 0.0.0.0 0.0.3.255 eq smtp any eq smtp and
access-list 101 permit tcp 208.65.144.0 0.0.3.255 any eq smtp
0
 

Author Closing Comment

by:kitbarr
ID: 31577607
This person kept right on at answering my questions as we went. Solved my problem and also helped me understand a little bit more.
0
 
LVL 8

Expert Comment

by:akalbfell
ID: 24298665
permit tcp 0.0.0.0 0.0.3.255 0.0.0.0 0.0.0.3 eq smtp
That is saying permit traffic from any host in the 255.255.252.0 subnet going to any host in the 255.255.255.252 subnet.

access-list 101 permit tcp 208.65.144.0 0.0.3.255 any eq smtp
This is more specifically saying permit from the 208.65.144.0/22 network to any host in your network.

Glad to help!

0
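An added example, not code from the thread or from either participant: a small evaluator that walks both lists the way IOS does (first match wins, implicit deny at the end) so the wildcard-mask difference akalbfell describes can be checked against sample addresses. The inside mail-server address 203.0.113.5 and the non-MX-Logic source 198.51.100.7 are constructed stand-ins.

```python
import ipaddress
# Added example, not from the thread: evaluate Cisco wildcard-mask ACL entries in order with the implicit deny.

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: 0 bits must equal the base, 1 bits are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def parse_entry(line):
    """Parse 'permit|deny tcp|ip SRC WC|any DST WC|any [eq PORT]'."""
    tok = line.split()
    action, proto, i = tok[0], tok[1], 2
    fields = []
    for _ in range(2):  # source field, then destination field
        if tok[i] == "any":
            fields.append(("0.0.0.0", "255.255.255.255"))
            i += 1
        else:
            fields.append((tok[i], tok[i + 1]))
            i += 2
    port = None
    if i < len(tok) and tok[i] == "eq":
        port = 25 if tok[i + 1] == "smtp" else int(tok[i + 1])
    return action, proto, fields[0], fields[1], port

def evaluate(acl, proto, src, dst, dport):
    """Return the action of the first matching entry, else the implicit deny."""
    for line in acl:
        action, eproto, esrc, edst, eport = parse_entry(line)
        if eproto not in (proto, "ip"):
            continue
        if not (wildcard_match(src, *esrc) and wildcard_match(dst, *edst)):
            continue
        if eport is not None and eport != dport:
            continue
        return action
    return "deny"  # every Cisco ACL ends with an implicit deny all

ORIGINAL_ACL = [  # the asker's list: 0.0.0.0 + wildcard only covers 0.0.0.0-0.0.7.255
    "permit tcp 0.0.0.0 0.0.3.255 0.0.0.0 0.0.0.3 eq smtp",
    "permit tcp 0.0.0.0 0.0.7.255 0.0.0.0 0.0.0.3 eq smtp",
    "deny tcp any any eq smtp",
]
FIXED_ACL = [  # accepted solution: MX Logic prefixes as source, then allow the rest
    "permit tcp 208.81.64.0 0.0.3.255 any eq smtp",
    "permit tcp 208.65.144.0 0.0.7.255 any eq smtp",
    "deny tcp any any eq smtp",
    "permit ip any any",
]
```

With the original list, inbound SMTP from an MX Logic address falls through to the deny and any non-SMTP flow hits the implicit deny, which is why applying it broke all traffic; with the fixed list only the two MX Logic prefixes reach port 25 and everything else is permitted.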
