Deleting Standard IP Access List 1 prevents outgoing web access

I configured my office Cisco 877 router yesterday to block port 25, just like you said. When I do a "show access-lists", I get the following:

Standard IP access list 1
    10 permit 192.168.1.0, wildcard bits 0.0.0.255 (7453 matches)
Extended IP access list 100
    10 permit tcp host 192.168.1.2 any eq smtp (1818926 matches)
    20 deny tcp any any eq smtp
    30 permit ip any any (242699 matches)
I don't see any matches for "20 deny tcp any any eq smtp"; the result seems too good to be true. Do you think I have missed something? (I have just got our IP delisted for spam after one of our PCs was infected with the Rustock spambot. I have reformatted the PC and then applied access-list 100 to the incoming interface from the internal network like so: ip access-group 100 in.)

My question is: why can't I delete the standard IP access-list 1? It seems to be redundant, as the extended ACL is already in place. When I deleted access-list 1 using the command "no ip access-list 1", our internal PCs' Internet Explorer all of a sudden couldn't connect to the web (http).

Thanks for your help
Er Ang Hooa
eranghooa@gmail.com
eranghooa asked:
greg ward, Systems Engineer, commented:
The access-list is in use.
Please post your config with passwords removed.
Greg
eranghooa (Author) commented:

Mr Greg,
Thanks for your help. I am appending the config file below. I would be grateful if you could highlight the areas I have done incorrectly.

ErAng Hooa

Exch01#show running-config
Building configuration...

Current configuration : 3982 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Exch01
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings

!
no aaa new-model
!
resource policy
!
ip subnet-zero
no ip source-route
ip cef
!
!
no ip bootp server
ip domain name keonghong.com
ip name-server 192.168.1.2
ip name-server 165.21.83.88
!
!
crypto pki trustpoint TP-self-signed-1757292515
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1757292515
 revocation-check none
 rsakeypair TP-self-signed-1757292515
!
!
crypto pki certificate chain TP-self-signed-1757292515
 certificate self-signed 01

    quit


interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 description $ES_WAN$$FW_OUTSIDE$
 ip address 203.125.87.122 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 pvc 8/35
  protocol ip 203.125.87.121 broadcast
  encapsulation aal5snap
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description  ip address 192.168.1.99 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
ip classless
ip route 0.0.0.0 0.0.0.0 ATM0.1
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface ATM0.1 overload
ip nat inside source static tcp 192.168.1.2 25 interface ATM0.1 25
ip nat inside source static tcp 192.168.1.2 443 interface ATM0.1 443
ip nat inside source static tcp 192.168.1.2 3389 interface ATM0.1 3389
ip nat inside source static tcp 192.168.1.2 987 interface ATM0.1 987
ip nat inside source static tcp 192.168.1.2 1723 interface ATM0.1 1723
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 permit tcp host 192.168.1.2 any eq smtp
access-list 100 deny   tcp any any eq smtp
access-list 100 permit ip any any
no cdp run
!
control-plane
!
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
end


greg ward, Systems Engineer, commented:
ip nat inside source list 1 interface ATM0.1 overload

"list 1" is using your "access-list 1 permit 192.168.1.0 0.0.0.255".

Greg


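Greg's check (is the list still referenced anywhere before you delete it?) can be scripted. The following Python is an added example and not code from this thread: it scans an IOS running-config for every line that names an ACL and reports which definitions still have references. The config text embedded in it is a constructed excerpt of the config posted above, and the set of reference patterns is my own selection of common IOS commands that take an ACL, not an exhaustive list.

```python
import re

# Constructed excerpt of the running-config posted in this thread.
RUNNING_CONFIG = """\
interface ATM0.1 point-to-point
 ip nat outside
interface Vlan1
 ip access-group 100 in
 ip nat inside
ip nat inside source list 1 interface ATM0.1 overload
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 permit tcp host 192.168.1.2 any eq smtp
access-list 100 deny   tcp any any eq smtp
access-list 100 permit ip any any
"""

# IOS commands that reference an ACL by number or name (assumed, non-exhaustive).
# Group 1 of each pattern captures the ACL identifier.
REFERENCE_PATTERNS = [
    (r"^\s*ip nat (?:inside|outside) source list (\S+)", "NAT source list"),
    (r"^\s*ip access-group (\S+) (?:in|out)", "interface access-group"),
    (r"^\s*access-class (\S+) (?:in|out)", "vty access-class"),
    (r"^\s*match ip address (\S+)", "class-map/route-map match"),
    (r"^\s*snmp-server community \S+ (?:RO|RW) (\S+)", "snmp community"),
]


def defined_acls(config):
    """Return the set of ACL identifiers defined in the config."""
    found = set()
    for line in config.splitlines():
        m = re.match(r"^\s*access-list (\d+) ", line)
        if m:
            found.add(m.group(1))
        m = re.match(r"^\s*ip access-list (?:standard|extended) (\S+)", line)
        if m:
            found.add(m.group(1))
    return found


def acl_references(config):
    """Map each referenced ACL identifier to a list of (config line, role)."""
    refs = {}
    for line in config.splitlines():
        for pattern, role in REFERENCE_PATTERNS:
            m = re.match(pattern, line)
            if m:
                refs.setdefault(m.group(1), []).append((line.strip(), role))
    return refs


def safe_to_delete(config, acl):
    """True only when no other line of the config still refers to this ACL."""
    return acl not in acl_references(config)


def report(config):
    """Human-readable summary of every defined ACL and what depends on it."""
    refs = acl_references(config)
    lines = []
    for acl in sorted(defined_acls(config), key=int):
        if acl in refs:
            for text, role in refs[acl]:
                lines.append(f"access-list {acl}: in use by {role}: {text}")
        else:
            lines.append(f"access-list {acl}: unreferenced, safe to delete")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(RUNNING_CONFIG))
```

Run against the posted config, this shows access-list 1 held by the "ip nat inside source list 1 ..." statement and access-list 100 held by "ip access-group 100 in". With list 1 removed, the NAT statement no longer matches any inside address, so no translations are built for the PCs and their web traffic stops, which is exactly the symptom in the question. The two lists are not redundant: list 1 chooses who gets translated, list 100 chooses what gets through.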
eranghooa (Author) commented:
Mr Greg
Thanks, I am beginning to see the logic for access list 1. I am not quite sure about the term "overload". My Cisco 877 router is configured to have only 2 active interfaces, i.e. 1 internal (Vlan1) and 1 external (ATM0.1). Does overload mean access list 1 is applied to both Vlan1 in and ATM0.1 out?

Incidentally, I noticed this evening that "20 deny tcp any any eq smtp" has 72 matches. See the latest show access-list:

Exch01#show access-list
Standard IP access list 1
    10 permit 192.168.1.0, wildcard bits 0.0.0.255 (18650 matches)
Extended IP access list 100
    10 permit tcp host 192.168.1.2 any eq smtp (3231540 matches)
    20 deny tcp any any eq smtp (72 matches)
    30 permit ip any any (455787 matches)

Maybe access list 100 is working after all, but I am not quite certain. I would appreciate it if you could cast further light on this.

Thanks for enlightening me.

Er Ang Hooa
eranghooa@gmail.com
sidetracked commented:
Overload means that all your users can use the WAN IP as their NAT IP. If you remove the overload statement, only one user may be able to access the Internet.

Your access-list 100 is probably working fine!
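To see why line 20 of the list shows so few matches, it helps to replay a few flows through ACL 100 with IOS first-match semantics. The following Python is an added example, not code from this thread: it parses the three entries exactly as posted above and evaluates constructed sample packets (the 203.0.113.x destinations and the 192.168.1.50 workstation are made up). Because the list is applied inbound on Vlan1, the only packets it ever sees are those leaving the LAN, so every hit on line 20 is an internal host other than 192.168.1.2 trying to talk SMTP directly to the Internet.

```python
import ipaddress

# Port names IOS prints in place of numbers (subset, assumed sufficient here).
PORT_NAMES = {"smtp": 25, "www": 80, "https": 443, "domain": 53}

# Constructed copy of the extended ACL from the posted config, with the
# sequence numbers "show access-lists" displays.
ACL_100 = [
    (10, "permit tcp host 192.168.1.2 any eq smtp"),
    (20, "deny tcp any any eq smtp"),
    (30, "permit ip any any"),
]


def _parse_addr(tokens):
    """Consume one address spec (any | host A | A W) plus an optional 'eq PORT'.
    Returns ((network, wildcard) as ints, port or None, remaining tokens)."""
    if tokens[0] == "any":
        net, wild, rest = "0.0.0.0", "255.255.255.255", tokens[1:]
    elif tokens[0] == "host":
        net, wild, rest = tokens[1], "0.0.0.0", tokens[2:]
    else:
        net, wild, rest = tokens[0], tokens[1], tokens[2:]
    port = None
    if rest[:1] == ["eq"]:
        port = PORT_NAMES.get(rest[1]) or int(rest[1])
        rest = rest[2:]
    addr = (int(ipaddress.IPv4Address(net)), int(ipaddress.IPv4Address(wild)))
    return addr, port, rest


def parse_ace(text):
    """Parse '<permit|deny> <proto> <src> [eq p] <dst> [eq p>' into a dict."""
    tokens = text.split()
    action, proto = tokens[0], tokens[1]
    src, sport, rest = _parse_addr(tokens[2:])
    dst, dport, _ = _parse_addr(rest)
    return {"action": action, "proto": proto,
            "src": src, "sport": sport, "dst": dst, "dport": dport}


def _addr_matches(spec, ip):
    """IOS wildcard match: bits set in the wildcard are don't-care bits."""
    net, wild = spec
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (net & care)


def _ace_matches(ace, pkt):
    if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
        return False
    if not _addr_matches(ace["src"], pkt["src"]):
        return False
    if not _addr_matches(ace["dst"], pkt["dst"]):
        return False
    if ace["sport"] is not None and ace["sport"] != pkt.get("sport"):
        return False
    if ace["dport"] is not None and ace["dport"] != pkt.get("dport"):
        return False
    return True


def evaluate(acl, pkt):
    """First match wins; the implicit deny at the end is reported as sequence None."""
    for seq, text in acl:
        if _ace_matches(parse_ace(text), pkt):
            return parse_ace(text)["action"], seq
    return "deny", None


# Constructed sample flows entering Vlan1 from the LAN.
FLOWS = {
    "exchange_smtp": {"proto": "tcp", "src": "192.168.1.2", "dst": "203.0.113.25", "dport": 25},
    "pc_smtp":       {"proto": "tcp", "src": "192.168.1.50", "dst": "203.0.113.25", "dport": 25},
    "pc_http":       {"proto": "tcp", "src": "192.168.1.50", "dst": "203.0.113.80", "dport": 80},
    "pc_dns":        {"proto": "udp", "src": "192.168.1.50", "dst": "165.21.83.88", "dport": 53},
}


def classify_flows(acl=ACL_100, flows=FLOWS):
    """Return {flow name: (action, matching sequence number)} for each sample flow."""
    return {name: evaluate(acl, pkt) for name, pkt in flows.items()}


if __name__ == "__main__":
    for name, (action, seq) in classify_flows().items():
        print(f"{name:14s} -> {action} (line {seq})")
```

Only the Exchange server's mail reaches line 10; a workstation's port-25 attempt falls through to line 20 and is dropped; everything else (web, DNS) lands on line 30. So a counter of zero on line 20 simply meant no LAN host other than the server had tried to send mail directly, and the 72 later matches mean something on the LAN now is. The counter alone does not say which host; adding the "log" keyword to the deny entry, or looking for port-25 entries in "show ip nat translations", would. Note also that this list does not filter SMTP arriving from the Internet to the static NAT on port 25, which is intended, since that is the server's inbound mail.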
greg ward, Systems Engineer, commented:
NAT is configured on your ATM0.1 interface:
ip nat outside
You also have Vlan1 with:
ip nat inside
The "ip nat ... overload" command lets all inside machines use the outside interface (i.e. access the Internet).
To see what this is doing, use the command:
show ip nat translations
It shows which hosts are connected to which machines on the Internet.

Greg

eranghooa (Author) commented:
Mr Greg,
I tried "show ip nat translations". The result is truly awesome. I am thoroughly convinced access list 100 is working. Thank you so much.
ER Ang Hooa