Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Blocking outgoing port on Cisco 2801

Posted on 2010-09-07
4
Medium Priority
?
611 Views
Last Modified: 2013-11-30
I'm attempting to block all outgoing SMTP traffic on a given local range, but it simply isn't working.

All DHCP clients on my network are in the 10.3.3.x (255.255.0.0) range, and I'm wanting to keep them from contacting any mail server outside the network, so I did this:

# Interface to LAN
interface FastEthernet0/0
 ip address 10.3.0.1 255.255.0.0
 ip nat inside

# Interface to Internet
interface FastEthernet0/1
 ip address dhcp
 ip access-group 102 out
 ip nat outside

access-list 102 deny   tcp 10.3.3.0 0.0.0.255 any eq smtp
access-list 102 permit ip any any

I also tried switching the order of the permit and deny lines just to see if it would make a difference, it doesn't, but if the permit line is gone the DHCP clients cease to be able to access the Internet, so I know the ACL works at least.

So, what am I doing wrong? I've googled around like crazy and it seems like I have the ACL line correct.
0
Comment
Question by:brokenlaptop
  • 2
4 Comments
 
LVL 24

Expert Comment

by:rfc1180
ID: 33623660
Take a look at:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml

outbound is checked after NAT; you are better off with:

interface FastEthernet0/1
no  ip access-group 102 out

interface FastEthernet0/0
 ip access-group 102 out

Billy

0
 
LVL 24

Accepted Solution

by:
rfc1180 earned 2000 total points
ID: 33623662
sorry:

this one:

interface FastEthernet0/0
 ip access-group 102 in
0
 
LVL 2

Expert Comment

by:nblancpain
ID: 33625417
Yes, absolutly. Or replace with :
access-list 102 deny   tcp any any eq smtp
access-list 102 permit ip any any
0
 

Author Closing Comment

by:brokenlaptop
ID: 33628182
Worked like a charm!
0

Featured Post

Prepare for an Exciting Career in Cybersecurity

Help prevent cyber-threats and provide solutions to safeguard our global digital economy. Earn your MS in Cybersecurity. WGU’s MSCSIA degree program curriculum features two internationally recognized certifications from the EC-Council at no additional time or cost.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

WARNING:   If you follow the instructions here, you will wipe out your VTP and VLAN configurations.  Make sure you have backed up your switch!!! I recently had some issues with a few low-end Cisco routers (RV325) and I opened a case with Cisco TA…
You deserve ‘straight talk’ from your cloud provider about your risk, your costs, security, uptime and the processes that are in place to protect your mission-critical applications.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

782 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question