Solved

Blocking outgoing port on Cisco 2801

Posted on 2010-09-07
4
603 Views
Last Modified: 2013-11-30
I'm attempting to block all outgoing SMTP traffic on a given local range, but it simply isn't working.

All DHCP clients on my network are in the 10.3.3.x (255.255.0.0) range, and I'm wanting to keep them from contacting any mail server outside the network, so I did this:

# Interface to LAN
interface FastEthernet0/0
 ip address 10.3.0.1 255.255.0.0
 ip nat inside

# Interface to Internet
interface FastEthernet0/1
 ip address dhcp
 ip access-group 102 out
 ip nat outside

access-list 102 deny   tcp 10.3.3.0 0.0.0.255 any eq smtp
access-list 102 permit ip any any

I also tried switching the order of the permit and deny lines just to see if it would make a difference, it doesn't, but if the permit line is gone the DHCP clients cease to be able to access the Internet, so I know the ACL works at least.

So, what am I doing wrong? I've googled around like crazy and it seems like I have the ACL line correct.
0
Comment
Question by:brokenlaptop
  • 2
4 Comments
 
LVL 24

Expert Comment

by:rfc1180
Comment Utility
Take a look at:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml

outbound is checked after NAT; you are better off with:

interface FastEthernet0/1
no  ip access-group 102 out

interface FastEthernet0/0
 ip access-group 102 out

Billy

0
 
LVL 24

Accepted Solution

by:
rfc1180 earned 500 total points
Comment Utility
sorry:

this one:

interface FastEthernet0/0
 ip access-group 102 in
0
 
LVL 2

Expert Comment

by:nblancpain
Comment Utility
Yes, absolutly. Or replace with :
access-list 102 deny   tcp any any eq smtp
access-list 102 permit ip any any
0
 

Author Closing Comment

by:brokenlaptop
Comment Utility
Worked like a charm!
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

We've been using the Cisco/Linksys RV042 for years as: - an internet Gateway - a site-to-site VPN device - a leased line site-to-site subnet-to-subnet interface (And, here I'm assuming that any RV0xx behaves the same way as an RV042.  So that's …
In the world of WAN, QoS is a pretty important topic for most, if not all, networks. Some WAN technologies have QoS mechanisms built in, but others, such as some L2 WAN's, don't have QoS control in the provider cloud.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now