Solved

Blocking outgoing port on Cisco 2801

Posted on 2010-09-07
4
607 Views
Last Modified: 2013-11-30
I'm attempting to block all outgoing SMTP traffic on a given local range, but it simply isn't working.

All DHCP clients on my network are in the 10.3.3.x (255.255.0.0) range, and I'm wanting to keep them from contacting any mail server outside the network, so I did this:

# Interface to LAN
interface FastEthernet0/0
 ip address 10.3.0.1 255.255.0.0
 ip nat inside

# Interface to Internet
interface FastEthernet0/1
 ip address dhcp
 ip access-group 102 out
 ip nat outside

access-list 102 deny   tcp 10.3.3.0 0.0.0.255 any eq smtp
access-list 102 permit ip any any

I also tried switching the order of the permit and deny lines just to see if it would make a difference, it doesn't, but if the permit line is gone the DHCP clients cease to be able to access the Internet, so I know the ACL works at least.

So, what am I doing wrong? I've googled around like crazy and it seems like I have the ACL line correct.
0
Comment
Question by:brokenlaptop
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 24

Expert Comment

by:rfc1180
ID: 33623660
Take a look at:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml

outbound is checked after NAT; you are better off with:

interface FastEthernet0/1
no  ip access-group 102 out

interface FastEthernet0/0
 ip access-group 102 out

Billy

0
 
LVL 24

Accepted Solution

by:
rfc1180 earned 500 total points
ID: 33623662
sorry:

this one:

interface FastEthernet0/0
 ip access-group 102 in
0
 
LVL 2

Expert Comment

by:nblancpain
ID: 33625417
Yes, absolutly. Or replace with :
access-list 102 deny   tcp any any eq smtp
access-list 102 permit ip any any
0
 

Author Closing Comment

by:brokenlaptop
ID: 33628182
Worked like a charm!
0

Featured Post

On Demand Webinar - Networking for the Cloud Era

This webinar discusses:
-Common barriers companies experience when moving to the cloud
-How SD-WAN changes the way we look at networks
-Best practices customers should employ moving forward with cloud migration
-What happens behind the scenes of SteelConnect’s one-click button

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
2960 port config for both PC & SIP phone using QoS 2 55
upgrade Cisco Aironet AP 3 40
Advice on router and switch 25 79
pfsense upgrade from 2.2.6 to 2.3.3 28 76
In the hope of saving someone else's sanity... About a year ago we bought a Cisco 1921 router with two ADSL/VDSL EHWIC cards to load balance local network traffic over the two broadband lines we have, but we couldn't get the routing to work consi…
When speed and performance are vital to revenue, companies must have complete confidence in their cloud environment.
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

736 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question