Blocking outgoing port on Cisco 2801

I'm attempting to block all outgoing SMTP traffic on a given local range, but it simply isn't working.

All DHCP clients on my network are in the 10.3.3.x (255.255.0.0) range, and I'm wanting to keep them from contacting any mail server outside the network, so I did this:

# Interface to LAN
interface FastEthernet0/0
 ip address 10.3.0.1 255.255.0.0
 ip nat inside

# Interface to Internet
interface FastEthernet0/1
 ip address dhcp
 ip access-group 102 out
 ip nat outside

access-list 102 deny   tcp 10.3.3.0 0.0.0.255 any eq smtp
access-list 102 permit ip any any

I also tried switching the order of the permit and deny lines just to see if it would make a difference, it doesn't, but if the permit line is gone the DHCP clients cease to be able to access the Internet, so I know the ACL works at least.

So, what am I doing wrong? I've googled around like crazy and it seems like I have the ACL line correct.
brokenlaptopAsked:
Who is Participating?
 
rfc1180Commented:
sorry:

this one:

interface FastEthernet0/0
 ip access-group 102 in
0
 
rfc1180Commented:
Take a look at:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml

outbound is checked after NAT; you are better off with:

interface FastEthernet0/1
no  ip access-group 102 out

interface FastEthernet0/0
 ip access-group 102 out

Billy

0
 
nblancpainCommented:
Yes, absolutly. Or replace with :
access-list 102 deny   tcp any any eq smtp
access-list 102 permit ip any any
0
 
brokenlaptopAuthor Commented:
Worked like a charm!
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.