?
Solved

Blocking outgoing port on Cisco 2801

Posted on 2010-09-07
4
Medium Priority
?
612 Views
Last Modified: 2013-11-30
I'm attempting to block all outgoing SMTP traffic on a given local range, but it simply isn't working.

All DHCP clients on my network are in the 10.3.3.x (255.255.0.0) range, and I'm wanting to keep them from contacting any mail server outside the network, so I did this:

# Interface to LAN
interface FastEthernet0/0
 ip address 10.3.0.1 255.255.0.0
 ip nat inside

# Interface to Internet
interface FastEthernet0/1
 ip address dhcp
 ip access-group 102 out
 ip nat outside

access-list 102 deny   tcp 10.3.3.0 0.0.0.255 any eq smtp
access-list 102 permit ip any any

I also tried switching the order of the permit and deny lines just to see if it would make a difference, it doesn't, but if the permit line is gone the DHCP clients cease to be able to access the Internet, so I know the ACL works at least.

So, what am I doing wrong? I've googled around like crazy and it seems like I have the ACL line correct.
0
Comment
Question by:brokenlaptop
  • 2
4 Comments
 
LVL 24

Expert Comment

by:rfc1180
ID: 33623660
Take a look at:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml

outbound is checked after NAT; you are better off with:

interface FastEthernet0/1
no  ip access-group 102 out

interface FastEthernet0/0
 ip access-group 102 out

Billy

0
 
LVL 24

Accepted Solution

by:
rfc1180 earned 2000 total points
ID: 33623662
sorry:

this one:

interface FastEthernet0/0
 ip access-group 102 in
0
 
LVL 2

Expert Comment

by:nblancpain
ID: 33625417
Yes, absolutly. Or replace with :
access-list 102 deny   tcp any any eq smtp
access-list 102 permit ip any any
0
 

Author Closing Comment

by:brokenlaptop
ID: 33628182
Worked like a charm!
0

Featured Post

Keep up with what's happening at Experts Exchange!

Sign up to receive Decoded, a new monthly digest with product updates, feature release info, continuing education opportunities, and more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

On Feb. 28, Amazon’s Simple Storage Service (S3) went down after an employee issued the wrong command during a debugging exercise. Among those affected were big names like Netflix, Spotify and Expedia.
Powerful tools can do wonders, but only in the right hands.  Nowhere is this more obvious than with the cloud.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

592 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question