blocking outgoing smtp traffic on cisco 878

Hi Experts,
I face a challenge getting a cisco 878 to block all smtp traffic except for our mailserver.
I've read numerous articles that point me to the following solution, which is configuring the following ACLs:
Extended IP access list 101
    10 permit tcp host 192.168.10.1 any eq smtp log (5187 matches)
    20 deny tcp any eq smtp any eq smtp log
    30 permit ip any any (373731 matches)
As you see 10 and 30 are actually filtering, but the desired one does not.

I really don't know what could be wrong here, so maybe there is a conflicting setting somewhere in the running config:
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 pvc 0 2/32
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 ip address 192.168.10.10 255.255.255.0
 ip access-group 101 in
 no ip redirects
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
!
interface Dialer0
 ip address 80.127.150.73 255.255.255.248
 no ip redirects
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication pap callin
 ppp pap sent-username bdsl@xs4all.nl password 7 071732184F0515
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0 permanent
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static tcp 192.168.10.1 25 interface Dialer0 25
ip nat inside source static tcp 192.168.10.1 443 interface Dialer0 443
ip nat inside source static tcp 192.168.10.1 1723 interface Dialer0 1723
ip nat inside source static tcp 192.168.10.1 987 interface Dialer0 987
ip nat inside source list 101 interface Dialer0 overload
!
access-list 22 permit 255.255.255.248 0.0.0.7
access-list 22 permit 194.109.0.0 0.0.3.255
access-list 22 permit 192.168.0.0 0.0.255.255
access-list 101 remark SMTP outgoing
access-list 101 remark CCP_ACL Category=3
access-list 101 remark HVHSRV01
access-list 101 permit tcp host 192.168.10.1 any eq smtp log
access-list 101 remark block outgoing smtp
access-list 101 deny   tcp any eq smtp any eq smtp log
access-list 101 remark overig allowed
access-list 101 permit ip any any
dialer-list 1 protocol ip permit
snmp-server community public RO 22

I hope you can help me with this; any help greatly appreciated.
rgds
Willem
idealict Asked:

Marius Gunnerud (Senior Systems Engineer) Commented:
remove the access list from vlan 1 and apply it on dialer 0 out
0
Ernie Beek (Expert) Commented:
Make the second line:
Deny TCP any any eq smtp log
That should do the trick.
0
idealict (Author) Commented:
Hi MAG03,
Thnx for the quick reaction; I changed the ACL to the dialer 0 out:

interface Dialer0
 ip address 80.127.150.73 255.255.255.248
 ip access-group 101 out
 no ip redirects
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1

Tested it by opening a telnet session to an external smtp server (smtp.xs4all.nl): still gets connected...
The other rules still seem to be working:
Standard IP access list 22
    10 permit 255.255.255.248, wildcard bits 0.0.0.7
    20 permit 194.109.0.0, wildcard bits 0.0.3.255
    30 permit 192.168.0.0, wildcard bits 0.0.255.255 (58 matches)
Extended IP access list 101
    10 permit tcp host 192.168.10.1 any eq smtp log (2 matches)
    20 deny tcp any eq smtp any eq smtp log
    30 permit ip any any (5362 matches)

0
Ernie Beek (Expert) Commented:
It's not really necessary to have the access-list on the outside. Packets are going through the device first before they get dropped (consuming CPU cycles), so just put it back to the inside.
And as I said, change that second line to:
deny tcp any any eq smtp log
0
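Why the original line 20 never fires, and why Ernie's replacement does, is easiest to see by walking both versions of access-list 101 through a first-match evaluator. The following Python model is an example added for this page (it is neither Cisco IOS code nor anything the poster ran); the 192.168.10.55 client, the 203.0.113.x external hosts (RFC 5737 documentation space) and the ephemeral source ports are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")
SMTP = 25


def host(addr: str) -> ipaddress.IPv4Network:
    """Equivalent of the IOS 'host a.b.c.d' keyword (a /32)."""
    return ipaddress.ip_network(f"{addr}/32")


@dataclass(frozen=True)
class Ace:
    """One access-control entry; an 'eq' port test that is absent is None."""
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp" or "ip" ("ip" matches any protocol)
    src: ipaddress.IPv4Network
    src_port: Optional[int]      # 'eq' test on the SOURCE port
    dst: ipaddress.IPv4Network
    dst_port: Optional[int]      # 'eq' test on the DESTINATION port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def matches(ace: Ace, pkt: Packet) -> bool:
    """Every field present in the ACE must match; absent port tests match anything."""
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ace.src:
        return False
    if ipaddress.ip_address(pkt.dst) not in ace.dst:
        return False
    if ace.src_port is not None and pkt.sport != ace.src_port:
        return False
    if ace.dst_port is not None and pkt.dport != ace.dst_port:
        return False
    return True


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First match wins; returns (action, sequence number), or the implicit deny."""
    for index, ace in enumerate(acl, start=1):
        if matches(ace, pkt):
            return ace.action, index * 10
    return "deny", None  # every IOS ACL ends with an implicit deny


# access-list 101 exactly as posted in the question.
ORIGINAL_ACL = [
    Ace("permit", "tcp", host("192.168.10.1"), None, ANY, SMTP),
    Ace("deny", "tcp", ANY, SMTP, ANY, SMTP),    # 'deny tcp any eq smtp any eq smtp'
    Ace("permit", "ip", ANY, None, ANY, None),
]

# The same list with line 20 replaced by 'deny tcp any any eq smtp log'.
FIXED_ACL = [
    Ace("permit", "tcp", host("192.168.10.1"), None, ANY, SMTP),
    Ace("deny", "tcp", ANY, None, ANY, SMTP),
    Ace("permit", "ip", ANY, None, ANY, None),
]

# Constructed sample flows: a hypothetical client 192.168.10.55 and external
# hosts in 203.0.113.0/24. Note the ephemeral source ports, as real clients use.
MAILSERVER_SMTP = Packet("tcp", "192.168.10.1", 49152, "203.0.113.25", SMTP)
CLIENT_SMTP = Packet("tcp", "192.168.10.55", 51234, "203.0.113.25", SMTP)
CLIENT_HTTPS = Packet("tcp", "192.168.10.55", 51235, "203.0.113.80", 443)


if __name__ == "__main__":
    for name, pkt in [("mailserver -> smtp", MAILSERVER_SMTP),
                      ("client -> smtp", CLIENT_SMTP),
                      ("client -> https", CLIENT_HTTPS)]:
        print(f"{name:20} original: {evaluate(ORIGINAL_ACL, pkt)}"
              f"  fixed: {evaluate(FIXED_ACL, pkt)}")
```

Running it shows the client's SMTP connection hitting line 30 (permit) under the original list and line 20 (deny) under the fixed one. The posted line 20 tests `eq smtp` on the source port as well as the destination, so it only matches a connection whose source port is also 25; a client opening a connection picks an ephemeral source port, so nothing ever matches and the flow falls through to `permit ip any any`. Two practical checks after the change: `show access-lists 101` should start accumulating matches on line 20 when a workstation attempts port 25, and the `log` keyword will write those hits to syslog, which is the evidence you want that the block is doing something. One caveat from the posted config: ACL 101 is also referenced by `ip nat inside source list 101 interface Dialer0 overload`. For inside-to-outside traffic the inbound ACL on Vlan1 is evaluated before NAT, so denied SMTP never reaches the translation step, but a dedicated ACL for NAT keeps the two policies from being edited as one.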
idealict (Author) Commented:
Should have posted earlier....
0
idealict (Author) Commented:
erniebeek,
that did the trick, thanks a million! Lifesaver...
Rgds
Willem
0
Ernie Beek (Expert) Commented:
Glad I could help :)

And thx for the points.
0
idealict (Author) Commented:
well deserved
0
Question has a verified solution.