Very simple access list, need advice

Feb 19th, 2008

We recently purchased the MailWise service. It is an outside 3rd-party filtering service.

They have instructed us to lock down the incoming SMTP traffic to our network so that our email can be filtered. See below:

If you would like to configure your firewall or router to accept messages only from MailWise. Our network range is 216.75.199.0/24.

Please accept the entire Class C Range (.1 through .255) as part of a trusted host

Here is the access list I created, with the group.

access-list 150 permit tcp 216.75.199.0 255.255.255.0 any eq smtp

access-group 150 in interface outside

Please let me know if this will do???

shivlu jain Tue, 02/19/2008 - 11:41

Please use a wildcard mask instead of a subnet mask, like the one given below:

access-list 150 permit tcp 216.75.199.0 0.0.0.255 any eq smtp

regards

shivlu

Richard Burts Tue, 02/19/2008 - 12:01

Shir

Shivlu makes a good suggestion that your mask was not correct. I will make an additional suggestion that if the access list is really as you have shown it then you will probably not like the result of applying that access list to the interface. Since the access list has only a single statement which permits SMTP from a particular range then all other traffic will be denied (because of the implied deny any at the bottom of every access list).

I suggest that you need to add these 2 lines to the access list before you apply it to the interface:

access-list 150 deny tcp any any eq smtp

access-list 150 permit ip any any

And all this assumes that there is no access list existing already on the interface. If there is an existing access list then this logic needs to be integrated into the existing list. If there is an existing list can you post its configuration?

HTH

Rick
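
The first-match behaviour both replies describe, as an added example that is not part of the original thread: a small Python model of extended access-list evaluation, run against the original entry, the corrected one-line list, and the three-line list. It assumes IOS-style wildcard masks as in the replies (PIX/ASA access lists, by contrast, take an ordinary subnet mask); the sample packets and the `evaluate` and `wildcard_match` helpers are constructed for illustration.

```python
import ipaddress

def ip(s):
    return int(ipaddress.IPv4Address(s))

def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'ignore this bit'."""
    care = ~ip(wildcard) & 0xFFFFFFFF
    return (ip(addr) & care) == (ip(base) & care)

ANY = ("0.0.0.0", "255.255.255.255")

# Each entry: (action, protocol, (source base, source wildcard), dest port or None).
# The destination is "any" in every entry from the thread, so it is not modelled.
ORIGINAL = [("permit", "tcp", ("216.75.199.0", "255.255.255.0"), 25)]
ONE_LINE = [("permit", "tcp", ("216.75.199.0", "0.0.0.255"), 25)]
FULL = ONE_LINE + [
    ("deny", "tcp", ANY, 25),
    ("permit", "ip", ANY, None),
]

def evaluate(acl, proto, src, dport):
    """First matching entry wins; no match falls to the implicit deny."""
    for action, aproto, (base, wc), aport in acl:
        if aproto not in ("ip", proto):
            continue
        if aport is not None and aport != dport:
            continue
        if wildcard_match(src, base, wc):
            return action
    return "deny"  # implicit deny any at the end of every access list

if __name__ == "__main__":
    # Constructed sample packets: (protocol, source address, destination port).
    packets = [
        ("tcp", "216.75.199.42", 25),   # host inside the MailWise range
        ("tcp", "198.51.100.0", 25),    # unrelated host whose last octet is 0
        ("tcp", "198.51.100.7", 25),    # direct SMTP from elsewhere
        ("tcp", "198.51.100.7", 443),   # non-SMTP traffic
    ]
    for name, acl in (("original", ORIGINAL), ("one-line", ONE_LINE), ("full", FULL)):
        for p in packets:
            print(f"{name:9} {p[1]:15} port {p[2]:<4} -> {evaluate(acl, *p)}")
```

Read as a wildcard, 255.255.255.0 ignores the first three octets and pins the last to 0, so the original entry misses the MailWise hosts and matches any source ending in .0.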
