Very simple access list, need advice

Feb 19th, 2008

We recently purchased the MailWise service. It is an outside 3rd-party filtering service.


They have instructed us to lock down the incoming SMTP traffic to our network so that our email can be filtered. See below:


If you would like to configure your firewall or router to accept messages only from MailWise. Our network range is 216.75.199.0/24.

Please accept the entire Class C Range (.1 through .255) as part of a trusted host



Here is the access list I created, with the group.


access-list 150 permit tcp 216.75.199.0 255.255.255.0 any eq smtp


access-group 150 in interface outside



Please let me know if this will do???



shivlu jain Tue, 02/19/2008 - 11:41

Please use a wildcard mask instead of subnet, like the one given below:


access-list 150 permit tcp 216.75.199.0 0.0.0.255 any eq smtp


regards

shivlu


Richard Burts Tue, 02/19/2008 - 12:01

Shir


Shivlu makes a good suggestion that your mask was not correct. I will make an additional suggestion that if the access list is really as you have shown it then you will probably not like the result of applying that access list to the interface. Since the access list has only a single statement which permits SMTP from a particular range then all other traffic will be denied (because of the implied deny any at the bottom of every access list).


I suggest that you need to add these 2 lines to the access list before you apply it to the interface:

access-list 150 deny tcp any any eq smtp

access-list 150 permit ip any any


And all this assumes that there is no access list existing already on the interface. If there is an existing access list then this logic needs to be integrated into the existing list. If there is an existing list can you post its configuration?


HTH


Rick
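
The first-match and implicit-deny behaviour discussed in this thread, as an added example that is not part of any poster's reply: a small Python model of an extended ACL, assuming IOS-style wildcard masks as the replies do. The function names and the source addresses 198.51.100.7 and 203.0.113.0 are constructed for illustration.

```python
import ipaddress

def ip(s):
    return int(ipaddress.IPv4Address(s))

def wildcard_match(addr, base, wildcard):
    # Wildcard bits set to 1 are "don't care"; bits set to 0 must match.
    care = ~ip(wildcard) & 0xFFFFFFFF
    return (ip(addr) & care) == (ip(base) & care)

def entry(action, proto, src, dport=None):
    return {"action": action, "proto": proto, "src": src, "dport": dport}

def evaluate(acl, proto, src, dport):
    """Return the action of the first matching entry, else the implicit deny."""
    for e in acl:
        if e["proto"] not in ("ip", proto):
            continue
        if not wildcard_match(src, *e["src"]):
            continue
        if e["dport"] is not None and e["dport"] != dport:
            continue
        return e["action"]
    return "deny"  # implied "deny any" at the bottom of every access list

ANY = ("0.0.0.0", "255.255.255.255")
SMTP = 25
MAILWISE = ("216.75.199.0", "0.0.0.255")

# Only the single permit line: everything that is not MailWise SMTP is dropped.
ACL_SINGLE = [entry("permit", "tcp", MAILWISE, SMTP)]

# The permit line followed by the two lines suggested in the thread.
ACL_FULL = [
    entry("permit", "tcp", MAILWISE, SMTP),
    entry("deny", "tcp", ANY, SMTP),
    entry("permit", "ip", ANY),
]

# 255.255.255.0 read as a wildcard mask: only the last octet is compared.
ACL_NETMASK = [entry("permit", "tcp", ("216.75.199.0", "255.255.255.0"), SMTP)]

if __name__ == "__main__":
    tests = [("tcp", "216.75.199.10", 25), ("tcp", "198.51.100.7", 25),
             ("tcp", "198.51.100.7", 80), ("tcp", "203.0.113.0", 25)]
    for name, acl in [("single", ACL_SINGLE), ("full", ACL_FULL),
                      ("netmask-as-wildcard", ACL_NETMASK)]:
        for proto, src, port in tests:
            print(name, proto, src, port, "->", evaluate(acl, proto, src, port))
```
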
