Problem with ACL

Answered Question
Dec 16th, 2009
Hi all,

My client has asked me to configure an access list that allows the SMTP and POP3 traffic from a specific address of his network to a foreign address, denies any other traffic between these 2 addresses and allows all other traffic. This is the configuration:

access-list 109 remark ACL Customer OUT
access-list 109 permit tcp host xxx.xxx.x.xx host xx.xxx.xxx.x eq smtp
access-list 109 permit tcp host xxx.xxx.x.xx host xx.xxx.xxx.x eq pop3
access-list 109 deny   ip host xxx.xxx.x.ss any
access-list 109 permit ip any any

interface GigabitEthernet0/0
 ip access-group 109 out

The show access-list 109 output shows me that it is not working well. Does someone know the reason?

Thanks a lot

Customer#sh access-lists 109
Extended IP access list 109
    10 permit tcp host xxx.xxx.x.xx host xx.xxx.x.xx eq smtp
    20 permit tcp host xxx.xxx.x.xx host xx.xxx.x.xx eq pop3
    30 deny ip host xxx.xxx.x.xx any (2566 matches)
    40 permit ip any any (4945535 matches)

Correct Answer
Jon Marshall Wed, 12/16/2009 - 04:28

emilio1973 wrote:

Hi all,

My client has asked me to configure an access list that allows the SMTP and POP3 traffic from a specific address of his network to a foreign address, denies any other traffic between these 2 addresses and allows all other traffic. This is the configuration:

access-list 109 remark ACL Customer OUT
access-list 109 permit tcp host xxx.xxx.x.xx host xx.xxx.xxx.x eq smtp
access-list 109 permit tcp host xxx.xxx.x.xx host xx.xxx.xxx.x eq pop3
access-list 109 deny   ip host xxx.xxx.x.ss any
access-list 109 permit ip any any

interface GigabitEthernet0/0
 ip access-group 109 out

The show access-list 109 output shows me that it is not working well. Does someone know the reason?

Thanks a lot

Customer#sh access-lists 109
Extended IP access list 109
    10 permit tcp host xxx.xxx.x.xx host xx.xxx.x.xx eq smtp
    20 permit tcp host xxx.xxx.x.xx host xx.xxx.x.xx eq pop3
    30 deny ip host xxx.xxx.x.xx any (2566 matches)
    40 permit ip any any (4945535 matches)

It's difficult to say without understanding the topology, but where is the source host in relation to gi0/0? Are you sure you have applied the ACL to

1) the right interface

2) the right direction on the interface

Jon

emilio1973 Wed, 12/16/2009 - 06:17
hi Jon

Thanks for answering. The source IP address is on the internal network (behind Gi0/0). Your answer made me think that I should apply the access list on the Ethernet interface (LAN) in the inbound (IN) direction. I will try it and then discuss the results with you.

Thanks
Correct Answer
colin.farley Wed, 12/16/2009 - 22:36
There is a problem in the deny statement of the access list:

access-list 109 deny   ip host xxx.xxx.x.ss any

This will deny traffic to any other hosts too. You need to replace it with:

access-list 109 deny ip host SRCIP host DSTIP

By "behind Gi0/0" do you mean that g0/0 faces the foreign address?

By "not working well" what do you mean? What are the results of testing connectivity?

You should use some addresses for the client host and foreign host so we can better understand.

You may also want to write an access list to go "in" on the same interface to filter traffic coming from the foreign host.
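As an added example (not code from the thread or from Cisco), the following Python evaluator applies IOS first-match semantics to both versions of the ACL above, with constructed placeholder addresses standing in for the masked values, to show that the original "deny ip host SRC any" also drops the client's traffic to every unrelated destination, while the corrected "deny ip host SRCIP host DSTIP" blocks only the non-mail traffic between the two hosts.

```python
# Added example, not from the thread: a first-match evaluator for the IOS-style
# extended ACL lines quoted above. Addresses are constructed placeholders for
# the masked xxx values; OTHER is an unrelated destination host.
SRC, DST, OTHER = "192.0.2.10", "198.51.100.25", "203.0.113.7"
PORTS = {"smtp": 25, "pop3": 110}          # IOS keyword -> TCP port

def _addr(tok, i):
    """Consume 'any' or 'host A'; None means wildcard."""
    return (None, i + 1) if tok[i] == "any" else (tok[i + 1], i + 2)

def parse_acl(text):
    """Parse 'access-list N {permit|deny} PROTO SRC DST [eq PORT]' lines."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[0] != "access-list" or tok[2] == "remark":
            continue
        action, proto = tok[2], tok[3]
        src, i = _addr(tok, 4)
        dst, i = _addr(tok, i)
        port = PORTS[tok[i + 1]] if i < len(tok) and tok[i] == "eq" else None
        rules.append((action, proto, src, dst, port))
    return rules

def evaluate(rules, proto, src, dst, dport):
    """First matching entry wins; unmatched traffic hits IOS's implicit deny."""
    for action, rproto, rsrc, rdst, rport in rules:
        if (rproto in ("ip", proto) and rsrc in (None, src)
                and rdst in (None, dst) and rport in (None, dport)):
            return action
    return "deny"

ORIGINAL = f"""
access-list 109 permit tcp host {SRC} host {DST} eq smtp
access-list 109 permit tcp host {SRC} host {DST} eq pop3
access-list 109 deny   ip host {SRC} any
access-list 109 permit ip any any
"""
FIXED = ORIGINAL.replace(f"host {SRC} any", f"host {SRC} host {DST}")

# Constructed flows: the two wanted mail sessions, SRC->DST on another port
# (must be denied either way) and SRC->OTHER (collateral damage in ORIGINAL).
FLOWS = [("tcp", SRC, DST, 25), ("tcp", SRC, DST, 110),
         ("tcp", SRC, DST, 443), ("tcp", SRC, OTHER, 443)]

def decisions(acl_text):
    """Return the ACL's verdict for each flow in FLOWS, in order."""
    rules = parse_acl(acl_text)
    return [evaluate(rules, *flow) for flow in FLOWS]
```

decisions(ORIGINAL) yields permit, permit, deny, deny (the client loses all non-mail connectivity, which matches the 2566 hits on entry 30), while decisions(FIXED) yields permit, permit, deny, permit.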
