12-16-2009 04:16 AM - edited 03-04-2019 06:59 AM
Hi all,
My client has asked me to configure an access list that allows the SMTP and POP3 traffic from a specific address of his network to a foreign address, deny any other traffic between these 2 addresses and allow all other traffic. This is the configuration:
access-list 109 remark ACL Customer OUT
access-list 109 permit tcp host xxx.xxx.x.xx host xx.xxx.xxx.x eq smtp
access-list 109 permit tcp host xxx.xxx.x.xx host xx.xxx.xxx.x eq pop3
access-list 109 deny ip host xxx.xxx.x.ss any
access-list 109 permit ip any any
interface GigabitEthernet0/0
ip access-group 109 out
The show access-list 109 output shows me that it is not working well. Does someone know the reason?
Thanks a lot
Customer#sh access-lists 109
Extended IP access list 109
10 permit tcp host xxx.xxx.x.xx host xx.xxx.x.xx eq smtp
20 permit tcp host xxx.xxx.x.xx host xx.xxx.x.xx eq pop3
30 deny ip host xxx.xxx.x.xx any (2566 matches)
40 permit ip any any (4945535 matches)
12-16-2009 04:28 AM
emilio1973 wrote:
Hi all,
My client has asked me to configure an access list that allows the SMTP and POP3 traffic from a specific address of his network to a foreign address, deny any other traffic between these 2 addresses and allow all other traffic. This is the configuration:
access-list 109 remark ACL Customer OUT
access-list 109 permit tcp host xxx.xxx.x.xx host xx.xxx.xxx.x eq smtp
access-list 109 permit tcp host xxx.xxx.x.xx host xx.xxx.xxx.x eq pop3
access-list 109 deny ip host xxx.xxx.x.ss any
access-list 109 permit ip any any
interface GigabitEthernet0/0
ip access-group 109 out
The show access-list 109 output shows me that it is not working well. Does someone know the reason?
Thanks a lot
Customer#sh access-lists 109
Extended IP access list 109
10 permit tcp host xxx.xxx.x.xx host xx.xxx.x.xx eq smtp
20 permit tcp host xxx.xxx.x.xx host xx.xxx.x.xx eq pop3
30 deny ip host xxx.xxx.x.xx any (2566 matches)
40 permit ip any any (4945535 matches)
It's difficult to say without understanding the topology, but where is the source host in relation to gi0/0? Are you sure you have applied the ACL to
1) the right interface
2) the right direction on the interface
Jon
12-16-2009 10:36 PM
There is a problem in the deny statement of the access list:
access-list 109 deny ip host xxx.xxx.x.ss any
This will deny traffic to all other hosts too. You need to replace it with:
access-list 109 deny ip host SRCIP host DSTIP
By "behind Gi0/0", do you mean that g0/0 faces the foreign address?
By "not working well", what do you mean? What are the results of testing connectivity?
You should use some addresses for the client host and the foreign host so we can better understand.
You may also want to write an access list to go "in" on the same interface to filter traffic coming from the foreign host.
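The point made above about the deny statement can be checked without a router. The following is an added example, not code from this thread: a small first-match evaluator for Cisco-style extended ACL entries that runs the same packets through the ACL as posted (deny ip host SRC any) and through the corrected version (deny ip host SRC host DST). The addresses, packets and port keywords are constructed for the example (RFC 5737 documentation ranges), not the poster's real ones, and the match counters it prints mirror the "(N matches)" column of show access-lists.

```python
"""
Added example, not from the thread: a first-match evaluator for Cisco-style
extended ACL entries. It shows why 'deny ip host SRC any' blocks the client
host's traffic to every destination, while 'deny ip host SRC host DST' only
blocks the one pair. All addresses are constructed (RFC 5737 ranges).
"""
import ipaddress

# IOS port keywords used in this thread (numeric ports are also accepted)
PORT_NAMES = {"smtp": 25, "pop3": 110, "www": 80}

CLIENT, FOREIGN, OTHER = "192.0.2.10", "198.51.100.5", "203.0.113.7"  # constructed

AS_POSTED = [
    "access-list 109 remark ACL Customer OUT",
    f"access-list 109 permit tcp host {CLIENT} host {FOREIGN} eq smtp",
    f"access-list 109 permit tcp host {CLIENT} host {FOREIGN} eq pop3",
    f"access-list 109 deny ip host {CLIENT} any",
    "access-list 109 permit ip any any",
]
# Same list with the deny narrowed to the one source/destination pair
CORRECTED = AS_POSTED[:3] + [
    f"access-list 109 deny ip host {CLIENT} host {FOREIGN}",
    "access-list 109 permit ip any any",
]


def _parse_addr(tokens, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' at tokens[i]; return (network, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # address + wildcard: ipaddress accepts a contiguous wildcard as a hostmask
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line):
    """Parse 'access-list N {permit|deny} PROTO SRC DST [eq PORT]'; remarks give None."""
    t = line.split()
    if t[2] == "remark":
        return None
    src, i = _parse_addr(t, 4)
    dst, i = _parse_addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return {"action": t[2], "proto": t[3], "src": src, "dst": dst, "dport": dport}


def load(lines):
    return [ace for ace in map(parse_ace, lines) if ace is not None]


def evaluate(acl, proto, src, dst, dport=None):
    """First matching entry wins. Returns (action, sequence number), or
    ('deny', None) for the implicit deny at the end of every IOS ACL."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for seq, ace in enumerate(acl, start=1):
        if ace["proto"] != "ip" and ace["proto"] != proto:
            continue
        if s not in ace["src"] or d not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"], seq * 10  # IOS numbers entries 10, 20, 30, ...
    return "deny", None


# Constructed traffic: what the ACL should and should not affect
PACKETS = {
    "client->foreign smtp": ("tcp", CLIENT, FOREIGN, 25),
    "client->foreign http": ("tcp", CLIENT, FOREIGN, 80),
    "client->foreign icmp": ("icmp", CLIENT, FOREIGN, None),
    "client->other https": ("tcp", CLIENT, OTHER, 443),
    "other->foreign http": ("tcp", OTHER, FOREIGN, 80),
}


def compare(packets=PACKETS):
    """Return {packet name: (verdict under AS_POSTED, verdict under CORRECTED)}."""
    posted, fixed = load(AS_POSTED), load(CORRECTED)
    return {name: (evaluate(posted, *pkt)[0], evaluate(fixed, *pkt)[0])
            for name, pkt in packets.items()}


def match_counts(lines, packets=PACKETS):
    """Per-entry hit counters, like the '(N matches)' column of 'show access-lists'."""
    acl = load(lines)
    counts = {seq * 10: 0 for seq in range(1, len(acl) + 1)}
    for pkt in packets.values():
        _, seq = evaluate(acl, *pkt)
        if seq is not None:
            counts[seq] += 1
    return counts


if __name__ == "__main__":
    for name, (posted, fixed) in compare().items():
        flag = "  <-- differs" if posted != fixed else ""
        print(f"{name:24} posted={posted:6} corrected={fixed:6}{flag}")
    print("posted    :", match_counts(AS_POSTED))
    print("corrected :", match_counts(CORRECTED))
```

Only the "client->other https" packet changes verdict between the two lists: the posted deny catches it at sequence 30 (which is where the 2566 matches in the original output come from, if they include traffic to destinations other than the foreign host), while the corrected deny lets it fall through to permit ip any any at sequence 40. The mail traffic and the unwanted client-to-foreign traffic are handled identically by both lists.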
12-16-2009 06:17 AM