
Problem with ACL

emilio1973
Level 1

Hi all,

My client has asked me to configure an access list that allows the SMTP and POP3 traffic from a specific address of his network to a foreign address, deny any other traffic between these 2 addresses and allow all other traffic. This is the configuration:

access-list 109 remark ACL Customer OUT
access-list 109 permit tcp host xxx.xxx.x.xx host xx.xxx.xxx.x eq smtp
access-list 109 permit tcp host xxx.xxx.x.xx host xx.xxx.xxx.x eq pop3
access-list 109 deny   ip host xxx.xxx.x.ss any
access-list 109 permit ip any any

interface GigabitEthernet0/0

ip access-group 109 out

The show access-list 109 output shows me that it is not working well. Does anyone know the reason?

Thanks a lot

Customer#sh access-lists 109
Extended IP access list 109
    10 permit tcp host xxx.xxx.x.xx host xx.xxx.x.xx eq smtp
    20 permit tcp host xxx.xxx.x.xx host xx.xxx.x.xx eq pop3
    30 deny ip host xxx.xxx.x.xx any (2566 matches)
    40 permit ip any any (4945535 matches)

2 Accepted Solutions: the replies by Jon Marshall and colin.farley below.

3 Replies

Jon Marshall
Hall of Fame

emilio1973 wrote:

Hi all,

My client has asked me to configure an access list that allows the SMTP and POP3 traffic from a specific address of his network to a foreign address, deny any other traffic between these 2 addresses and allow all other traffic. This is the configuration:

access-list 109 remark ACL Customer OUT
access-list 109 permit tcp host xxx.xxx.x.xx host xx.xxx.xxx.x eq smtp
access-list 109 permit tcp host xxx.xxx.x.xx host xx.xxx.xxx.x eq pop3
access-list 109 deny   ip host xxx.xxx.x.ss any
access-list 109 permit ip any any

interface GigabitEthernet0/0

ip access-group 109 out

The show access-list 109 output shows me that it is not working well. Does anyone know the reason?

Thanks a lot

Customer#sh access-lists 109
Extended IP access list 109
    10 permit tcp host xxx.xxx.x.xx host xx.xxx.x.xx eq smtp
    20 permit tcp host xxx.xxx.x.xx host xx.xxx.x.xx eq pop3
    30 deny ip host xxx.xxx.x.xx any (2566 matches)
    40 permit ip any any (4945535 matches)

It's difficult to say without understanding the topology, but where is the source host in relation to gi0/0? Are you sure you have applied the ACL to

1) the right interface

2) the right direction on the interface

Jon

Hi Jon,

Thanks for answering. The source IP address is on the internal network (behind Gi0/0). Your answer made me think that I should apply the access list on the Ethernet interface (LAN) in the inbound direction (IN). I will try it and then discuss the results with you.

Thanks

colin.farley
Level 1

There is a problem in the deny statement of the access list:

access-list 109 deny   ip host xxx.xxx.x.ss any

This will deny traffic to any other host too. You need to replace this with:

access-list 109 deny ip host SRCIP host DSTIP

By "behind Gi0/0" do you mean that G0/0 faces the foreign address?

By "not working well" what do you mean? What are the results of testing connectivity?

You should use some addresses for the client host and the foreign host so we can better understand.

You may also want to write an access list to go "in" on the same interface to filter traffic coming from the foreign host.
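To make the first-match behaviour behind Colin's point concrete, here is a small Python simulator. It is added here as an illustration and is not code from any poster or from Cisco. It evaluates the original list and the narrowed deny line against a few constructed packets and keeps per-line hit counters like the "(N matches)" in show access-lists. The addresses 192.0.2.10, 198.51.100.25 and 203.0.113.7 are documentation placeholders standing in for the redacted ones, and "eq smtp" / "eq pop3" are taken as TCP ports 25 and 110.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Ace:
    """One access control entry, modelled on IOS extended ACL syntax."""
    seq: int
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any protocol; otherwise "tcp"/"udp"
    src: str                     # "any" or a host/network in CIDR form
    dst: str
    dport: Optional[int] = None  # destination port for "eq <port>", None if absent


def _addr_matches(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def ace_matches(ace: Ace, pkt: Dict) -> bool:
    """True if the packet satisfies every field the entry specifies."""
    if ace.proto != "ip" and ace.proto != pkt["proto"]:
        return False
    if not _addr_matches(ace.src, pkt["src"]) or not _addr_matches(ace.dst, pkt["dst"]):
        return False
    if ace.dport is not None and pkt.get("dport") != ace.dport:
        return False
    return True


def evaluate(acl: List[Ace], pkt: Dict, counters: Dict[int, int]) -> str:
    """IOS semantics: the first matching entry decides, later entries are never
    consulted, and an unmatched packet hits the implicit deny at the end."""
    for ace in acl:
        if ace_matches(ace, pkt):
            counters[ace.seq] = counters.get(ace.seq, 0) + 1
            return ace.action
    return "deny"


# Constructed placeholder addresses; the thread redacts the real ones.
CLIENT = "192.0.2.10"       # the internal host allowed to talk mail to FOREIGN
FOREIGN = "198.51.100.25"   # the foreign mail server
OTHER = "203.0.113.7"       # some unrelated address

ORIGINAL_ACL = [
    Ace(10, "permit", "tcp", CLIENT + "/32", FOREIGN + "/32", 25),
    Ace(20, "permit", "tcp", CLIENT + "/32", FOREIGN + "/32", 110),
    Ace(30, "deny", "ip", CLIENT + "/32", "any"),   # the line Colin flagged
    Ace(40, "permit", "ip", "any", "any"),
]

# Same list with line 30 narrowed to the foreign host only.
FIXED_ACL = [
    Ace(10, "permit", "tcp", CLIENT + "/32", FOREIGN + "/32", 25),
    Ace(20, "permit", "tcp", CLIENT + "/32", FOREIGN + "/32", 110),
    Ace(30, "deny", "ip", CLIENT + "/32", FOREIGN + "/32"),
    Ace(40, "permit", "ip", "any", "any"),
]

# Constructed test traffic, all flowing in the direction the ACL filters.
PACKETS = {
    "smtp_to_foreign":      {"proto": "tcp", "src": CLIENT, "dst": FOREIGN, "dport": 25},
    "pop3_to_foreign":      {"proto": "tcp", "src": CLIENT, "dst": FOREIGN, "dport": 110},
    "https_to_foreign":     {"proto": "tcp", "src": CLIENT, "dst": FOREIGN, "dport": 443},
    "https_to_other":       {"proto": "tcp", "src": CLIENT, "dst": OTHER, "dport": 443},
    "other_src_to_foreign": {"proto": "tcp", "src": OTHER, "dst": FOREIGN, "dport": 443},
}


def run(acl: List[Ace]) -> Tuple[Dict[str, str], Dict[int, int]]:
    """Return the verdict for each packet plus per-line hit counters, the same
    numbers 'show access-lists' reports as '(N matches)'."""
    counters: Dict[int, int] = {}
    verdicts = {name: evaluate(acl, pkt, counters) for name, pkt in PACKETS.items()}
    return verdicts, counters


if __name__ == "__main__":
    for label, acl in (("original", ORIGINAL_ACL), ("fixed", FIXED_ACL)):
        verdicts, counters = run(acl)
        print(label, verdicts, counters)
```

With the original list, the client's HTTPS traffic to the unrelated host stops at line 30 just like its non-mail traffic to the foreign host, so line 30 accumulates hits for everything the client sends that is not mail; with the narrowed deny, only the non-mail traffic to the foreign host is dropped and the rest falls through to line 40. The simulator models only the list itself, not which interface or direction it is bound to, which is the separate question Jon raised.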
