ASA 5505: ACL to allow Email traffic only to DHCP clients?

Nov 15th, 2011

Greetings All,


So here's what I think I should do to give email access only to a segment of addresses of my inside network.


1) Create a network object for 62 machines that will represent my dhcp clients. I plan to use 192.168.0.65-192.168.0.126. So I will use address 192.168.0.64 with netmask 255.255.255.192. Then set DHCP server to service this address range.


2) Create an ACL which will Permit Any to use tcp port 110 (pop3) to get to the outside. Which leads me to question #1:


How do I permit the source "Any" to communicate with "Any Less Secure Networks" like the implicit rule that gets zapped once I create new ACL? Is "Any Less Secure Network" implied by the "Any" destination?


3) Create an ACL which will Deny my DHCP range to talk to the outside.


4) Create an ACL which will Permit Any to talk to Any Less Secure Network (essentially recreating the implicit Permit ACL that got zapped).


Do you think this will work?


Thanks for any input. I truly do appreciate it.


--John

Julio Carvajal Tue, 11/15/2011 - 19:07

Hello John,


Let's start by saying that you can only have one access-group on the outbound direction on any interface, so as soon as you apply an ACL on that interface you are going to lose the access to any less secure network unless you configure that access on an ACE (Access List Entry).


So if what you want to do is just to allow the DHCP clients to talk to servers or clients on less secure networks on port 110, that is what you need to do (use step #2), which by the way has the access to any other lower security level interface implied on the "any". So yes, creating an ACL to do that is going to work.


Hope this helps,


Please rate helpful post.


Regards,



Julio
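The four steps from John's post, and Julio's point that the one access-group you apply replaces the implicit "any to less secure" permit, written out as ASA CLI. This is an added example, not configuration from either poster; the names INSIDE_IN and DHCP_CLIENTS, the choice to apply the ACL inbound on the inside interface, and the 203.0.113.5 test address are assumptions made for the example.

```cisco
! Step 1: DHCP scope 192.168.0.65-192.168.0.126 and an object-group for the
! same /26 (192.168.0.64 255.255.255.192). object-group syntax works on both
! pre-8.3 and 8.3+ code; "object network" would also do on 8.3+.
object-group network DHCP_CLIENTS
 network-object 192.168.0.64 255.255.255.192
dhcpd address 192.168.0.65-192.168.0.126 inside
dhcpd enable inside

! Steps 2-4 as one ACL. ACEs are evaluated top-down, first match wins,
! and "any" as the destination already covers every lower-security interface;
! "Any Less Secure Network" is only how ASDM displays the implicit rule.
access-list INSIDE_IN remark Step 2: everyone may reach POP3 anywhere
access-list INSIDE_IN extended permit tcp any any eq pop3
access-list INSIDE_IN remark Step 3: DHCP clients get nothing else
access-list INSIDE_IN extended deny ip object-group DHCP_CLIENTS any
access-list INSIDE_IN remark Step 4: re-create the implicit permit for all other hosts
access-list INSIDE_IN extended permit ip any any

! Binding the ACL is what removes the implicit permit; only one access-group
! per interface and direction, so all three ACEs must live in this list.
access-group INSIDE_IN in interface inside

! Verification (203.0.113.5 is a constructed outside address):
! a DHCP client to TCP/110 should report ALLOW on the first ACE,
! the same client to TCP/80 should report DROP on the second.
packet-tracer input inside tcp 192.168.0.70 1025 203.0.113.5 110
packet-tracer input inside tcp 192.168.0.70 1025 203.0.113.5 80
show access-list INSIDE_IN
```

The order matters: if the `deny ip object-group DHCP_CLIENTS any` line were placed above the POP3 permit, DHCP clients would lose email as well, because the deny would match first. `show access-list INSIDE_IN` displays per-ACE hit counts, which is the quickest way to confirm traffic is landing on the line you expect.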
