2736 Views | 0 Helpful | 1 Replies

ACL - deny a host from inside to outside

kgtnewmedia (Level 1)

Hello,

I want to allow a single host to send SMTP traffic (port 25) only to a specific network range. SMTP traffic to the rest of the internet should be denied. The host comes from the inside of the network. I've created the following ACL for the outside interface of the Cisco router:

ACL:

! only allow host 77.77.208.5 to send smtp traffic to the network 77.77.192.0/19
access-list 102 permit tcp host 77.77.208.5 eq smtp 77.77.192.0 0.0.31.255
! deny smtp traffic from host 77.77.208.5 to the whole internet
access-list 102 deny   tcp host 77.77.208.5 eq smtp any
! allow all other ip
access-list 102 permit ip any any

Config:

!
interface GigabitEthernet0/1.60
 description External Interface to internet
 encapsulation dot1Q 60
 ip address 77.77.206.229 255.255.255.224
 ip access-group 102 out
 ...
 ...
 ...
!

But it seems that the rules do not appear:

Extended IP access list 102
    10 permit tcp host 77.77.208.5 eq smtp 77.77.192.0 0.0.31.255
    20 deny tcp host 77.77.208.5 eq smtp any
    30 permit ip any any (144308583 matches)

Any hints?

Thanks,

Thomas

1 Reply

Jennifer Halim (Cisco Employee)

"eq smtp" should be at the end of the access-list as follows:

10 permit tcp host 77.77.208.5 77.77.192.0 0.0.31.255 eq smtp
20 deny tcp host 77.77.208.5 any eq smtp
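To show why the first two entries of the posted access list never matched, here is an added example that is not part of the thread and not Cisco's code: a small Python evaluator for the subset of IOS extended-ACL syntax used above. In that grammar a port operator placed directly after the source address is a source-port condition, and one placed after the destination address is a destination-port condition; the evaluator applies both ACLs, the one from the question and the one from the reply, to constructed sample flows. The destination addresses 77.77.200.10 and 198.51.100.20 and the ephemeral source ports are made up for illustration, and the corrected list assumes the original line 30 (permit ip any any) is kept.

```python
"""Toy first-match evaluator for Cisco IOS extended ACLs (added example, not from the thread).

Grammar modelled: [access-list <n>] [<seq>] <permit|deny> <tcp|udp|ip> <src> [eq <port>] <dst> [eq <port>]
where <src>/<dst> is 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' (wildcard mask).
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"smtp": 25, "www": 80, "domain": 53}   # IOS port keywords used here


@dataclass
class Ace:
    seq: int
    action: str                 # "permit" or "deny"
    proto: str                  # "tcp", "udp" or "ip"
    src: tuple                  # (network, wildcard) as integers
    src_port: Optional[int]
    dst: tuple
    dst_port: Optional[int]


def _parse_addr(t, i):
    """Address spec at t[i]; returns ((network, wildcard), next_index)."""
    if t[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if t[i] == "host":
        return (int(ipaddress.IPv4Address(t[i + 1])), 0), i + 2
    return (int(ipaddress.IPv4Address(t[i])), int(ipaddress.IPv4Address(t[i + 1]))), i + 2


def _parse_port(t, i):
    """Optional 'eq <port>' at t[i]; other operators (gt, lt, range) are not modelled."""
    if i < len(t) and t[i] == "eq":
        p = t[i + 1]
        return (PORT_NAMES[p] if p in PORT_NAMES else int(p)), i + 2
    return None, i


def parse_acl(lines):
    """Accept the config form ('access-list 102 permit ...') and the 'show access-lists'
    form ('10 permit ...'); entries without a sequence number get 10, 20, 30, ..."""
    acl = []
    for n, line in enumerate(lines, start=1):
        t = line.split()
        seq = 10 * n
        if t[0] == "access-list":
            t = t[2:]
        if t[0].isdigit():
            seq, t = int(t[0]), t[1:]
        src, i = _parse_addr(t, 2)
        sport, i = _parse_port(t, i)      # a port right after the source is a SOURCE port
        dst, i = _parse_addr(t, i)
        dport, i = _parse_port(t, i)      # a port after the destination is a DESTINATION port
        acl.append(Ace(seq, t[0], t[1], src, sport, dst, dport))
    return acl


def _addr_matches(spec, ip):
    net, wild = spec
    mask = ~wild & 0xFFFFFFFF                 # wildcard bit set means "don't care"
    return (int(ipaddress.IPv4Address(ip)) & mask) == (net & mask)


def evaluate(acl, pkt):
    """Return (action, seq) of the first matching entry; unmatched traffic hits the implicit deny."""
    for a in acl:
        if a.proto != "ip" and a.proto != pkt["proto"]:
            continue
        if not (_addr_matches(a.src, pkt["src"]) and _addr_matches(a.dst, pkt["dst"])):
            continue
        if a.src_port is not None and a.src_port != pkt["sport"]:
            continue
        if a.dst_port is not None and a.dst_port != pkt["dport"]:
            continue
        return a.action, a.seq
    return "deny", None


# The access list exactly as posted in the question.
ORIGINAL_ACL = parse_acl([
    "access-list 102 permit tcp host 77.77.208.5 eq smtp 77.77.192.0 0.0.31.255",
    "access-list 102 deny   tcp host 77.77.208.5 eq smtp any",
    "access-list 102 permit ip any any",
])

# The two entries from the reply, with the unchanged 'permit ip any any' kept as line 30 (assumption).
CORRECTED_ACL = parse_acl([
    "10 permit tcp host 77.77.208.5 77.77.192.0 0.0.31.255 eq smtp",
    "20 deny tcp host 77.77.208.5 any eq smtp",
    "30 permit ip any any",
])

# Constructed sample flows leaving the router. An outbound SMTP client uses an ephemeral
# source port and destination port 25; 198.51.100.20 (TEST-NET-2) stands in for "the internet".
SMTP_TO_ALLOWED_RANGE = {"proto": "tcp", "src": "77.77.208.5", "sport": 51234, "dst": "77.77.200.10", "dport": 25}
SMTP_TO_INTERNET = {"proto": "tcp", "src": "77.77.208.5", "sport": 51235, "dst": "198.51.100.20", "dport": 25}
HTTPS_TO_INTERNET = {"proto": "tcp", "src": "77.77.208.5", "sport": 51236, "dst": "198.51.100.20", "dport": 443}


def compare():
    """Evaluate each sample flow against the posted ACL and the corrected ACL."""
    flows = [("smtp_to_allowed_range", SMTP_TO_ALLOWED_RANGE),
             ("smtp_to_internet", SMTP_TO_INTERNET),
             ("https_to_internet", HTTPS_TO_INTERNET)]
    return {name: (evaluate(ORIGINAL_ACL, p), evaluate(CORRECTED_ACL, p)) for name, p in flows}


if __name__ == "__main__":
    for name, (orig, fixed) in compare().items():
        print(f"{name:24s} original -> {orig}   corrected -> {fixed}")
```

Because a client's source port is ephemeral, the posted entries 10 and 20 (which require source port 25) never match and every flow falls through to line 30, which is exactly what the hit counters in the question show. With the operator moved after the destination, SMTP into 77.77.192.0/19 is permitted on line 10 and SMTP to anywhere else is denied on line 20, while non-SMTP traffic still reaches line 30.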
