New Member

ACL - deny a host from inside to outside

Hello,

I want to allow a single host to send SMTP traffic (port 25) only to a specific network range. SMTP traffic to the rest of the internet should be denied. The host is located on the inside of the network. I've created the following ACL for the outside interface of the Cisco router:

ACL:

! only allow host 77.77.208.5 to send smtp traffic to the network 77.77.192.0/19
access-list 102 permit tcp host 77.77.208.5 eq smtp 77.77.192.0 0.0.31.255
! deny smtp traffic from host 77.77.208.5 to the whole internet
access-list 102 deny   tcp host 77.77.208.5 eq smtp any
! allow all other ip
access-list 102 permit ip any any

Config:

!
interface GigabitEthernet0/1.60
 description External Interface to internet
 encapsulation dot1Q 60
 ip address 77.77.206.229 255.255.255.224
 ip access-group 102 out
 ...
 ...
 ...
!

But it seems that the rules do not appear:

Extended IP access list 102
    10 permit tcp host 77.77.208.5 eq smtp 77.77.192.0 0.0.31.255
    20 deny tcp host 77.77.208.5 eq smtp any
    30 permit ip any any (144308583 matches)

Any hints?

Thanks,

Thomas

1 REPLY
Cisco Employee

"eq smtp" should be at the end of the access-list as follows:

    10 permit tcp host 77.77.208.5 77.77.192.0 0.0.31.255 eq smtp
    20 deny tcp host 77.77.208.5 any eq smtp
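To see why every packet fell through to entry 30, the following added example (not from the thread or from Cisco) simulates IOS extended-ACL matching with wildcard masks and walks both ACLs against constructed outbound SMTP packets; the client's source port is an assumed ephemeral port, and 203.0.113.25 is a documentation address standing in for "the internet".

```python
import ipaddress
from collections import namedtuple

# An access-list entry: a port of None means "any port"; proto "ip" matches every protocol.
Ace = namedtuple("Ace", "seq action proto src src_wc src_port dst dst_wc dst_port")
Packet = namedtuple("Packet", "proto src sport dst dport")

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: 0 bits must match the base address, 1 bits are don't-care."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    keep = 0xFFFFFFFF ^ w
    return (a & keep) == (b & keep)

def ace_matches(ace: Ace, pkt: Packet) -> bool:
    return (ace.proto in ("ip", pkt.proto)
            and wildcard_match(pkt.src, ace.src, ace.src_wc)
            and wildcard_match(pkt.dst, ace.dst, ace.dst_wc)
            and ace.src_port in (None, pkt.sport)
            and ace.dst_port in (None, pkt.dport))

def first_match(acl, pkt: Packet):
    """Return (sequence, action) of the first matching entry; implicit deny if none matches."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.seq, ace.action
    return None, "deny"

ANY = ("0.0.0.0", "255.255.255.255")
HOST = ("77.77.208.5", "0.0.0.0")
NET = ("77.77.192.0", "0.0.31.255")   # 77.77.192.0/19
SMTP = 25

# Poster's ACL: "eq smtp" follows the source address, so it tests the SOURCE port.
ORIGINAL = [Ace(10, "permit", "tcp", *HOST, SMTP, *NET, None),
            Ace(20, "deny", "tcp", *HOST, SMTP, *ANY, None),
            Ace(30, "permit", "ip", *ANY, None, *ANY, None)]
# Reply's ACL: "eq smtp" follows the destination address, so it tests the DESTINATION port.
CORRECTED = [Ace(10, "permit", "tcp", *HOST, None, *NET, SMTP),
             Ace(20, "deny", "tcp", *HOST, None, *ANY, SMTP),
             Ace(30, "permit", "ip", *ANY, None, *ANY, None)]

# Constructed packets: an outbound SMTP connection leaves from an ephemeral source port, not 25.
TO_ALLOWED = Packet("tcp", "77.77.208.5", 51234, "77.77.195.10", SMTP)
TO_INTERNET = Packet("tcp", "77.77.208.5", 51235, "203.0.113.25", SMTP)

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL), ("corrected", CORRECTED)):
        for pkt in (TO_ALLOWED, TO_INTERNET):
            print(f"{name:9} -> {pkt.dst}:{pkt.dport}  hits {first_match(acl, pkt)}")
```

With the original ACL both packets report entry 30, matching the counter in the show output; with the corrected ACL the in-range destination hits 10 and the internet destination hits 20.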
