
New Member

ACL Rule Problem

I created a DMZ and put a mail server in there. Now, for some reason, no matter what I do I can't get SMTP from the DMZ. Even if I do a packet trace from the ASDM, it says it's blocked by the implicit deny at the end of the DMZ incoming rule. I have a rule set to allow SMTP but it's still denied. I even changed that to allow everything from any to any and it gets denied. I am at a loss. Below is my ACL. Anyone see anything wrong with it?

Thanks

access-list DMZ_access_in remark Allow imap from DMZ to Inside
access-list DMZ_access_in extended permit tcp 12.167.246.136 255.255.255.248 192.168.1.0 255.255.255.0 eq imap4
access-list DMZ_access_in remark Allow 6101 from DMZ to Inside
access-list DMZ_access_in extended permit tcp 12.167.246.136 255.255.255.248 192.168.1.0 255.255.255.0 eq 6101
access-list DMZ_access_in remark Allow webaccess from DMZ to Inside
access-list DMZ_access_in extended permit tcp 12.167.246.136 255.255.255.248 192.168.1.0 255.255.255.0 eq 1677
access-list DMZ_access_in remark Allow MTA access from DMZ to Inside
access-list DMZ_access_in extended permit tcp 12.167.246.136 255.255.255.248 192.168.1.0 255.255.255.0 eq 7100
access-list DMZ_access_in remark Allow webaccess from DMZ to Inside
access-list DMZ_access_in extended permit tcp 12.167.246.136 255.255.255.248 192.168.1.0 255.255.255.0 eq 7205
access-list DMZ_access_in remark Allow SLP request all from DMZ to Inside
access-list DMZ_access_in extended permit udp 12.167.246.136 255.255.255.248 192.168.1.0 255.255.255.0 eq 427
access-list DMZ_access_in remark Allow SLP request all from DMZ to Inside
access-list DMZ_access_in extended permit tcp 12.167.246.136 255.255.255.248 192.168.1.0 255.255.255.0 eq 427
access-list DMZ_access_in remark Allow Time Synch request all from DMZ to Inside
access-list DMZ_access_in extended permit udp 12.167.246.136 255.255.255.248 192.168.1.0 255.255.255.0 eq 524
access-list DMZ_access_in remark Allow NCP request all from DMZ to Inside
access-list DMZ_access_in extended permit tcp 12.167.246.136 255.255.255.248 192.168.1.0 255.255.255.0 eq 524
access-list DMZ_access_in remark Allow NTP time request all from DMZ to Inside
access-list DMZ_access_in extended permit udp 12.167.246.136 255.255.255.248 any eq ntp
access-list DMZ_access_in remark Echo reply to all
access-list DMZ_access_in extended permit icmp 12.167.246.136 255.255.255.248 any echo-reply
access-list DMZ_access_in remark Allow upd DNS from the DMZ to anywhere
access-list DMZ_access_in extended permit tcp 12.167.246.136 255.255.255.248 any eq domain
access-list DMZ_access_in remark Allow upd DNS from the DMZ to anywhere
access-list DMZ_access_in extended permit udp 12.167.246.136 255.255.255.248 any eq domain
access-list DMZ_access_in remark Allow mail2.lionel.com to send out smtp
access-list DMZ_access_in extended permit tcp 12.167.246.136 255.255.255.248 any eq smtp
access-list DMZ_access_in remark Deny all from DMZ to Inside network
access-list DMZ_access_in extended deny ip any 192.168.1.0 255.255.255.0
access-list DMZ_access_in remark Allow http out from the dmz
access-list DMZ_access_in extended permit tcp 12.167.246.136 255.255.255.248 any eq www
access-list DMZ_access_in remark Allow https out from the dmz
access-list DMZ_access_in extended permit tcp 12.167.246.136 255.255.255.248 any eq https

5 REPLIES
Gold

Re: ACL Rule Problem

Please clarify your problem.

Are you wanting to allow SMTP from the internet to your mail server, which is on the DMZ?

Are you wanting to allow SMTP from the LAN to your DMZ?

Are you wanting to allow SMTP from your DMZ to the LAN?

Are you wanting to allow SMTP from your DMZ to the internet?

New Member

Re: ACL Rule Problem

Sure,

Thanks for the reply. I am trying to send out SMTP to the internet, but it's getting blocked by the DMZ access-in ACL. I don't need it to go to my internal LAN, just out from the DMZ to the internet.

Green

Re: ACL Rule Problem

Is your mail server IP 12.167.246.136?

Gold

Re: ACL Rule Problem

Assuming the ACL you originally posted is the one applied to your DMZ interface, is this where you believe you've allowed outbound SMTP from the DMZ to the internet:

...permit tcp 12.167.246.136 255.255.255.248 any eq smtp

Your ACL entry should read something like that...

Does the actual IP address of your SMTP server fall in the range 12.167.246.136/29? Not the NAT'ed address, the actual address.

New Member

Re: ACL Rule Problem

Yes, it's 12.167.246.140. I have changed the rule to any any and it's still denied though.
