Access lists

jboyer
Level 1

I would like some understanding of different access list commands as used on a 2621 router. The first line works, and the second line does not allow outgoing packets. All information I have shows that the second line should work. If anybody can explain the difference to me I would greatly appreciate it.

Line that worked

access-list 101 permit tcp any eq smtp host xxx.xxx.xxx.xxx gt 1023

Line that didn't work

access-list 101 permit tcp any host xxx.xxx.xxx.xxx eq smtp

Thanks for the help.

3 Replies

bfeeny
Level 1

My first question would be, what is it you are trying to allow / block? Remember that all access-lists have a default "deny any" at the end of them.

The direction of traffic is also very important. You made a reference to "outgoing" so I am going to assume these lists were being applied in the outgoing direction on an interface.

Your first list would allow any packets coming FROM port 25 and going to the IP specified (xxx.xxx.xxx.xxx) on a port greater than 1023. This would typically be return traffic from a mail server. This would not be traffic from a mail client, let's say, to the mail server, but rather the reply from the mail server itself. It is very odd to see something like this in an access list. If you had a mail server for example on 192.168.1.20, and you wanted to allow traffic to that mail server for mail only, you would do something like:

access-list 101 permit tcp any gt 1023 host 192.168.1.20 eq 25

most would probably even leave off the "gt 1023" and just do:

access-list 101 permit tcp any host 192.168.1.20 eq 25

The second line you have permits any traffic from any host so long as it's destined for the IP specified (xxx.xxx.xxx.xxx) on port 25.

When discussing these types of problems, it helps to know what interfaces are involved and where the server or clients in question are located. For example you could say "I have a mail server at 192.168.1.20 hanging off the f0/0 of my router, and I have clients that I am trying to permit/block hanging off f0/1 of that same router. I wish to apply an access list to the f0/0 interface with "ip access-group 101 out", but it is not working correctly".

Access lists are tricky, and direction and location mean everything.

Brian

Sorry, I omitted the interface details, here they are:

interface FastEthernet0/0
 description external internet port
 ip address xxx.xxx.xxx.xxx 255.255.248.0
 ip access-group 101 in
 ip access-group 110 out
 no ip redirects
 no ip proxy-arp
 ip nat outside

interface FastEthernet0/1
 description internal network port
 ip address xxx.xxx.xxx.xxx 255.255.255.0
 no ip redirects
 no ip proxy-arp
 ip nat inside

access-list 110 permit ip any any
access-list 110 permit udp any any
access-list 110 permit icmp any any

I am trying to allow mail to and from the internal server.

My understanding from the documentation on access-lists is that it is:

access list [name][permit/deny][protocol][source address][source port][destination address][destination port]

Thanks for the help

Following your acl configuration, if you only want to allow access to your internal server, you should have:

access-list 101 permit tcp any host xxx.xxx.xxx.xxx eq 25
access-list 101 permit tcp any host xxx.xxx.xxx.xxx eq 110

Which means that any source can access xxx.xxx.xxx.xxx on ports 25 (smtp) and 110 (pop).

And what is the purpose of ACL 110 if you let almost everything out? Just don't put any ACL out and your internal mail server gets access to the net.

Last but not least, you have to let traffic established from the inside come back in on your external interface. For this, you can either use the "established" keyword at the end of your inbound ACL entries, or I suggest you read the documentation about "Reflexive Access-Lists".

Hope that doesn't confuse you too much... :-)
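To make the points raised in the replies concrete (source/destination order and port operators, the implicit deny at the end of every list, and why the `established` keyword lets replies back in but not fresh connections), here is a small evaluator for Cisco-style extended ACL lines. It is an added example written for this thread, not code from the original posters or from Cisco; the address 192.0.2.10 (from the RFC 5737 documentation range) stands in for the poster's xxx.xxx.xxx.xxx, and the packets it evaluates are constructed for illustration. It handles `any`, `host`, wildcard masks, `eq/gt/lt/neq` with numeric or named ports, and `established`, so it generalizes a little beyond the two lines in the question.

```python
"""Toy evaluator for Cisco-style extended ACL lines (added example, not from the thread)."""
from dataclasses import dataclass
from typing import Callable
import ipaddress

# Port names the example understands; IOS accepts many more.
PORT_NAMES = {"smtp": 25, "pop3": 110, "www": 80}


@dataclass
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    ack_or_rst: bool = False   # TCP ACK or RST bit set; this is what 'established' tests


@dataclass
class Rule:
    action: str
    proto: str
    src: Callable[[str], bool]
    sport: Callable[[int], bool]
    dst: Callable[[str], bool]
    dport: Callable[[int], bool]
    established: bool


def _port(name: str) -> int:
    return PORT_NAMES.get(name) or int(name)


def _parse_addr(tokens: list) -> Callable[[str], bool]:
    """Consume one address spec: any | host A.B.C.D | A.B.C.D WILDCARD."""
    t = tokens.pop(0)
    if t == "any":
        return lambda ip: True
    if t == "host":
        h = ipaddress.ip_address(tokens.pop(0))
        return lambda ip: ipaddress.ip_address(ip) == h
    net = int(ipaddress.ip_address(t))
    wild = int(ipaddress.ip_address(tokens.pop(0)))
    care = ~wild & 0xFFFFFFFF            # wildcard bits set to 1 are "don't care"
    return lambda ip: (int(ipaddress.ip_address(ip)) & care) == (net & care)


def _parse_port(tokens: list) -> Callable[[int], bool]:
    """Consume an optional port operator (eq/gt/lt/neq N); absent means any port."""
    if tokens and tokens[0] in ("eq", "gt", "lt", "neq"):
        op, n = tokens.pop(0), _port(tokens.pop(0))
        return {"eq": lambda p: p == n, "gt": lambda p: p > n,
                "lt": lambda p: p < n, "neq": lambda p: p != n}[op]
    return lambda p: True


def parse_rule(line: str) -> Rule:
    """access-list N permit|deny PROTO SRC [op port] DST [op port] [established]"""
    tokens = line.split()
    assert tokens[0] == "access-list", "only numbered extended ACL syntax is supported here"
    action, proto, rest = tokens[2], tokens[3], tokens[4:]
    src, sport = _parse_addr(rest), _parse_port(rest)     # source comes first...
    dst, dport = _parse_addr(rest), _parse_port(rest)     # ...then destination
    established = bool(rest) and rest[0] == "established"
    return Rule(action, proto, src, sport, dst, dport, established)


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if not (rule.src(pkt.src) and rule.dst(pkt.dst)):
        return False
    if pkt.proto in ("tcp", "udp") and not (rule.sport(pkt.sport) and rule.dport(pkt.dport)):
        return False
    if rule.established and not pkt.ack_or_rst:
        return False
    return True


def evaluate(acl_lines: list, pkt: Packet) -> tuple:
    """First matching entry wins; every list ends with an implicit deny."""
    for line in acl_lines:
        if matches(parse_rule(line), pkt):
            return parse_rule(line).action, line
    return "deny", "implicit deny any"


# Constructed scenario: internal server 192.0.2.10, ACL applied inbound on the outside interface.
SERVER = "192.0.2.10"
ACL_WORKED = ["access-list 101 permit tcp any eq smtp host 192.0.2.10 gt 1023"]
ACL_FIXED = ["access-list 101 permit tcp any host 192.0.2.10 eq smtp"]
ACL_ESTABLISHED = ["access-list 101 permit tcp any host 192.0.2.10 eq smtp",
                   "access-list 101 permit tcp any 192.0.2.0 0.0.0.255 established"]

CLIENT_SYN = Packet("tcp", "198.51.100.5", 40000, SERVER, 25)                 # outside client -> our SMTP
REMOTE_MTA_REPLY = Packet("tcp", "203.0.113.7", 25, SERVER, 40001, ack_or_rst=True)  # reply to our outbound mail
UNSOLICITED_HIGH = Packet("tcp", "203.0.113.7", 25, SERVER, 40001)            # same ports, but a fresh SYN

if __name__ == "__main__":
    for name, acl in (("worked", ACL_WORKED), ("fixed", ACL_FIXED), ("established", ACL_ESTABLISHED)):
        for pkt in (CLIENT_SYN, REMOTE_MTA_REPLY, UNSOLICITED_HIGH):
            print(f"{name:12} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  {evaluate(acl, pkt)[0]}")
```

Running it shows what bfeeny described: the poster's "worked" line only permits packets whose source port is 25 (a remote mail server replying to our outbound connection) and denies an inbound client connecting to port 25, while the `eq smtp` form on the destination permits that client. The `established` entry permits the reply because its ACK bit is set and denies the otherwise identical fresh SYN, which is the point the last reply makes about letting established traffic back in without opening the high ports outright.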