10-26-2001 11:01 AM - edited 03-01-2019 07:04 PM
I would like some understanding on different access list commands as used on a 2621 router. The first line works, and the second line does not allow outgoing packets. All information I have shows that the second line should work. If anybody can explain the difference to me I would greatly appreciate it.
Line that worked
access-list 101 permit tcp any eq smtp host xxx.xxx.xxx.xxx gt 1023
Line that didn't work
access-list 101 permit tcp any host xxx.xxx.xxx.xxx eq smtp
Thanks for the help.
10-26-2001 11:36 AM
My first question would be, what is it you are trying to allow / block? Remember that all access-lists have a default "deny any" at the end of them.
The direction of traffic is also very important. You made a reference to "outgoing" so I am going to assume these lists were being applied in the outgoing direction on an interface.
Your first list would allow any packets coming FROM port 25 and going to the IP specified (xxx.xxx.xxx.xxx) on a port greater than 1023. This would typically be return traffic from a mail server. This would not be traffic from a mail client, let's say, to the mail server, but rather the reply from the mail server itself. It is very odd to see something like this in an access list. If you had a mail server for example on 192.168.1.20, and you wanted to allow traffic to that mail server for mail only, you would do something like:
access-list 101 permit tcp any gt 1023 host 192.168.1.20 eq 25
most would probably even leave off the "gt 1023" and just do:
access-list 101 permit tcp any host 192.168.1.20 eq 25
The second line you have permits any traffic from any host so long as it's destined for the IP specified (xxx.xxx.xxx.xxx) on port 25.
When discussing these types of problems, it helps to know what interfaces are involved and where the server or clients in question are located. For example you could say "I have a mail server at 192.168.1.20 hanging off the f0/0 of my router, and I have clients that I am trying to permit/block hanging off f0/1 of that same router. I wish to apply an access list to the f0/0 interface with "ip access-group 101 out", but it is not working correctly".
Because access lists are tricky, and direction and location mean everything.
Brian
10-30-2001 01:32 PM
Sorry I omitted the interface details, here they are:
interface FastEthernet0/0
description external internet port
ip address xxx.xxx.xxx.xxx 255.255.248.0
ip access-group 101 in
ip access-group 110 out
no ip redirects
no ip proxy-arp
ip nat outside
interface FastEthernet0/1
description internal network port
ip address xxx.xxx.xxx.xxx 255.255.255.0
no ip redirects
no ip proxy-arp
ip nat inside
access-list 110 permit ip any any
access-list 110 permit udp any any
access-list 110 permit icmp any any
I am trying to allow mail to and from the internal server.
My understanding from the documentation on access-lists is that it is:
access-list [number] [permit|deny] [protocol] [source address] [source port] [destination address] [destination port]
Thanks for the help
10-30-2001 02:11 PM
Following your ACL configuration, if you only want to allow access to your internal server, you should have:
access-list 101 permit tcp any host xxx.xxx.xxx.xxx eq 25
access-list 101 permit tcp any host xxx.xxx.xxx.xxx eq 110
Which means that any source can access xxx.xxx.xxx.xxx at port 25 (smtp) and 110 (pop).
And what is the purpose of ACL 110 if you let almost everything out? Just don't put any ACL out and your internal mail server gets access to the net.
Last but not least, you have to let traffic established from internal come back in on your external interface. For this, you either have the choice to use the "established" keyword at the end of your inbound ACL, or I suggest you read the documentation about "Reflexive Access-List".
Hope that doesn't confuse you too much... :-)
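The following is an added illustration, not code from the thread or from Cisco: a small Python evaluator for IOS-style extended ACL lines that shows why the two lines in the original question match different traffic (Brian's explanation above), what the implicit "deny any" does, and how the "established" keyword from the last reply lets only return traffic back in. The mail host 192.0.2.10 and the remote addresses are constructed RFC 5737 documentation values standing in for the xxx.xxx.xxx.xxx in the thread; the parser is a simplification of the real IOS grammar (contiguous wildcard masks only, no named ACLs or logging keywords).

```python
import ipaddress
import operator
from dataclasses import dataclass
from typing import Callable, List

# Added example (not from the thread): a minimal evaluator for Cisco-IOS-style
# extended ACL lines. Supports permit/deny, protocols ip/tcp/udp/icmp,
# "any" | "host A" | "A WILDCARD", port tests eq/gt/lt/neq/range, the
# "established" keyword, and the implicit "deny any" at the end of every list.

PORT_NAMES = {"smtp": 25, "pop3": 110, "www": 80, "domain": 53}
PORT_OPS = {"eq": operator.eq, "gt": operator.gt, "lt": operator.lt, "neq": operator.ne}


@dataclass
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False   # ACK or RST bit set: this is what "established" tests


def _port(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _parse_addr(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume one address spec: any | host A | A WILDCARD."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    # IOS wildcard mask is an inverted netmask; only contiguous masks handled here.
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))
    netmask = ipaddress.IPv4Address(~wildcard & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tok}/{netmask}", strict=False)


def _parse_port(tokens: List[str]) -> Callable[[int], bool]:
    """Consume an optional port test; absent means 'any port'."""
    if not tokens or (tokens[0] not in PORT_OPS and tokens[0] != "range"):
        return lambda p: True
    op = tokens.pop(0)
    if op == "range":
        lo, hi = _port(tokens.pop(0)), _port(tokens.pop(0))
        return lambda p: lo <= p <= hi
    value = _port(tokens.pop(0))
    return lambda p, f=PORT_OPS[op], v=value: f(p, v)


@dataclass
class Entry:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sport_ok: Callable[[int], bool]
    dst: ipaddress.IPv4Network
    dport_ok: Callable[[int], bool]
    established: bool

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src) not in self.src or ipaddress.ip_address(pkt.dst) not in self.dst:
            return False
        if not (self.sport_ok(pkt.sport) and self.dport_ok(pkt.dport)):
            return False
        if self.established and not (pkt.proto == "tcp" and pkt.ack):
            return False
        return True


def parse_entry(line: str) -> Entry:
    tokens = line.split()
    if tokens[0].startswith("access-l"):   # drop "access-list <number>" (abbreviations allowed)
        tokens = tokens[2:]
    action, proto = tokens.pop(0), tokens.pop(0)
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action {action!r} in {line!r}")
    has_ports = proto in ("tcp", "udp")
    src = _parse_addr(tokens)
    sport_ok = _parse_port(tokens) if has_ports else (lambda p: True)
    dst = _parse_addr(tokens)
    dport_ok = _parse_port(tokens) if has_ports else (lambda p: True)
    established = bool(tokens) and tokens.pop(0) == "established"
    return Entry(action, proto, src, sport_ok, dst, dport_ok, established)


def evaluate(acl_lines: List[str], pkt: Packet) -> str:
    """Top-down, first match wins; anything unmatched hits the implicit deny."""
    for line in acl_lines:
        if parse_entry(line).matches(pkt):
            return parse_entry(line).action
    return "deny"


# Constructed addresses stand in for the thread's xxx.xxx.xxx.xxx.
MAIL_HOST = "192.0.2.10"
LINE_THAT_WORKED = f"access-list 101 permit tcp any eq smtp host {MAIL_HOST} gt 1023"
LINE_THAT_DIDNT = f"access-list 101 permit tcp any host {MAIL_HOST} eq smtp"

# Two packets arriving inbound on the outside interface (constructed):
REPLY_FROM_REMOTE_MTA = Packet("tcp", "203.0.113.5", 25, MAIL_HOST, 40000, ack=True)   # remote server answering our outbound mail
CLIENT_TO_OUR_SMTP = Packet("tcp", "198.51.100.7", 51000, MAIL_HOST, 25)                 # someone delivering mail to us


def which_lines_match(pkt: Packet) -> dict:
    return {"line_that_worked": evaluate([LINE_THAT_WORKED], pkt),
            "line_that_didnt": evaluate([LINE_THAT_DIDNT], pkt)}


# The "established" approach from the last reply: new SMTP connections in,
# plus only the return half of sessions that the inside initiated.
INBOUND_WITH_ESTABLISHED = [
    f"access-list 101 permit tcp any host {MAIL_HOST} eq 25",
    f"access-list 101 permit tcp any host {MAIL_HOST} established",
]

if __name__ == "__main__":
    print("reply from remote MTA:", which_lines_match(REPLY_FROM_REMOTE_MTA))
    print("client to our SMTP:   ", which_lines_match(CLIENT_TO_OUR_SMTP))
    unsolicited_syn = Packet("tcp", "203.0.113.5", 6000, MAIL_HOST, 40000)
    print("established list, unsolicited SYN to high port:", evaluate(INBOUND_WITH_ESTABLISHED, unsolicited_syn))
    print("established list, reply to our outbound mail:  ", evaluate(INBOUND_WITH_ESTABLISHED, REPLY_FROM_REMOTE_MTA))
```

Run as a script to see that the "line that worked" only permits packets whose source port is 25 (replies from a remote mail server), while the "line that didn't work" only permits packets whose destination port is 25 (clients connecting to the server); each line by itself leaves the other half of the conversation to the implicit deny, which is the direction-and-location point made in the replies.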