I would like some understanding on different access list commands as used on a 2621 router. The first line works, and the second line does not allow outgoing packets. All information I have shows that the second line should work. If anybody can explain the difference to me I would greatly appreciate it.
My first question would be, what is it you are trying to allow / block? Remember that all access lists have a default "deny any" at the end of them.
The direction of traffic is also very important. You made a reference to "outgoing" so I am going to assume these lists were being applied in the outgoing direction on an interface.
Your first list would allow any packets coming FROM port 25 and going to the IP specified (xxx.xxx.xxx.xxx) on a port greater than 1023. This would typically be return traffic from a mail server. This would not be traffic from a mail client, let's say, to the mail server, but rather the reply from the mail server itself. It is very odd to see something like this in an access list. If you had a mail server, for example, on 192.168.1.20, and you wanted to allow traffic to that mail server for mail only, you would do something like:
Most would probably even leave off the "gt 1023" and just do:
access-list 101 permit tcp any host 192.168.1.20 eq 25
The second line you have permits any traffic from any host so long as it's destined for the IP specified (xxx.xxx.xxx.xxx) on port 25.
When discussing these types of problems, it helps to know what interfaces are involved and where the server or clients in question are located. For example you could say "I have a mail server at 192.168.1.20 hanging off the f0/0 of my router, and I have clients that I am trying to permit/block hanging off f0/1 of that same router. I wish to apply an access list to the f0/0 interface with "ip access-group 101 out", but it is not working correctly".
Access lists are tricky, and direction and location mean everything.
Following your ACL configuration, if you only want to allow access to your internal server, you should have:
access-list 101 permit tcp any host xxx.xxx.xxx.xxx eq 25
access-list 101 permit tcp any host xxx.xxx.xxx.xxx eq 110
This means that any source can reach xxx.xxx.xxx.xxx on port 25 (SMTP) and 110 (POP).
And what is the purpose of ACL 110 if you let almost everything out? Just don't put any ACL on the outbound side, and your internal mail server gets access to the net.
Last but not least, you have to let traffic established from the inside come back in on your external interface. For this, you can either use the "established" keyword at the end of your inbound ACL, or I suggest you read the documentation about Reflexive Access Lists.
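To make the two replies above concrete (first-match evaluation, the implicit deny, why the "from port 25" entry only ever matches server replies, and what "established" adds on the return path), here is an added Python model of extended-ACL matching. It is not Cisco code and not part of this thread; the server address 192.168.1.20 comes from the reply, the client 10.0.0.5 and all packets are constructed, and wildcard masks are ignored.

```python
from dataclasses import dataclass
from typing import Optional, Tuple
# Toy model of Cisco IOS extended-ACL evaluation: entries are tested in order,
# the first match decides, and an implicit "deny any" ends every list.
# Added illustration, not Cisco code; wildcard masks are ignored.
@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    ack_or_rst: bool = False  # TCP ACK or RST set: what "established" tests

@dataclass
class Ace:
    action: str                       # "permit" or "deny"
    proto: str                        # "tcp", "udp" or "ip"
    src: str                          # "any" or one host address
    sport: Optional[Tuple[str, int]]  # ("eq", 25), ("gt", 1023) or None
    dst: str
    dport: Optional[Tuple[str, int]]
    established: bool = False

def port_match(cond, port):
    if cond is None:
        return True
    op, val = cond
    return {"eq": port == val, "gt": port > val, "lt": port < val}[op]

def ace_matches(ace, pkt):
    return (ace.proto in ("ip", pkt.proto)
            and ace.src in ("any", pkt.src) and ace.dst in ("any", pkt.dst)
            and port_match(ace.sport, pkt.sport)
            and port_match(ace.dport, pkt.dport)
            and (not ace.established or pkt.ack_or_rst))

def evaluate(acl, pkt):
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"  # the implicit deny any at the end of every access list

MAIL, CLIENT = "192.168.1.20", "10.0.0.5"  # server from the reply; client constructed
LINE1 = Ace("permit", "tcp", "any", ("eq", 25), MAIL, ("gt", 1023))     # src port 25 -> MAIL gt 1023
LINE2 = Ace("permit", "tcp", "any", None, MAIL, ("eq", 25))             # permit tcp any host MAIL eq 25
RETURN = Ace("permit", "tcp", MAIL, ("eq", 25), "any", None, True)      # host MAIL eq 25 any established
CLIENT_TO_SERVER = Packet("tcp", CLIENT, 40000, MAIL, 25)               # client opening SMTP
SERVER_REPLY = Packet("tcp", MAIL, 25, CLIENT, 40000, ack_or_rst=True)  # reply, ACK set
SERVER_SYN = Packet("tcp", MAIL, 25, CLIENT, 40000)                     # new session from port 25
```

Running evaluate() with LINE2 alone permits the client's connection but denies the server's reply, which is exactly the return-traffic problem the second reply points at.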