
New Member

Need Access List Help

I am working on an access list for my router and am a real Nervous Nellie about it. I have a mail server with six virtual hosts and a webserver with mail and ftp as well as a hundred virtual domains, all with their own IP addresses within the same Class C.

If I apply:

access-group 102 out
access-list 102 permit tcp host 100.100.100.3 any established
access-list 102 permit icmp host 100.100.100.3 any echo-reply
access-list 102 permit tcp host 100.100.100.3 any eq ftp
access-list 102 permit udp host 100.100.100.3 any eq domain
access-list 102 permit tcp host 100.100.100.3 any eq domain

to the interface for that Class C, assuming the above address to be the primary address of my webserver, will this keep my mail server and the other domains in that Class C from working by implicitly denying these packets from their addresses? If so, is there any benefit to applying these rules to the entire Class C? Do I need to add anything for incoming and outgoing mail?

Thanks!

1 REPLY
Bronze

Re: Need Access List Help

If you use this access list with access-list OUT on the actual LAN interface, it will effectively block all traffic because of the implicit deny at the end.

Since the direction is with regard to the router, OUT applies to all traffic leaving the router and going onto the LAN so it can never have a source address of an address on the lan.

You would need to swap your source and destination parameters and use an access-list IN on the LAN interface, or use the access list on the outgoing interface. You also need to permit SMTP for mail traffic.
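To make the direction point concrete, here is an added example in Python (not from the poster or from Cisco): a simplified model of IOS extended ACL evaluation, first match wins with the implicit deny at the end and `established` matching TCP segments with ACK or RST set, plus a two-interface router where an ACL applied on an interface in a direction only sees packets crossing that interface in that direction. It parses the five entries exactly as posted and runs constructed sample traffic through them. The mail server address 100.100.100.4 and the Internet client 203.0.113.5 are assumptions; the Class C and the web server at 100.100.100.3 come from the post.

```python
"""Simplified model of which packets an IOS extended ACL sees depending on the
interface and direction it is applied to. Added example; not Cisco code."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

PORTS = {"ftp": 21, "smtp": 25, "domain": 53, "www": 80}  # IOS port keywords
LAN = ip_network("100.100.100.0/24")  # the poster's Class C


@dataclass(frozen=True)
class Packet:
    proto: str                        # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None
    ack: bool = False                 # ACK or RST set -> matches "established"
    icmp_type: Optional[str] = None   # e.g. "echo-reply"


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: Optional[str]                # None means "any"
    dst: Optional[str]
    dport: Optional[int] = None
    established: bool = False
    icmp_type: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        return (self.proto == p.proto
                and (self.src is None or self.src == p.src)
                and (self.dst is None or self.dst == p.dst)
                and (self.dport is None or self.dport == p.dport)
                and (not self.established or p.ack)
                and (self.icmp_type is None or self.icmp_type == p.icmp_type))


def parse_ace(line: str) -> Ace:
    """Parse the subset 'access-list N permit|deny PROTO SRC DST [eq PORT]
    [established] [ICMP-TYPE]' with SRC/DST written as 'host A' or 'any'."""
    tok = line.split()
    if tok[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    action, proto = tok[2], tok[3]
    i = 4

    def addr() -> Optional[str]:
        nonlocal i
        if tok[i] == "any":
            i += 1
            return None
        if tok[i] == "host":
            i += 2
            return tok[i - 1]
        raise ValueError(f"unsupported address form: {tok[i]}")

    src, dst = addr(), addr()
    dport, established, icmp_type = None, False, None
    while i < len(tok):
        if tok[i] == "eq":
            dport = PORTS.get(tok[i + 1]) or int(tok[i + 1])
            i += 2
        elif tok[i] == "established":
            established, i = True, i + 1
        elif proto == "icmp":
            icmp_type, i = tok[i], i + 1
        else:
            raise ValueError(f"unsupported keyword: {tok[i]}")
    return Ace(action, proto, src, dst, dport, established, icmp_type)


def evaluate(acl: List[Ace], p: Packet) -> bool:
    """First matching entry wins; the implicit deny at the end drops the rest."""
    for ace in acl:
        if ace.matches(p):
            return ace.action == "permit"
    return False


def acl_consulted(iface: str, direction: str, p: Packet) -> bool:
    """Direction is relative to the router: IN = entering the router on that
    interface, OUT = leaving the router through it. On the LAN interface, OUT
    traffic is heading onto the LAN, so its source is never a LAN address."""
    src_lan, dst_lan = ip_address(p.src) in LAN, ip_address(p.dst) in LAN
    if iface == "lan":
        return src_lan if direction == "in" else dst_lan
    return (not src_lan) if direction == "in" else (not dst_lan)


def forwarded(acl: List[Ace], iface: str, direction: str, p: Packet) -> bool:
    """A packet passes unless the ACL lies in its path and denies it."""
    return evaluate(acl, p) if acl_consulted(iface, direction, p) else True


# The five entries exactly as posted
ACL_102 = [parse_ace(l) for l in """
access-list 102 permit tcp host 100.100.100.3 any established
access-list 102 permit icmp host 100.100.100.3 any echo-reply
access-list 102 permit tcp host 100.100.100.3 any eq ftp
access-list 102 permit udp host 100.100.100.3 any eq domain
access-list 102 permit tcp host 100.100.100.3 any eq domain
""".strip().splitlines()]

# Constructed traffic: 203.0.113.5 stands in for an Internet client,
# 100.100.100.4 is an assumed address for the poster's mail server.
WEB_SYN = Packet("tcp", "203.0.113.5", "100.100.100.3", dport=80)
WEB_REPLY = Packet("tcp", "100.100.100.3", "203.0.113.5", dport=51000, ack=True)
MAIL_SYN = Packet("tcp", "203.0.113.5", "100.100.100.4", dport=25)
MAIL_REPLY = Packet("tcp", "100.100.100.4", "203.0.113.5", dport=51001, ack=True)

if __name__ == "__main__":
    for place in (("lan", "out"), ("lan", "in"), ("wan", "out")):
        for name, p in (("web SYN", WEB_SYN), ("web reply", WEB_REPLY),
                        ("mail SYN", MAIL_SYN), ("mail reply", MAIL_REPLY)):
            print(f"{place[0]} {place[1]:3} {name:10} -> "
                  f"{'forwarded' if forwarded(ACL_102, *place, p) else 'dropped'}")
```

With the list applied OUT on the LAN interface, every packet heading into the Class C (the client's SYN to the web server, for example) is checked, none of the entries match because the source is not 100.100.100.3, and the implicit deny drops it. Moved to IN on the LAN interface, the list only sees traffic sourced from the LAN: the web server's replies match `established`, but anything from the mail server's address still hits the implicit deny, which answers the original question about the other hosts in the Class C.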
