Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

Access-List Critical Situation - Urgent Help is required

Dear All,

I have cisco router for internet 1841.

He has 2 interface as following :-

1. Fast Ethernet 0/0 :-

Description : connected to My ISP Router FOR INTERNET Connection. .

IP Address of this Interface : /

2. Fast Ethernet 0 /1 :-

Description : connected to My Cisco Switch For Connect devices

IP Address of this Interface : /

The Access List which implemented on it : ip access-group 103 out

The IP Schema for My Company which the ISP Has assign it to me was the following :-

< First Network > :-

Which is assign only to the Interface F0/0 :-

< ? UP TO >

< Second Network >

Which is assign only to the Interface F0/1 :-

< ? UP TO > .

The Route for My traffic is < IP Route > .

The Cable which is getting out from Interface F 0 / 1, is plugged in UNMANAGED Switch in Port 2 to connect other devices with Network 2 like My Firewall and MY CEO PC under real IP as well .

The FIREWALL Called Fortigate and its configuration as following:-

First Nic :-

IP :

SM :

GW :

Second Nic

IP Address :

SM :

All the Users in My LAN Configured to use the FW as NAT , and all of them are configured with it?s as GATEWAY.

Our E-mail Server is Hosted Out side, and we are using the POP3 & SMTP to access it. We do not have exchange server at all,

POP3 :


There is No any Restriction at all on the Firewall to disable any traffic or stop any thing at all, and every thing is Open in the Inbound & Outbound interfaces on the Firewall.

Now ,

1 PC is located not behind the firewall at all, but they are located behind the Interface F 0 / 1 .

The setting of this PC as following :-

< IP : ? SM : ? GW : ? DNS : > .

This User is reported to me that, he is unable to download his E-mails through POP3, but able to send using SMTP.

All the other users who using Firewall, able to send and receive using POP3 & SMTP without any Problem at all.

He is only the one who have this Problem.

Even if I change the IP and put any other IP from the Second Network, we found the same Problem.

The Access List as following :-

access-list 103 permit tcp any host eq smtp.

access-list 103 permit tcp any host eq pop3.

access-list 1 permit

access-list 1 permit

access-list 103 permit ip any any.

if you look to the first access list, it meaning like that :

The Router have an extended access list called 103, to permit the TCP Protocol, on Port 25 from any source to this Destination only, as if the POP3 Server & SMTP Server is while this is not the situation at all.

And the same but for POP3.

And I open every thing on Protocol IP From any where to any where .

1- Now, could be the Problem of this user who is using Real IP behind Interface F 0 /1 , the first access list ?

Because its only open smtp for this host only , which is MY FIREWALL ?

Could it be ?

But in the same time, I enable or I open every thing on this access list , so I am getting confused .

2- what will happen if I wrote a special Access-list to enable only this IP like that :-

Access-list 103 permit tcp host any eq SMTP

Access-list 103 Permit tcp host any eq POP3.

3- or should I wrote an access-list to open the POP3 Server which is to this user only like that :-

Access-list 103 Permit tcp host host eq POP3

Access-list 103 Permit tcp host host eq SMTP

should I put it on F0/0 Out?


Re: Access-List Critical Situation - Urgent Help is required


Your explanation is really hard to understand. Can you please post your router configuration or your exac ACL config and tell us which interface they are applied to.



Re: Access-List Critical Situation - Urgent Help is required

Simplify your configuration, remove all ACLs on the router for testin purpose and then try use POP from your CEO PC if it works than you know it is one of your ACLs. If not then you have to contact your ISP. This is the fastest approach for you....

Another thing try to use another PC instead of your CEO PC to eliminate the possibility of PC problem.

Please rate if I could help,


CreatePlease to create content