08-16-2002 08:45 AM - edited 03-08-2019 11:58 PM
Hi there, I am trying to add more statements like the ones below.
Actually I am trying to filter outside networks accessing our SMTP server.
access-list inbound permit icmp any any
* access-list inbound permit host 209.31.227.0 host 202.172.47.6 eq smtp
access-list inbound permit tcp any host 202.172.47.6 eq pop3
access-list inbound permit tcp any host 10.0.12.12 eq smtp
access-list inbound permit tcp any host 10.0.12.12 eq pop3
access-list inbound permit tcp any host 202.172.47.6 eq smtp
access-list inbound permit tcp any host 203.172.13.68 eq smtp
* new statements
But after adding the statements, my PIX went down, meaning it couldn't receive any emails any more. When I checked using sh access-list, the new statements (*) that I added did not work: no counter.
Any idea what happens?
Thanks in advance
08-16-2002 12:24 PM
access-list inbound permit host 209.31.227.0 host 202.172.47.6 eq smtp
This statement is missing the protocol. It should be:
access-list inbound permit tcp host 209.31.227.0 host 202.172.47.6 eq smtp
08-16-2002 03:37 PM
I am sorry, I think I put it wrongly.
This is my PIX access-list:
access-list inbound permit icmp any any
access-list inbound permit tcp any host 202.156.59.3 eq pop3
access-list inbound permit tcp any host 202.156.59.3 eq smtp
access-list inbound deny tcp host 216.0.0.0 host 202.156.59.3 eq smtp
access-list inbound deny tcp host 217.0.0.0 host 202.156.59.3 eq smtp
After sh access-list, the deny statements were not executed.
I have tried this, but it is still the same:
access-list inbound permit icmp any any
access-list inbound deny tcp host 216.0.0.0 host 202.156.59.3 eq smtp
access-list inbound deny tcp host 217.0.0.0 host 202.156.59.3 eq smtp
access-list inbound permit tcp any host 202.156.59.3 eq pop3
access-list inbound permit tcp any host 202.156.59.3 eq smtp
I am still new to PIX, hope somebody can help me. Thanks, Alexis
08-21-2002 01:09 AM
The last line of an access-list is always "deny all", i.e. "access-list inbound deny ip all all".
If you like to specify some networks that cannot reach your SMTP-server you have to put those statements before your permit line, which permits everyone.
If you like to deny SMTP-traffic from 216.0.0.0 and 217.0.0.0 networks the access-lists should be as follows:
access-list inbound deny tcp 216.0.0.0 255.0.0.0 host 202.156.59.3 eq smtp
access-list inbound deny tcp 217.0.0.0 255.0.0.0 host 202.156.59.3 eq smtp
This is because those addresses are not host addresses.
Regards
//Tomas
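To make the ordering point above concrete, here is a small first-match simulator. It is an added illustration, not part of this thread or of PIX itself; the parser, the named-port table and the test source address 216.5.5.5 are constructed here, and it models only the behaviours discussed in the thread (first match wins, per-entry hit counters like sh access-list, the implicit deny at the end, and host versus network mask).

```python
# Added example (not from the thread): first-match simulator for PIX-style ACL entries.
import ipaddress

PORTS = {"smtp": 25, "pop3": 110}   # named ports used in the thread (constructed table)

def _addr(tok, i):
    """Parse 'any', 'host A.B.C.D' or 'NET MASK' starting at tok[i]."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    # PIX uses a normal subnet mask here, not an IOS-style wildcard mask
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2

def parse_ace(line):
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT]'."""
    tok = line.split()
    src, i = _addr(tok, 4)
    dst, i = _addr(tok, i)
    port = PORTS[tok[i + 1]] if i < len(tok) and tok[i] == "eq" else None
    return {"action": tok[2], "proto": tok[3], "src": src, "dst": dst,
            "port": port, "hits": 0}

def evaluate(acl, proto, src, dst, port=None):
    """First matching entry wins and its hit counter is bumped; no match -> implicit deny."""
    for ace in acl:
        if (ace["proto"] in (proto, "ip")
                and ipaddress.ip_address(src) in ace["src"]
                and ipaddress.ip_address(dst) in ace["dst"]
                and (ace["port"] is None or ace["port"] == port)):
            ace["hits"] += 1
            return ace["action"]
    return "deny"   # the implicit deny at the end of every list

MAIL = "202.156.59.3"   # constructed scenarios built from the thread's entries
DENY_AFTER_PERMIT = [parse_ace(ln) for ln in (
    f"access-list inbound permit tcp any host {MAIL} eq smtp",
    f"access-list inbound deny tcp 216.0.0.0 255.0.0.0 host {MAIL} eq smtp")]
HOST_NOT_MASK = [parse_ace(ln) for ln in (
    f"access-list inbound deny tcp host 216.0.0.0 host {MAIL} eq smtp",
    f"access-list inbound permit tcp any host {MAIL} eq smtp")]
FIXED = [parse_ace(ln) for ln in (
    f"access-list inbound deny tcp 216.0.0.0 255.0.0.0 host {MAIL} eq smtp",
    f"access-list inbound permit tcp any host {MAIL} eq smtp")]

if __name__ == "__main__":
    for name, acl in [("deny after permit", DENY_AFTER_PERMIT),
                      ("host instead of mask", HOST_NOT_MASK), ("fixed", FIXED)]:
        print(name, "->", evaluate(acl, "tcp", "216.5.5.5", MAIL, 25))
```

Running it shows the first two lists still permit SMTP from 216.5.5.5 (and the deny entry's counter stays at zero, which is what "no counter" in sh access-list means), while the fixed list denies it.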
08-21-2002 03:53 PM
Thanks Tomas,
I believe it should be like below,
access-list inbound permit icmp any any
access-list inbound deny tcp 216.0.0.0 255.0.0.0 host 202.156.59.3 eq smtp
access-list inbound deny tcp 217.0.0.0 255.0.0.0 host 202.156.59.3 eq smtp
access-list inbound permit tcp any host 202.156.59.3 eq pop3
access-list inbound permit tcp any host 202.156.59.3 eq smtp
After putting in these statements, do I need to issue any other commands, like clear xlate? Because when I delete the access-list inbound and put in the new statements, there's no SMTP traffic.
Am I missing any steps?