Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Community Member

Access-List Critical Situation-Please Help

Dear All,

I have cisco router for internet 1841.

He has 2 interface as following :-

1. Fast Ethernet 0/0 :-

Description : connected to My ISP Router FOR INTERNET Connection. .

IP Address of this Interface : 213.255.237.109 / 255.255.255.248

2. Fast Ethernet 0 /1 :-

Description : connected to My Cisco Switch For Connect devices

IP Address of this Interface : 213.255.237.113 / 255.255.255.248.

The Access List which implemented on it : ip access-group 103 out

The IP Schema for My Company which the ISP Has assign it to me was the following :-

< First Network > :-

Which is assign only to the Interface F0/0 :-

< 213.255.237.104 ? UP TO 213.255.237.111 >

< Second Network >

Which is assign only to the Interface F0/1 :-

< 213.255.237.112 ? UP TO 213.255.237.119 > .

The Route for My traffic is < IP Route 0.0.0.0 0.0.0.0 213.255.237.105 > .

The Cable which is getting out from Interface F 0 / 1, is plugged in UNMANAGED Switch in Port 2 to connect other devices with Network 2 like My Firewall and MY CEO PC under real IP as well .

The FIREWALL Called Fortigate and its configuration as following:-

First Nic :-

IP : 213.255.237.116

SM : 255.255.255.248

GW : 213.255.237.113.

Second Nic

IP Address : 192.168.1.00

SM : 255.255.255.0

All the Users in My LAN Configured to use the FW as NAT , and all of them are configured with it?s as GATEWAY.

Our E-mail Server is Hosted Out side, and we are using the POP3 & SMTP to access it. We do not have exchange server at all,

POP3 : 64.202.165.92

SMTP : 64.202.165.58

There is No any Restriction at all on the Firewall to disable any traffic or stop any thing at all, and every thing is Open in the Inbound & Outbound interfaces on the Firewall.

Now ,

1 PC is located not behind the firewall at all, but they are located behind the Interface F 0 / 1 .

The setting of this PC as following :-

< IP : 213.255.237.119 ? SM : 255.255.255.248 ? GW : 213.255.237.113 ? DNS : 213.255.237.8 > .

This User is reported to me that, he is unable to download his E-mails through POP3, but able to send using SMTP.

All the other users who using Firewall, able to send and receive using POP3 & SMTP without any Problem at all.

He is only the one who have this Problem.

Even if I change the IP and put any other IP from the Second Network, we found the same Problem.

The Access List as following :-

access-list 103 permit tcp any host 213.255.237.116 eq smtp.

access-list 103 permit tcp any host 213.255.237.116 eq pop3.

access-list 1 permit 213.255.237.104 0.0.0.7.

access-list 1 permit 213.255.237.112 0.0.0.7.

access-list 103 permit ip any any.

if you look to the first access list, it meaning like that :

The Router have an extended access list called 103, to permit the TCP Protocol, on Port 25 from any source to this Destination 213.255.237.116 only, as if the POP3 Server & SMTP Server is 213.255.237.116. while this is not the situation at all.

And the same but for POP3.

And I open every thing on Protocol IP From any where to any where .

1- Now, could be the Problem of this user who is using Real IP behind Interface F 0 /1 , the first access list ?

Because its only open smtp for this host only 213.255.237.116 , which is MY FIREWALL ?

Could it be ?

But in the same time, I enable or I open every thing on this access list , so I am getting confused .

2- what will happen if I wrote a special Access-list to enable only this IP like that :-

Access-list 103 permit tcp host 213.255.237.119 any eq SMTP

Access-list 103 Permit tcp host 213.255.237.119 any eq POP3.

3- or should I wrote an access-list to open the POP3 Server which is 64.202.165.92 to this user only like that :-

Access-list 103 Permit tcp host 213.255.237.119 host 64.202.165.92 eq POP3

Access-list 103 Permit tcp host 213.255.237.119 host 64.202.165.58 eq SMTP

4- could be the Problem on the Access-list it self direction ?

should I put it on F0/0 Out?

2 REPLIES
Silver

Re: Access-List Critical Situation-Please Help

The issue may be with the Access list configured in the router. The access -list should be configured in a correct directionohterwise packets will be dropped and this leads to loss of connection.

Community Member

Re: Access-List Critical Situation-Please Help

Hello,

please, try to be more clear about what you want...

In the end, what do you want _exactly_ ?

what do you want to allow incoming from internet to your lan2 + fw ?

what do you want to allow outgoing from lan2+fw to internet ?

keep it short and concise, the ~100 lines of your previous post are... a confusing melt :)

what about http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Network%20Infrastructure&topic=Enterprise%20Data%20Center%20Networking&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.1ddc46cd

? Is this related ? did you tried out the changes suggested ?

Cheers.

148
Views
0
Helpful
2
Replies
CreatePlease to create content