
New Member

ACL on switches

Hello all,

I am learning how to write ACLs, and one of the exercises is that I have to write an ACL to restrict PING, HTTP, FTP, and allow POP3 and SMTP between a PC and server. Below is my ACL. The thing that does not work is the POP3/SMTP access. It continues to fail. I do not want to just add a "permit ip any any" to make it work. Can someone help? Thanks!

PC1:  192.168.6.65

PC2:  192.168.6.66

Svr1:  209.1.5.14

    10 deny icmp host 192.168.6.65 host 209.1.5.14 echo
    20 deny icmp host 192.168.6.65 host 209.1.5.14 echo-reply
    30 deny icmp host 192.168.6.66 host 209.1.5.14 echo
    40 deny icmp host 192.168.6.66 host 209.1.5.14 echo-reply
    50 deny tcp host 192.168.6.65 host 209.1.5.14 eq www
    60 deny tcp host 192.168.6.66 host 209.1.5.14 eq www
    70 deny tcp host 192.168.6.65 host 209.1.5.14 eq ftp
    80 deny tcp host 192.168.6.65 host 209.1.5.14 eq ftp-data
    90 deny tcp host 192.168.6.66 host 209.1.5.14 eq ftp
    100 deny tcp host 192.168.6.66 host 209.1.5.14 eq ftp-data
    190 permit tcp host 192.168.6.65 host 209.1.5.14 eq smtp
    200 permit tcp host 192.168.6.66 host 209.1.5.14 eq smtp
    210 permit tcp host 192.168.6.65 host 209.1.5.14 eq pop3
    220 permit tcp host 192.168.6.66 host 209.1.5.14 eq pop3

4 REPLIES

ACL on switches

Does POP3/SMTP access work if you remove the ACL?

If you try to access a domain name (e.g. POP.YOURDOMAIN.COM or SMTP.YOURDOMAIN.COM), you must permit DNS traffic in your ACL (port 53, UDP and TCP).

Regards.

New Member

ACL on switches

What port is the SMTP server using? 25, 465 or 587? I would think an in-house server would use 25, but most internet servers use other ports. Does it work if you use permit any any? First make it work, and then add/remove entries to see where it breaks.

New Member

ACL on switches

Thanks Viningele.

Yes, the port is open for 25 and it is internal. Yes, it works if I put "permit ip any any". I tried doing this line by line, but it yielded the same result. If I have to do this again line by line, then what should the order be? I tried the following:

1.  Just adding the "permit" lines, but no go.

2.  Just adding the "deny" lines, but no go.

3.  Just adding "permit" for one PC, but no go on the other PC, and vice versa.

New Member

ACL on switches

Thanks Daniele.

Yes it works without the ACL in place.

The connection is only going via port numbers 25 and 110.  No testing needed for port 53.
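As an added illustration (not code from anyone in this thread), a small Python model of IOS first-match extended-ACL evaluation run over the posted list: it reports which sequence number each packet hits, and shows that a server-to-PC packet (source port 25, ephemeral destination port) matches no entry and falls through to the implicit deny at the end, which is why the interface and direction the list is applied in matter. This is the entry-by-entry check the second reply suggests, done offline; the packets and the ephemeral port 49152 are constructed for the example.

```python
# Well-known ports behind the IOS keyword aliases used in the posted ACL.
PORTS = {"www": 80, "ftp": 21, "ftp-data": 20, "smtp": 25, "pop3": 110}

# The access list exactly as posted in the question.
OP_ACL = """
10 deny icmp host 192.168.6.65 host 209.1.5.14 echo
20 deny icmp host 192.168.6.65 host 209.1.5.14 echo-reply
30 deny icmp host 192.168.6.66 host 209.1.5.14 echo
40 deny icmp host 192.168.6.66 host 209.1.5.14 echo-reply
50 deny tcp host 192.168.6.65 host 209.1.5.14 eq www
60 deny tcp host 192.168.6.66 host 209.1.5.14 eq www
70 deny tcp host 192.168.6.65 host 209.1.5.14 eq ftp
80 deny tcp host 192.168.6.65 host 209.1.5.14 eq ftp-data
90 deny tcp host 192.168.6.66 host 209.1.5.14 eq ftp
100 deny tcp host 192.168.6.66 host 209.1.5.14 eq ftp-data
190 permit tcp host 192.168.6.65 host 209.1.5.14 eq smtp
200 permit tcp host 192.168.6.66 host 209.1.5.14 eq smtp
210 permit tcp host 192.168.6.65 host 209.1.5.14 eq pop3
220 permit tcp host 192.168.6.66 host 209.1.5.14 eq pop3
"""

def parse_ace(line):
    """'seq action proto host SRC host DST [eq PORT | ICMP-TYPE]' -> tuple."""
    t = line.split()
    qual = t[8] if len(t) > 8 else (t[7] if len(t) > 7 else None)  # port keyword or ICMP type
    return int(t[0]), t[1], t[2], t[4], t[6], PORTS.get(qual, qual)

def ace_matches(ace, pkt):
    """pkt: proto, src, dst and qual (TCP destination port or ICMP type)."""
    _, _, proto, src, dst, qual = ace
    return ((proto, src, dst) == (pkt["proto"], pkt["src"], pkt["dst"])
            and (qual is None or qual == pkt["qual"]))

def evaluate(acl_text, pkt):
    """First match wins; returns (action, seq). seq None = the implicit deny."""
    for line in acl_text.strip().splitlines():
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace[1], ace[0]
    return "deny", None

PC1, SVR = "192.168.6.65", "209.1.5.14"

def walk_mail_session():
    """Both directions of PC1's SMTP session, as an ACL evaluating each would see them."""
    outbound = {"proto": "tcp", "src": PC1, "dst": SVR, "qual": 25}
    reply = {"proto": "tcp", "src": SVR, "dst": PC1, "qual": 49152}  # constructed ephemeral port
    return {"pc_to_server": evaluate(OP_ACL, outbound),
            "server_to_pc": evaluate(OP_ACL, reply)}
```

If the list is applied where it sees the server's replies, `walk_mail_session()["server_to_pc"]` is the entry that would need to exist; if it is applied only inbound on the PC side, the reply direction is never evaluated and the failure lies elsewhere.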
