New Member

Access-List Critical Situation - Please reply

Dear All,

I have a Cisco 1841 router for internet.

It has 2 interfaces as follows :-

1. Fast Ethernet 0/0 :-

Description : connected to my ISP router for internet connection.

IP Address of this Interface : /

2. Fast Ethernet 0/1 :-

Description : connected to my Cisco switch to connect devices

IP Address of this Interface : /

The access list which is implemented on it : ip access-group 103 out

The IP scheme for my company which the ISP has assigned to me was the following :-

< First Network > :-

Which is assigned only to the interface F0/0 :-

< ? UP TO >

< Second Network >

Which is assigned only to the interface F0/1 :-

< ? UP TO > .

The Route for My traffic is < IP Route > .

The cable coming out of interface F0/1 is plugged into an UNMANAGED switch on port 2 to connect other devices with Network 2, like my firewall and my CEO's PC, under real IPs as well.

The firewall is a Fortigate and its configuration is as follows:-

First Nic :-

IP :

SM :

GW :

Second Nic

IP Address :

SM :

All the users in my LAN are configured to use the FW as NAT, and all of them are configured with it as GATEWAY.

Our e-mail server is hosted outside, and we are using POP3 & SMTP to access it. We do not have an Exchange server at all.

POP3 :


There is no restriction at all on the firewall to disable any traffic or stop anything at all, and everything is open on the inbound & outbound interfaces of the firewall.

Now ,

1 PC is located not behind the firewall at all, but behind the interface F0/1.

The settings of this PC are as follows :-

< IP : ? SM : ? GW : ? DNS : > .

This user reported to me that he is unable to download his e-mails through POP3, but is able to send using SMTP.

All the other users who are using the firewall are able to send and receive using POP3 & SMTP without any problem at all.

He is the only one who has this problem.

Even if I change the IP and put any other IP from the second network, we find the same problem.

The access list is as follows :-

access-list 103 permit tcp any host eq smtp

access-list 103 permit tcp any host eq pop3

access-list 1 permit

access-list 1 permit

access-list 103 permit ip any any

If you look at the first access list, it means this :

The router has an extended access list called 103, to permit the TCP protocol on port 25 from any source to this destination only, as if the POP3 server & SMTP server is while this is not the situation at all.

And the same but for POP3.

And I open everything on protocol IP from anywhere to anywhere.

1- Now, could the problem of this user, who is using a real IP behind interface F0/1, be the first access list?

Because it only opens SMTP for this host only, which is MY FIREWALL?

Could it be ?

But at the same time, I enable or open everything on this access list, so I am getting confused.

2- What will happen if I write a special access-list to enable only this IP like this :-

Access-list 103 permit tcp host any eq SMTP

Access-list 103 Permit tcp host any eq POP3

3- Or should I write an access-list to open the POP3 server which is to this user only like this :-

Access-list 103 Permit tcp host host eq POP3

Access-list 103 Permit tcp host host eq SMTP

4- Could the problem be the direction of the access-list itself?

Should I put it on F0/0 out?


Re: Access-List Critical Situation - Please reply

If access list 103 is as you posted, this access list does nothing. The permit ip any any at the end with no deny statements above it is the same as not putting in an access list.

I would remove access list 103 and see what happens. I suspect you will see no difference.

Since the firewall works and a PC on the same net does not, I would look at the PC configuration.

Your 2 permit statements look backwards since you indicate that your pop and smtp server are external to you. The statements you have would mean that the firewall would appear as the smtp or pop server. Of course it could be natted to another inside server but you say it is outside.

access-list 103 permit tcp any eq smtp host

access-list 103 permit tcp any eq pop3 host

These statements would allow return traffic to the client from a server on the outside. Since the address represents a client machine, I assume these ports are generally random.

The above is not your issue since you have a permit ip any any after it, but if you plan on denying any traffic in the future you will need to revise your access list.

The sample you give in #3 is closer to correct but this would need to be applied inbound and not outbound on fa 0/1.

I really don't think your access list is your issue.
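The two points in this reply (a list that ends in permit ip any any with only permits above it permits everything, and return traffic from an outside mail server carries the well-known port on the source side, so the statements as posted are backwards) can be checked with a small first-match evaluator. This is an added example, not code from the thread or from Cisco; the addresses are constructed placeholders, since the post omits the real ones, and only the any/host address forms used in the thread are parsed.

```python
"""Toy evaluator for Cisco-style extended ACLs (added example, not from the thread).
Models IOS first-match semantics plus the implicit deny; all addresses below are
constructed placeholders standing in for the ones the post omits."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional

PORT_NAMES = {"smtp": 25, "pop3": 110}  # the only port keywords the thread uses


@dataclass(frozen=True)
class Ace:
    """One entry; None means 'any' for an address or no 'eq' qualifier for a port."""
    action: str
    proto: str
    src: Optional[IPv4Network]
    src_port: Optional[int]
    dst: Optional[IPv4Network]
    dst_port: Optional[int]


def parse_ace(line: str) -> Ace:
    """Parse 'access-list N permit|deny ip|tcp SRC [eq P] DST [eq P]' (any/host forms)."""
    tok = line.strip().rstrip(".").lower().split()
    if len(tok) < 6 or tok[0] != "access-list":
        raise ValueError(f"not an extended access-list line: {line!r}")
    action, proto, pos = tok[2], tok[3], 4

    def take_addr() -> Optional[IPv4Network]:
        nonlocal pos
        if tok[pos] == "any":
            pos += 1
            return None
        if tok[pos] == "host":
            pos += 2
            return IPv4Network(tok[pos - 1] + "/32")
        raise ValueError(f"unsupported address form {tok[pos]!r}")

    def take_port() -> Optional[int]:
        nonlocal pos
        if proto != "tcp" or pos >= len(tok) or tok[pos] != "eq":
            return None
        name, pos = tok[pos + 1], pos + 2
        return int(name) if name.isdigit() else PORT_NAMES[name]

    src, src_port = take_addr(), take_port()
    dst, dst_port = take_addr(), take_port()
    return Ace(action, proto, src, src_port, dst, dst_port)


def parse_acl(text: str) -> List[Ace]:
    return [parse_ace(l) for l in text.splitlines() if l.strip()]


def evaluate(acl: List[Ace], proto: str, src: str, sport: int, dst: str, dport: int) -> str:
    """Action of the first matching entry, else 'deny' (the IOS implicit deny)."""
    for a in acl:
        if (a.proto in ("ip", proto)
                and (a.src is None or IPv4Address(src) in a.src)
                and (a.dst is None or IPv4Address(dst) in a.dst)
                and (a.src_port is None or a.src_port == sport)
                and (a.dst_port is None or a.dst_port == dport)):
            return a.action
    return "deny"


def permits_everything(acl: List[Ace]) -> bool:
    """True when 'permit ip any any' is reached with nothing but permits above it."""
    for a in acl:
        if a.action != "permit":
            return False
        if a.proto == "ip" and a.src is None and a.dst is None:
            return True
    return False


# Constructed stand-ins for the firewall, the affected PC and the hosted mail server.
FIREWALL, CLIENT, MAIL_SERVER = "198.51.100.2", "198.51.100.20", "203.0.113.10"

# The list as posted: the catch-all on the last line makes the two host lines irrelevant.
POSTED_ACL = parse_acl(f"""
access-list 103 permit tcp any host {FIREWALL} eq smtp
access-list 103 permit tcp any host {FIREWALL} eq pop3
access-list 103 permit ip any any
""")
# The reply's orientation for fa0/1 out: a reply comes *from* the server's well-known port.
RETURN_ACL = parse_acl(f"""
access-list 103 permit tcp any eq smtp host {CLIENT}
access-list 103 permit tcp any eq pop3 host {CLIENT}
""")
# The posted orientation without the catch-all, to show what removing it would break.
REVERSED_ACL = parse_acl(f"""
access-list 103 permit tcp any host {CLIENT} eq smtp
access-list 103 permit tcp any host {CLIENT} eq pop3
""")
# Constructed packets forwarded out fa0/1 toward the LAN.
POP3_REPLY = dict(proto="tcp", src=MAIL_SERVER, sport=110, dst=CLIENT, dport=51874)
UNSOLICITED = dict(proto="tcp", src=MAIL_SERVER, sport=40000, dst=CLIENT, dport=110)

if __name__ == "__main__":
    print("posted list permits everything:", permits_everything(POSTED_ACL))
    for name, acl in [("posted", POSTED_ACL), ("return", RETURN_ACL), ("reversed", REVERSED_ACL)]:
        print(f"{name:8} POP3 reply: {evaluate(acl, **POP3_REPLY)}, "
              f"unsolicited to :110: {evaluate(acl, **UNSOLICITED)}")
```

Running it shows the posted list permitting both packets (so it cannot be what blocks POP3), the reply's orientation permitting the server's reply while denying an unsolicited connection to the client's port 110, and the reversed orientation doing the opposite once the catch-all is gone.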

New Member

Re: Access-List Critical Situation - Please reply

So, if I understood correctly,

there was no problem in your access-list at all, until this moment.

So, could the problem be the ISP himself?

Do you think the ISP is putting or doing some access-list to stop it?

2- What do you think if I remove the access-list temporarily, and if I could not find anything, then maybe the problem is from the ISP himself?

Could the problem be the ISP?

Please reply.
