Velocity Reviews - Computer Hardware Reviews

Learner ACL question

S W
11-21-2006

Hi,

Will anyone help me with the syntax needed to prevent SMTP traffic
leaving the LAN unless it's from one of the two email servers?

Is it
permit host (emailserver1 IP) host any eq 25
permit host (emailserver2 IP) host any eq 25
deny host any host any eq 25

or
permit host (emailserver1 IP) host any eq smtp
permit host (emailserver2 IP) host any eq smtp
permit host any host any eq smtp

And does it have to be an extended ACL?
It's a Cisco 837 by the way, with the default installation OS from about 3
years ago. I'm not using the email servers to receive email directly, so
I only want email to leave; I'm not using PAT to open it up to two-way
traffic.

Thanks in advance for your help,
SW

Tom Lawrence
11-21-2006

> Will anyone help me with the syntax needed to prevent SMTP traffic leaving
> the LAN unless it's from one of the two email servers?


ip access-list extended blocksmtp
permit tcp host x.x.x.x any eq 25
permit tcp host y.y.y.y any eq 25
deny tcp any any eq 25
permit ip any any

You need the last 'permit', otherwise you'll block all other traffic
(implicit 'deny all' at the end of every ACL). You can apply it to the
ethernet as an inbound ACL:

interface FastEthernet0
 ip access-group blocksmtp in

And yes, since you're looking to match a particular TCP port, it has to be
an extended ACL.
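A small first-match evaluator for the list above, added here as an illustration and not part of the thread. It handles only the 'any' / 'host' address forms and 'eq' port matches that the thread uses; the addresses are constructed RFC 5737 values standing in for x.x.x.x and y.y.y.y. It shows that 'eq smtp' and 'eq 25' are the same entry, and why the final 'permit ip any any' matters: without it the implicit deny also drops the workstations' non-SMTP traffic.

```python
import ipaddress

PORT_NAMES = {"smtp": 25}   # IOS accepts the name or the number: 'eq smtp' == 'eq 25'

def _addr(tok, i):
    """Parse 'any' or 'host A.B.C.D' (the only address forms used in this thread)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2

def parse_acl(text):
    """Turn 'permit tcp host X any eq 25' style entries into (action, proto, src, dst, dport)."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] == "ip":      # skip the 'ip access-list extended <name>' header
            continue
        src, i = _addr(tok, 2)
        dst, i = _addr(tok, i)
        dport = None
        if i < len(tok) and tok[i] == "eq":
            dport = int(PORT_NAMES.get(tok[i + 1], tok[i + 1]))
        rules.append((tok[0], tok[1], src, dst, dport))
    return rules

def evaluate(rules, proto, src, dst, dport=None):
    """First matching entry wins; no match means the implicit 'deny' at the end of every ACL."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rproto, rsrc, rdst, rport in rules:
        if rproto not in ("ip", proto) or s not in rsrc or d not in rdst:
            continue
        if rport is not None and rport != dport:
            continue
        return action
    return "deny"

# Tom's list; constructed RFC 5737 addresses stand in for x.x.x.x and y.y.y.y.
BLOCKSMTP = """
ip access-list extended blocksmtp
permit tcp host 192.0.2.10 any eq 25
permit tcp host 192.0.2.11 any eq smtp
deny tcp any any eq 25
permit ip any any
"""

def check_blocksmtp(with_final_permit=True):
    """Verdicts for: mail server SMTP out, workstation SMTP out, workstation HTTPS out."""
    rules = parse_acl(BLOCKSMTP)[: None if with_final_permit else -1]
    dst = "198.51.100.5"
    return tuple(evaluate(rules, "tcp", src, dst, port)
                 for src, port in (("192.0.2.10", 25), ("192.0.2.77", 25), ("192.0.2.77", 443)))
```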
S W
11-22-2006

Tom Lawrence wrote:
>> Will anyone help me with the syntax needed to prevent SMTP traffic leaving
>> the LAN unless it's from one of the two email servers?

>
>
> ip access-list extended blocksmtp
> permit tcp host x.x.x.x any eq 25
> permit tcp host y.y.y.y any eq 25
> deny tcp any any eq 25
> permit ip any any
>
> You need the last 'permit', otherwise you'll block all other traffic
> (implicit 'deny all' at the end of every ACL). You can apply it to the
> ethernet as an inbound ACL:
>
> interface FastEthernet0
> ip access-group blocksmtp in
>
> And yes, since you're looking to match a particular TCP port, it has to be
> an extended ACL.
>
>


Tom,

Thanks a lot for your help.
That did the trick. I now have another question, but I'll start a new
thread.

Regards,
SW