Learner ACL question

Discussion in 'Cisco' started by S W, Nov 21, 2006.

  1. S W

    S W Guest

    Hi,

    Will anyone help me with the syntax needed to prevent SMTP traffic
    leaving the LAN unless it's from one of the two email servers?

    Is it
    permit host (emailserver1 IP) host any eq 25
    permit host (emailserver2 IP) host any eq 25
    deny host any host any eq 25

    or
    permit host (emailserver1 IP) host any eq smtp
    permit host (emailserver2 IP) host any eq smtp
    permit host any host any eq smtp

    and does it have to be an extended acl?
    It's a Cisco 837 by the way, with default installation OS from about 3
    years ago. I'm not using the email servers to receive email directly, so
    I only want email to leave; I'm not using PAT to open it up to two-way
    traffic.

    Thanks in advance for your help,
    SW
     
    S W, Nov 21, 2006
    #1

  2. Tom Lawrence

    Tom Lawrence Guest

    > Will anyone help me with the syntax needed to prevent SMTP traffic leaving
    > the LAN unless it's from one of the two email servers?


    ip access-list extended blocksmtp
    permit tcp host x.x.x.x any eq 25
    permit tcp host y.y.y.y any eq 25
    deny tcp any any eq 25
    permit ip any any

    You need the last 'permit', otherwise you'll block all other traffic
    (implicit 'deny all' at the end of every ACL). You can apply it to the
    ethernet as an inbound ACL:

    interface FastEthernet0
    ip access-group blocksmtp in

    And yes, since you're looking to match a particular TCP port, it has to be
    an extended ACL.
     
    Tom Lawrence, Nov 21, 2006
    #2
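    To make the ordering argument in the answer concrete, here is a small first-match ACL evaluator. It is an added illustration, not part of the original thread and not Cisco code; the addresses 192.168.1.10/11 (mail servers), 192.168.1.50 (a workstation) and 203.0.113.x (outside hosts) are constructed sample values standing in for the x.x.x.x / y.y.y.y placeholders, and the two drafts from the question are expressed in the `permit tcp host ... any eq ...` form used in the answer so that all three lists can be compared on the same packets.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample addresses (the thread itself only uses x.x.x.x / y.y.y.y).
MAIL1 = "192.168.1.10"
MAIL2 = "192.168.1.11"
WORKSTATION = "192.168.1.50"


@dataclass(frozen=True)
class Ace:
    """One access-control entry: action, protocol, source, destination, dest port."""
    action: str            # "permit" or "deny"
    proto: str             # "ip" (matches any protocol) or "tcp"
    src: str               # host address or "any"
    dst: str               # host address or "any"
    dport: Optional[int]   # destination port, or None for any port

    def matches(self, proto, src, dst, dport):
        if self.proto != "ip" and self.proto != proto:
            return False
        if self.src != "any" and self.src != src:
            return False
        if self.dst != "any" and self.dst != dst:
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return True


def evaluate(acl, proto, src, dst, dport):
    """IOS semantics: the first matching entry wins; no match hits the implicit deny."""
    for ace in acl:
        if ace.matches(proto, src, dst, dport):
            return ace.action
    return "deny"  # implicit 'deny all' at the end of every ACL


def parse_ace(line):
    """Parse the subset of IOS ACE syntax used in the thread,
    e.g. 'permit tcp host 192.168.1.10 any eq 25' or 'permit ip any any'."""
    tok = line.split()
    action, proto = tok[0], tok[1]
    pos = 2

    def addr():
        nonlocal pos
        if tok[pos] == "host":
            pos += 2
            return tok[pos - 1]
        pos += 1          # the keyword 'any'
        return "any"

    src, dst = addr(), addr()
    dport = None
    if pos < len(tok) and tok[pos] == "eq":
        dport = 25 if tok[pos + 1] == "smtp" else int(tok[pos + 1])
    return Ace(action, proto, src, dst, dport)


def parse_acl(text):
    return [parse_ace(l) for l in text.strip().splitlines() if l.strip()]


# The list from the answer: two explicit permits, an explicit deny, a trailing permit.
ANSWER_ACL = parse_acl(f"""
permit tcp host {MAIL1} any eq 25
permit tcp host {MAIL2} any eq 25
deny tcp any any eq 25
permit ip any any
""")

# First draft from the question: same first three lines, no trailing permit,
# so the implicit deny also swallows every non-SMTP packet.
DRAFT_NO_TRAILING_PERMIT = ANSWER_ACL[:3]

# Second draft from the question: ends in 'permit ... any any eq smtp',
# so the deny never exists and any host may still send SMTP.
DRAFT_PERMIT_ALL_SMTP = parse_acl(f"""
permit tcp host {MAIL1} any eq smtp
permit tcp host {MAIL2} any eq smtp
permit tcp any any eq smtp
""")


def check(acl):
    """Verdicts for: mail server SMTP, workstation SMTP, workstation HTTPS."""
    return (
        evaluate(acl, "tcp", MAIL1, "203.0.113.25", 25),
        evaluate(acl, "tcp", WORKSTATION, "203.0.113.25", 25),
        evaluate(acl, "tcp", WORKSTATION, "203.0.113.80", 443),
    )


if __name__ == "__main__":
    for name, acl in [("answer", ANSWER_ACL),
                      ("draft 1", DRAFT_NO_TRAILING_PERMIT),
                      ("draft 2", DRAFT_PERMIT_ALL_SMTP)]:
        print(name, check(acl))
```

    Only the answer's list gives the intended result (mail server SMTP permitted, workstation SMTP denied, other workstation traffic permitted); the first draft also denies the HTTPS packet, and the second draft lets the workstation's SMTP through. On the router itself, `show ip access-lists blocksmtp` displays a per-entry match counter, which is the quickest way to confirm that the deny line is actually catching traffic from hosts other than the two mail servers.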

  3. S W

    S W Guest

    Tom Lawrence wrote:
    >> Will anyone help me with the syntax needed to prevent SMTP traffic leaving
    >> the LAN unless it's from one of the two email servers?
    >
    > ip access-list extended blocksmtp
    > permit tcp host x.x.x.x any eq 25
    > permit tcp host y.y.y.y any eq 25
    > deny tcp any any eq 25
    > permit ip any any
    >
    > You need the last 'permit', otherwise you'll block all other traffic
    > (implicit 'deny all' at the end of every ACL). You can apply it to the
    > ethernet as an inbound ACL:
    >
    > interface FastEthernet0
    > ip access-group blocksmtp in
    >
    > And yes, since you're looking to match a particular TCP port, it has to be
    > an extended ACL.

    Tom,

    Thanks a lot for your help.
    That did the trick. I now have another question, but I'll start a new
    thread.

    Regards,
    SW
     
    S W, Nov 22, 2006
    #3