Hi all,
My client has asked me to configure an access list that allows SMTP and POP3 traffic from a specific address on his network to a foreign address, denies any other traffic between these two addresses, and allows all other traffic. This is the configuration:
access-list 109 remark ACL Customer OUT
access-list 109 permit tcp host xxx.xxx.x.xx host xx.xxx.xxx.x eq smtp
access-list 109 permit tcp host xxx.xxx.x.xx host xx.xxx.xxx.x eq pop3
access-list 109 deny ip host xxx.xxx.x.ss any
access-list 109 permit ip any any
interface GigabitEthernet0/0
ip access-group 109 out
The output of show access-lists 109 shows me that it is not working well. Does someone know the reason?
Thanks a lot
Customer#sh access-lists 109
Extended IP access list 109
10 permit tcp host xxx.xxx.x.xx host xx.xxx.x.xx eq smtp
20 permit tcp host xxx.xxx.x.xx host xx.xxx.x.xx eq pop3
30 deny ip host xxx.xxx.x.xx any (2566 matches)
40 permit ip any any (4945535 matches)
There is a problem in the deny statement of the access list:
access-list 109 deny ip host xxx.xxx.x.ss any
This will deny traffic to any other hosts too. You need to replace it with:
access-list 109 deny ip host SRCIP host DSTIP
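To show why the deny statement in the first reply matters, here is an added Python example (not part of the original post or of either reply) that models how an IOS extended ACL is evaluated: entries are checked top to bottom, the first match decides, and a packet that matches nothing hits the implicit deny at the end. It parses the posted ACL and the corrected one and runs the same four packets through both. The addresses 192.0.2.10 (client host), 198.51.100.5 (foreign host) and 203.0.113.7 (some other destination) are assumed placeholders for the masked xxx addresses in the post; the port names smtp and pop3 are mapped to 25 and 110 as IOS does.

```python
"""Simulate first-match evaluation of a Cisco IOS numbered extended ACL.

Added example: the parser covers only the syntax used on this page
(permit/deny, ip or tcp, 'any' / 'host A' / 'A WILDCARD', optional 'eq PORT').
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Port names used on the page; IOS accepts these keywords in place of numbers.
PORT_NAMES = {"smtp": 25, "pop3": 110}


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    action: str                # "permit" or "deny"
    proto: str                 # "ip" matches every protocol
    src: str                   # CIDR string, "0.0.0.0/0" for 'any'
    dst: str
    dport: Optional[int] = None  # None means any destination port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if ip_address(pkt.src) not in ip_network(self.src, strict=False):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst, strict=False):
            return False
        return self.dport is None or self.dport == pkt.dport


def _parse_addr(tokens: List[str], i: int) -> Tuple[str, int]:
    """Return (cidr, next_index) for 'any', 'host A' or 'A WILDCARD'."""
    if tokens[i] == "any":
        return "0.0.0.0/0", i + 1
    if tokens[i] == "host":
        return tokens[i + 1] + "/32", i + 2
    # Wildcard mask: a 0 bit means "must match"; count fixed bits to get a prefix.
    # Assumes a contiguous wildcard (e.g. 0.0.0.255), which is the common case.
    prefix = sum(bin(255 - int(o)).count("1") for o in tokens[i + 1].split("."))
    return "%s/%d" % (tokens[i], prefix), i + 2


def parse_acl(text: str) -> List[Ace]:
    """Parse 'access-list N permit|deny proto src dst [eq port]' lines in order."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list" or tokens[2] == "remark":
            continue
        action, proto = tokens[2], tokens[3]
        src, i = _parse_addr(tokens, 4)
        dst, i = _parse_addr(tokens, i)
        dport = None
        if i < len(tokens) and tokens[i] == "eq":
            dport = PORT_NAMES.get(tokens[i + 1]) or int(tokens[i + 1])
        aces.append(Ace(action, proto, src, dst, dport))
    return aces


def evaluate(aces: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching entry wins; returns (action, sequence number).

    Sequence numbers are 10, 20, 30... as 'show access-lists' displays them.
    A packet matching no entry hits the implicit 'deny ip any any' (seq None).
    """
    for seq, ace in enumerate(aces, start=1):
        if ace.matches(pkt):
            return ace.action, seq * 10
    return "deny", None


# The ACL as posted, with assumed placeholder addresses for the masked ones.
ORIGINAL_ACL = """
access-list 109 remark ACL Customer OUT
access-list 109 permit tcp host 192.0.2.10 host 198.51.100.5 eq smtp
access-list 109 permit tcp host 192.0.2.10 host 198.51.100.5 eq pop3
access-list 109 deny ip host 192.0.2.10 any
access-list 109 permit ip any any
"""

# The fix from the reply: deny only the pair, not the host to everywhere.
CORRECTED_ACL = ORIGINAL_ACL.replace(
    "deny ip host 192.0.2.10 any", "deny ip host 192.0.2.10 host 198.51.100.5")

# Constructed test traffic (all addresses are assumed placeholders).
TEST_PACKETS = [
    Packet("tcp", "192.0.2.10", "198.51.100.5", 25),   # mail to foreign host
    Packet("tcp", "192.0.2.10", "198.51.100.5", 80),   # web to foreign host
    Packet("tcp", "192.0.2.10", "203.0.113.7", 443),   # client host elsewhere
    Packet("tcp", "192.0.2.20", "198.51.100.5", 80),   # another host, any traffic
]


def decisions(acl_text: str) -> List[str]:
    """Action the ACL takes for each packet in TEST_PACKETS, in order."""
    aces = parse_acl(acl_text)
    return [evaluate(aces, p)[0] for p in TEST_PACKETS]


if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL), ("corrected", CORRECTED_ACL)):
        aces = parse_acl(acl)
        print(name)
        for p in TEST_PACKETS:
            print("  %s -> %s:%s  %s" % (p.src, p.dst, p.dport, evaluate(aces, p)))
```

With the posted ACL the third packet, from the client host to an unrelated destination, is dropped by sequence 30 because that entry says `any`; that is the kind of traffic behind the 2566 matches shown on line 30 of the show output. With the corrected entry the same packet falls through to sequence 40 and is permitted, while non-mail traffic between the two specific hosts is still denied.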
By "behind Gi0/0", do you mean that g0/0 faces the foreign address?
By "not working well", what do you mean? What are the results of testing connectivity?
You should use some addresses for the client host and the foreign host so we can better understand.
You may also want to write an access list to go “in” on the same interface to filter traffic coming from the foreign host.
It's difficult to say without understanding the topology, but where is the source host in relation to gi0/0? Are you sure you have applied the ACL to
1) the right interface
2) the right direction on the interface