Learner ACL question

Hi,

Will anyone help me with the syntax needed to prevent SMTP traffic leaving the LAN unless it's from one of the two email servers?

Is it

permit host (emailserver1 IP) host any eq 25
permit host (emailserver2 IP) host any eq 25
deny host any host any eq 25

or

permit host (emailserver1 IP) host any eq smtp
permit host (emailserver2 IP) host any eq smtp
permit host any host any eq smtp

and does it have to be an extended ACL? It's a Cisco 837, by the way, with the default installed OS from about 3 years ago. I'm not using the email servers to receive email directly, so I only want email to leave; I'm not using PAT to open it up to two-way traffic.

Thanks in advance for your help, SW

S W

ip access-list extended blocksmtp
 permit tcp host x.x.x.x any eq 25
 permit tcp host y.y.y.y any eq 25
 deny tcp any any eq 25
 permit ip any any

You need the last 'permit', otherwise you'll block all other traffic (there is an implicit 'deny all' at the end of every ACL). You can apply it to the Ethernet interface as an inbound ACL:

interface FastEthernet0
 ip access-group blocksmtp in

And yes, since you're looking to match a particular TCP port, it has to be an extended ACL.

Tom Lawrence
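To see why the trailing 'permit ip any any' matters, here is a small evaluator for the ACL from the reply above, walking each packet through the entries the way IOS does (first match wins, implicit deny at the end). This is an added example, not part of the thread; the 192.0.2.x addresses standing in for x.x.x.x and y.y.y.y are constructed placeholders.

```python
import ipaddress

# Constructed placeholders for the two mail servers (the thread's x.x.x.x / y.y.y.y).
MAIL1 = "192.0.2.10"
MAIL2 = "192.0.2.11"

# Each entry: (action, protocol, source spec, destination spec, destination port or None).
# Mirrors 'ip access-list extended blocksmtp' from the reply, one tuple per line.
BLOCKSMTP = [
    ("permit", "tcp", f"host {MAIL1}", "any", 25),
    ("permit", "tcp", f"host {MAIL2}", "any", 25),
    ("deny",   "tcp", "any",           "any", 25),
    ("permit", "ip",  "any",           "any", None),
]

# The same ACL with the final 'permit ip any any' left off, to show the implicit deny.
BLOCKSMTP_NO_TAIL = BLOCKSMTP[:3]


def _match_addr(spec: str, addr: str) -> bool:
    """'any' matches everything; 'host A.B.C.D' matches exactly that address."""
    if spec == "any":
        return True
    keyword, value = spec.split()
    assert keyword == "host"
    return ipaddress.ip_address(addr) == ipaddress.ip_address(value)


def evaluate(acl, proto: str, src: str, dst: str, dport: int) -> str:
    """Return 'permit' or 'deny' for one packet.

    IOS semantics: entries are checked top to bottom, the first matching entry
    decides, and a packet that matches no entry hits the implicit 'deny all'.
    A protocol of 'ip' in an entry matches any IP protocol.
    """
    for action, aproto, asrc, adst, aport in acl:
        if aproto != "ip" and aproto != proto:
            continue
        if not (_match_addr(asrc, src) and _match_addr(adst, dst)):
            continue
        if aport is not None and aport != dport:
            continue
        return action
    return "deny"  # implicit deny at the end of every ACL


if __name__ == "__main__":
    for acl_name, acl in (("blocksmtp", BLOCKSMTP), ("without tail", BLOCKSMTP_NO_TAIL)):
        print(acl_name, "web from LAN host:", evaluate(acl, "tcp", "192.0.2.50", "198.51.100.5", 443))
```

Running it shows that without the tail, ordinary web traffic from a LAN host is dropped by the implicit deny, exactly the situation the reply warns about.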

Tom,

Thanks a lot for your help. That did the trick. I now have another question, but I'll start a new thread.

Regards, SW

S W
