Need Access List Help

phampton
Level 1

I am working on an access list for my router and am a real Nervous Nellie about it. I have a mail server with six virtual hosts and a webserver with mail and ftp as well as a hundred virtual domains, all with their own IP addresses within the same Class C.

If I apply:

access-group 102 out
access-list 102 permit tcp host 100.100.100.3 any established
access-list 102 permit icmp host 100.100.100.3 any echo-reply
access-list 102 permit tcp host 100.100.100.3 any eq ftp
access-list 102 permit udp host 100.100.100.3 any eq domain
access-list 102 permit tcp host 100.100.100.3 any eq domain

to the interface for that Class C, assuming the above address to be the primary address of my webserver, will this keep my mail server and the other domains in that Class C from working by implicitly denying these packets from their addresses? If so, is there any benefit to applying these rules to the entire Class C? Do I need to add anything for incoming and outgoing mail?

Thanks!

1 Reply

rsissons
Level 5

If you use this access list with access-list OUT on the actual LAN interface, it will effectively block all traffic because of the implicit deny at the end.

Since the direction is with regard to the router, OUT applies to all traffic leaving the router and going onto the LAN, so it can never have a source address of an address on the LAN.

You would need to swap your source and destination parameters and use an access-list IN on the LAN interface, or use the access list on the outgoing interface. You also need to permit SMTP for mail traffic.
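As an added illustration (not part of the original thread), here are the question's entries rewritten the way the reply describes: applied IN on the LAN interface, where packets from the servers still carry their own addresses as source, widened to the whole Class C so the mail server and the other virtual hosts are covered, and with SMTP added for outgoing mail. The interface name and the 0.0.0.255 wildcard mask are assumptions.

```cisco
! Added example, not the original poster's configuration.
! Applied inbound on the LAN interface, so every entry matches packets
! that the servers send; the source is the whole Class C (mask assumed).
!
! Replies from the servers to sessions that outside clients opened
! (web, incoming mail, FTP). Note: "established" only checks for the
! ACK or RST flag; it is not a stateful session check.
access-list 102 permit tcp 100.100.100.0 0.0.0.255 any established
! Replies to pings from outside
access-list 102 permit icmp 100.100.100.0 0.0.0.255 any echo-reply
! Sessions the servers themselves open: FTP, DNS, and outgoing mail
access-list 102 permit tcp 100.100.100.0 0.0.0.255 any eq ftp
access-list 102 permit udp 100.100.100.0 0.0.0.255 any eq domain
access-list 102 permit tcp 100.100.100.0 0.0.0.255 any eq domain
access-list 102 permit tcp 100.100.100.0 0.0.0.255 any eq smtp
! Anything else the LAN sends is dropped by the implicit deny at the end.
!
interface FastEthernet0/0
 description LAN side (interface name assumed)
 ip access-group 102 in
```

Incoming mail and web requests from the Internet are not filtered by this list at all, since it only inspects what the LAN sends; the servers' answers to those requests pass under the established entry.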
