Access-list

tonny_ecmyy
Level 1

Hi,

OK, like this: I want to deny network 192.168.1.0/24 from sending email using port 25 (SMTP) and want to allow only 192.168.1.2 to send email. The config below is not working; it denies all TCP 25:

access-list outbound deny tcp 192.168.1.0 255.255.255.0 any eq 25

access-list outbound permit tcp host 192.168.1.2 any eq 25

access-list outbound permit ip any any

access-group outbound in interface inside

Any idea what's wrong with my config?

Thanks

2 Accepted Solutions

Fernando_Meza
Level 7

Hi, try this:

access-list outbound permit tcp host 192.168.1.2 any eq 25

access-list outbound deny tcp 192.168.1.0 255.255.255.0 any eq 25

access-list outbound permit ip any any

access-group outbound in interface inside

I hope it helps. Please rate it if it does!

Oops, my access-list is upside down? If I want to allow another host, 192.168.1.3, should I repeat the same procedure, starting from permit tcp 192.168.1.3 and then deny other tcp 25?

Yes.

Alright dude, it works, thanks.

c.spescha
Level 1

Hi Tonny,

Change the sequence like that.

Keep in mind that once you have a "deny match", no further ACL statements will be checked.

access-list outbound permit tcp host 192.168.1.2 any eq 25

access-list outbound deny tcp 192.168.1.0 255.255.255.0 any eq 25

access-list outbound permit ip any any

access-group outbound in interface inside

Cheers

Claudio
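
The first-match behaviour discussed in this thread, as an added example that is not part of any poster's reply and is not Cisco code: a small Python model that parses the ACL lines from the thread, evaluates a packet top-down, and flags entries that can never match because an earlier entry covers them. The function names and the destination 203.0.113.10 are constructed for illustration, and the parser handles only the syntax used in the thread.

```python
import ipaddress

def parse_addr(tok):
    """Consume one address spec ('any', 'host A' or 'NET MASK') from the token list."""
    first = tok.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tok.pop(0) + "/32")
    return ipaddress.ip_network(f"{first}/{tok.pop(0)}")

def parse_ace(line):
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT]'."""
    tok = line.split()[2:]                      # drop 'access-list NAME'
    action, proto = tok.pop(0), tok.pop(0)
    src, dst = parse_addr(tok), parse_addr(tok)
    port = int(tok[1]) if tok[:1] == ["eq"] else None
    return {"line": line, "action": action, "proto": proto, "src": src, "dst": dst, "port": port}

def covers(a, b):
    """True if everything matched by entry (or packet) b is also matched by entry a."""
    return (a["proto"] in ("ip", b["proto"])
            and b["src"].subnet_of(a["src"]) and b["dst"].subnet_of(a["dst"])
            and (a["port"] is None or a["port"] == b["port"]))

def evaluate(acl, proto, src, dst, port):
    """Walk the list top-down; the first matching entry decides, else implicit deny."""
    pkt = {"proto": proto, "src": ipaddress.ip_network(src + "/32"),
           "dst": ipaddress.ip_network(dst + "/32"), "port": port}
    for ace in acl:
        if covers(ace, pkt):
            return ace["action"]
    return "deny"

def shadowed(acl):
    """Entries that are unreachable because an earlier entry already covers them."""
    return [b["line"] for i, b in enumerate(acl) if any(covers(a, b) for a in acl[:i])]

# ACL lines copied from the thread: original order, then the corrected order.
BROKEN = [parse_ace(l) for l in (
    "access-list outbound deny tcp 192.168.1.0 255.255.255.0 any eq 25",
    "access-list outbound permit tcp host 192.168.1.2 any eq 25",
    "access-list outbound permit ip any any")]
FIXED = [BROKEN[1], BROKEN[0], BROKEN[2]]

if __name__ == "__main__":
    for name, acl in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, evaluate(acl, "tcp", "192.168.1.2", "203.0.113.10", 25), shadowed(acl))
```

Running `shadowed()` over a rule set before applying it catches this class of ordering mistake, including when more permitted hosts such as 192.168.1.3 are added later.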