Mail Server, Web Server blocked by Access-list???

rshullaw
Level 1

I've been trying to apply the 105 access-list to the serial interface inbound to protect these internal networks from the big, bad Internet, but I need to allow for a web server and an email server at the static NAT address that's been specified. When I apply the access-list, however, I am unable to browse to the web server from the outside, and mail doesn't go through. Internet traffic (browsing) from inside the network seems fine, however.

Any thoughts or advice would be greatly appreciated.

! Anti-spoofing denies: drop packets arriving from the Internet with impossible, private or multicast sources
access-list 105 deny ip host 0.0.0.0 any log
access-list 105 deny ip any 255.255.255.128 0.0.0.127 log
access-list 105 deny ip 0.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255 log
access-list 105 deny ip 10.0.0.0 0.255.255.255 any log
access-list 105 deny ip 127.0.0.0 0.255.255.255 any log
access-list 105 deny ip 172.16.0.0 0.15.255.255 any log
access-list 105 deny ip 192.168.0.0 0.0.255.255 any log
access-list 105 deny ip 223.255.255.0 0.0.0.255 255.255.255.0 0.0.0.255 log
access-list 105 deny ip 224.0.0.0 31.255.255.255 224.0.0.0 31.255.255.255 log
access-list 105 deny ip 10.1.0.0 0.0.255.255 any log
! DNS replies from the two resolvers (source port 53) to the public /24
access-list 105 permit udp host xxx.xxx.xxx.xxx eq domain xxx.xxx.xxx.xxx 0.0.0.255
access-list 105 permit udp host xxx.xxx.xxx.xxx eq domain xxx.xxx.xxx.xxx 0.0.0.255
! Server permits as posted: 'eq' follows the source address here, so it matches the SOURCE port
access-list 105 permit tcp any eq www xxx.xxx.xxx.xxx 0.0.0.255
access-list 105 permit tcp any eq 8443 xxx.xxx.xxx.xxx 0.0.0.255
access-list 105 permit tcp any eq 443 xxx.xxx.xxx.xxx 0.0.0.255
! The host below is the mail server's static inside global (public) address
access-list 105 permit tcp any eq smtp host xxx.xxx.xxx.xxx
access-list 105 permit tcp any eq telnet xxx.xxx.xxx.xxx 0.0.0.255
! Explicit final deny so the dropped traffic is logged
access-list 105 deny ip any any log

Thanks!

3 Replies

wolfrikk
Level 3

Move the eq statement to the end of the line.

! host xxx.xxx.xxx.xxx is the mail server's static inside global (public) address
access-list 105 permit tcp any host xxx.xxx.xxx.xxx eq smtp

The format is access-list XXX permit tcp <Source IP> <Source Port> <Destination IP> <Destination Port>.

You are allowing incoming traffic from the ports with your configuration, not allowing it to the port.

Of course...

Excellent...thanks for your help!
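To make wolfrikk's point about `eq` position concrete against the ACL in the question, here is an added example that is not part of the original thread: a small Python evaluator for the extended-ACL syntax used above (`any`, `host`, address plus wildcard, optional `eq <port>` after source and/or destination, trailing `log`), run first over the "eq before the destination" form from the question and then over the corrected form. The addresses are assumptions standing in for the redacted xxx.xxx.xxx.xxx: 203.0.113.0/24 plays the public (inside global) block, 203.0.113.10 the web server, 203.0.113.25 the mail server, and 198.51.100.7 an outside host. The two four-line configs are constructed excerpts, not the full list.

```python
"""Toy evaluator for the Cisco IOS extended-ACL syntax used in this thread.
Added example, not code from the forum post. It handles only 'any',
'host A.B.C.D', 'A.B.C.D WILDCARD', an optional 'eq <port>' after the source
and/or destination, and a trailing 'log'. Addresses are assumptions in place
of the redacted xxx.xxx.xxx.xxx: 203.0.113.0/24 is the public (inside global)
block, .10 the web server, .25 the mail server; 198.51.100.7 is an outside host.
"""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

PORT_NAMES = {"www": 80, "smtp": 25, "domain": 53, "telnet": 23}

@dataclass(frozen=True)
class Ace:
    action: str            # 'permit' or 'deny'
    proto: str             # 'ip', 'tcp' or 'udp'
    src: tuple[int, int]   # (address, wildcard); set wildcard bits are don't-care
    sport: Optional[int]   # source port, present only if 'eq' followed the source
    dst: tuple[int, int]
    dport: Optional[int]   # destination port, present only if 'eq' followed the destination
    text: str              # the original line, for reporting which ACE matched

def _addr(tokens: list[str]) -> tuple[int, int]:
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host":
        return int(IPv4Address(tokens.pop(0))), 0
    return int(IPv4Address(tok)), int(IPv4Address(tokens.pop(0)))

def _port(tokens: list[str]) -> Optional[int]:
    """Consume an optional 'eq <port>'; IOS binds it to the address just before it."""
    if tokens[:1] != ["eq"]:
        return None
    _, name = tokens.pop(0), tokens.pop(0)
    return PORT_NAMES.get(name) or int(name)

def parse_ace(line: str) -> Ace:
    tokens = line.split()[2:]                  # drop 'access-list <number>'
    action, proto = tokens.pop(0), tokens.pop(0)
    src, sport = _addr(tokens), _port(tokens)  # an 'eq' here is a SOURCE port
    dst, dport = _addr(tokens), _port(tokens)  # an 'eq' here is a DESTINATION port
    if tokens[:1] == ["log"]:
        tokens.pop(0)
    if tokens:
        raise ValueError(f"unparsed tokens {tokens!r} in {line!r}")
    return Ace(action, proto, src, sport, dst, dport, line)

def _match(spec: tuple[int, int], ip: str) -> bool:
    addr, wildcard = spec
    return (int(IPv4Address(ip)) | wildcard) == (addr | wildcard)

def evaluate(acl: list[Ace], proto: str, src: str, sport: int,
             dst: str, dport: int) -> tuple[str, str]:
    """First match wins; anything unmatched hits the implicit deny."""
    for ace in acl:
        if ace.proto not in ("ip", proto):
            continue
        if not (_match(ace.src, src) and _match(ace.dst, dst)):
            continue
        if ace.sport is not None and ace.sport != sport:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, ace.text
    return "deny", "implicit deny"

def load(config: str) -> list[Ace]:
    return [parse_ace(line) for line in config.strip().splitlines()]

# Constructed excerpts: one anti-spoofing deny, the two disputed permits, the final deny.
AS_POSTED = load("""
access-list 105 deny ip 10.0.0.0 0.255.255.255 any log
access-list 105 permit tcp any eq www 203.0.113.0 0.0.0.255
access-list 105 permit tcp any eq smtp host 203.0.113.25
access-list 105 deny ip any any log""")
CORRECTED = load("""
access-list 105 deny ip 10.0.0.0 0.255.255.255 any log
access-list 105 permit tcp any 203.0.113.0 0.0.0.255 eq www
access-list 105 permit tcp any host 203.0.113.25 eq smtp
access-list 105 deny ip any any log""")

def inbound_web(acl: list[Ace]) -> str:
    """Browser SYN: ephemeral source port, destination port 80 on the web server."""
    return evaluate(acl, "tcp", "198.51.100.7", 51515, "203.0.113.10", 80)[0]
def inbound_smtp(acl: list[Ace]) -> str:
    return evaluate(acl, "tcp", "198.51.100.7", 51515, "203.0.113.25", 25)[0]
def return_web_traffic(acl: list[Ace]) -> str:
    """Reply from a remote web server (source port 80) to an inside browser's NAT address."""
    return evaluate(acl, "tcp", "198.51.100.7", 80, "203.0.113.77", 51515)[0]
def source_port_80_to_rdp(acl: list[Ace]) -> str:
    """Sender picks source port 80 (its free choice) and aims at 3389 on another host."""
    return evaluate(acl, "tcp", "198.51.100.7", 80, "203.0.113.55", 3389)[0]

if __name__ == "__main__":
    for name, acl in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        print(name, inbound_web(acl), inbound_smtp(acl), return_web_traffic(acl), source_port_80_to_rdp(acl))
```

Run it and the as-posted list denies both the browser's SYN and the SMTP connection, exactly the symptom in the question, while permitting replies from outside web servers (consistent with browsing from inside still working) and, more seriously, any TCP packet to any port on the whole /24 as long as the sender sets source port 80. The corrected list flips all four, which carries a caveat: once the permits match destination ports, return traffic for inside-initiated sessions needs its own permit, for example `permit tcp any xxx.xxx.xxx.xxx 0.0.0.255 established` or a stateful inspection feature, or inside browsing will stop. On the router itself the mismatch shows up as match counters climbing only on the final deny in `show access-lists 105`, with %SEC-6-IPACCESSLOGP messages for the logged drops.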

diegom
Level 1

try this:

access-list 105 permit tcp host xxx.xxx.xxx.xxx 0.0.0.255 eq www any