
access-list not working

uzmausmani
Level 1

I need to block all outgoing SMTP traffic except from the mail server. I implemented the following:

access-list 102 permit tcp host 10.x.x.x any eq smtp

access-list 102 deny tcp any any eq smtp

access-list 102 permit ip any any

I applied it to the interface all the hosts are connected to:

ip access-group 102 in

But it's still sending mail from another IP within the network to the outside world. What am I doing wrong?

4 Replies

mohammedrafiq
Level 1

Try changing the list to:

access-list 102 deny tcp any any eq smtp

access-list 102 permit tcp host 10.x.x.x any eq smtp

then run

"sh ip route list 102"

to see what is matching list 102.

Mohammed

The processing of access lists is sequential, and when any line of the access list matches, there is no more processing of the access list. Since the first line in your suggestion denies tcp any any eq smtp, there would never be a match on the second line, because host 10.x.x.x would already be denied on the first line.

And I am puzzled what you would see in show ip route when you try to filter it by that access list, since the IP routing table has no information in it about tcp 25 (smtp). Show access-list 102 would seem more logical.

HTH

Rick

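As an added illustration of the first-match point made above (this is not from the thread and not Cisco code): a small Python evaluator that walks an extended ACL top to bottom and stops at the first matching entry, with an implicit deny at the end, exactly as IOS does. It is fed the two orderings from the thread and a few constructed packets. The addresses 10.0.0.25 (standing in for the poster's 10.x.x.x mail server), 10.0.0.77 and 203.0.113.10 are assumed test values, not anything from the original post.

```python
"""First-match evaluator for Cisco-style extended ACL entries.

Added example, not from the forum thread and not Cisco code. It shows why
entry order decides the outcome: evaluation stops at the first matching
entry, and a broad deny placed above a narrow permit shadows that permit.
All addresses and packets below are constructed test data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

SMTP = 25


@dataclass(frozen=True)
class Entry:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" (matches everything) or "tcp"
    src: str                    # "any", "host A.B.C.D", or "A.B.C.D/len"
    dst: str
    dport: Optional[int] = None  # "eq <port>" on the destination, if present


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


def _addr_match(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ip_address(spec[5:]) == ip_address(addr)
    return ip_address(addr) in ip_network(spec, strict=False)


def entry_matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if e.dport is not None and e.dport != p.dport:
        return False
    return _addr_match(e.src, p.src) and _addr_match(e.dst, p.dst)


def evaluate(acl, p: Packet):
    """Return (action, index) of the first matching entry; implicit deny if none."""
    for i, e in enumerate(acl):
        if entry_matches(e, p):
            return e.action, i
    return "deny", None


MAIL_SERVER = "10.0.0.25"   # assumed stand-in for the poster's 10.x.x.x host

# Original poster's order: narrow permit, then broad deny, then permit the rest.
ACL_OP = [
    Entry("permit", "tcp", f"host {MAIL_SERVER}", "any", SMTP),
    Entry("deny",   "tcp", "any", "any", SMTP),
    Entry("permit", "ip",  "any", "any"),
]

# First reply's order: the broad deny comes first and shadows the permit.
ACL_REPLY = [
    Entry("deny",   "tcp", "any", "any", SMTP),
    Entry("permit", "tcp", f"host {MAIL_SERVER}", "any", SMTP),
    Entry("permit", "ip",  "any", "any"),
]

# Constructed sample traffic as seen inbound on the LAN-facing interface.
PACKETS = {
    "mail_server_smtp": Packet("tcp", MAIL_SERVER, "203.0.113.10", SMTP),
    "other_host_smtp":  Packet("tcp", "10.0.0.77", "203.0.113.10", SMTP),
    "other_host_https": Packet("tcp", "10.0.0.77", "203.0.113.10", 443),
}


def verdicts(acl):
    """Action each sample packet receives under the given ACL."""
    return {name: evaluate(acl, p)[0] for name, p in PACKETS.items()}


def shadowed_entries(acl):
    """Indexes of entries that no sample packet ever reaches. On a router the
    equivalent sign is a match counter in 'show access-lists' that never moves."""
    hit = {evaluate(acl, p)[1] for p in PACKETS.values()}
    return [i for i in range(len(acl)) if i not in hit]


if __name__ == "__main__":
    for label, acl in (("OP order", ACL_OP), ("reply order", ACL_REPLY)):
        print(label, verdicts(acl), "never hit:", shadowed_entries(acl))
```

With the poster's ordering the mail server's SMTP is permitted, everyone else's SMTP is denied and other traffic passes; with the deny placed first, the mail server is denied too and the permit line is never reached. On the box, the same check is `show access-lists 102` (per-entry match counts, a permanently zero counter means a shadowed or never-reached entry) and `show ip interface <name>`, which confirms that 102 really is the inbound access list on the interface the hosts sit behind.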

Sorry,

it's my mistake!

I got it working. Thanks anyway, guys...