01-20-2014 04:02 PM
Hello all,
I am learning how to write ACLs, and one of the exercises is that I have to write an ACL to restrict PING, HTTP, and FTP, and allow POP3 and SMTP between a PC and a server. Below is my ACL. The thing that does not work is the POP3/SMTP access. It continues to fail. I do not want to just add a "permit ip any any" to make it work. Can someone help? Thanks!
PC1: 192.168.6.65
PC2: 192.168.6.66
Svr1: 209.1.5.14
10 deny icmp host 192.168.6.65 host 209.1.5.14 echo
20 deny icmp host 192.168.6.65 host 209.1.5.14 echo-reply
30 deny icmp host 192.168.6.66 host 209.1.5.14 echo
40 deny icmp host 192.168.6.66 host 209.1.5.14 echo-reply
50 deny tcp host 192.168.6.65 host 209.1.5.14 eq www
60 deny tcp host 192.168.6.66 host 209.1.5.14 eq www
70 deny tcp host 192.168.6.65 host 209.1.5.14 eq ftp
80 deny tcp host 192.168.6.65 host 209.1.5.14 eq ftp-data
90 deny tcp host 192.168.6.66 host 209.1.5.14 eq ftp
100 deny tcp host 192.168.6.66 host 209.1.5.14 eq ftp-data
190 permit tcp host 192.168.6.65 host 209.1.5.14 eq smtp
200 permit tcp host 192.168.6.66 host 209.1.5.14 eq smtp
210 permit tcp host 192.168.6.65 host 209.1.5.14 eq pop3
220 permit tcp host 192.168.6.66 host 209.1.5.14 eq pop3
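To see exactly which flows the list above permits and denies, here is an added first-match evaluator for it (example code written for this thread, not something the poster or Cisco provides). It assumes standard IOS extended-ACL behaviour: entries are tested in sequence order, the first match decides, and anything unmatched falls through to the implicit "deny ip any any" at the end; the ephemeral port 49152 used for the server's reply is a constructed sample value.

```python
# Added example (not from the thread): a first-match evaluator for the ACL posted
# above. Assumes Cisco IOS extended-ACL semantics: entries are tested in sequence
# order, the first match decides, and anything unmatched hits the implicit
# "deny ip any any" at the end of the list.
ACL_TEXT = """
10 deny icmp host 192.168.6.65 host 209.1.5.14 echo
20 deny icmp host 192.168.6.65 host 209.1.5.14 echo-reply
30 deny icmp host 192.168.6.66 host 209.1.5.14 echo
40 deny icmp host 192.168.6.66 host 209.1.5.14 echo-reply
50 deny tcp host 192.168.6.65 host 209.1.5.14 eq www
60 deny tcp host 192.168.6.66 host 209.1.5.14 eq www
70 deny tcp host 192.168.6.65 host 209.1.5.14 eq ftp
80 deny tcp host 192.168.6.65 host 209.1.5.14 eq ftp-data
90 deny tcp host 192.168.6.66 host 209.1.5.14 eq ftp
100 deny tcp host 192.168.6.66 host 209.1.5.14 eq ftp-data
190 permit tcp host 192.168.6.65 host 209.1.5.14 eq smtp
200 permit tcp host 192.168.6.66 host 209.1.5.14 eq smtp
210 permit tcp host 192.168.6.65 host 209.1.5.14 eq pop3
220 permit tcp host 192.168.6.66 host 209.1.5.14 eq pop3
"""
PORTS = {"www": 80, "ftp": 21, "ftp-data": 20, "smtp": 25, "pop3": 110}
ICMP_TYPES = {"echo": 8, "echo-reply": 0}

def parse_acl(text):
    """Parse 'seq action proto host SRC host DST [eq PORT | ICMP-TYPE]' lines."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        seq, action, proto, src, dst, rest = int(t[0]), t[1], t[2], t[4], t[6], t[7:]
        qual = None  # destination port (tcp) or ICMP type; None means any
        if proto == "tcp" and rest[:1] == ["eq"]:
            qual = PORTS[rest[1]]
        elif proto == "icmp" and rest:
            qual = ICMP_TYPES[rest[0]]
        entries.append((seq, action, proto, src, dst, qual))
    return sorted(entries)

def evaluate(entries, proto, src, dst, dport=None, icmp_type=None):
    """Return (action, matching sequence number); seq None = implicit deny."""
    want = dport if proto == "tcp" else icmp_type
    for seq, action, p, s, d, qual in entries:
        if p == proto and s == src and d == dst and qual in (None, want):
            return action, seq
    return "deny", None

if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    print(evaluate(acl, "tcp", "192.168.6.65", "209.1.5.14", dport=25))     # ('permit', 190)
    # The server's reply (source port 25 -> PC ephemeral port 49152) matches no entry:
    print(evaluate(acl, "tcp", "209.1.5.14", "192.168.6.65", dport=49152))  # ('deny', None)
```

Any flow the list never names, including the server's reply packets if the list is applied on an interface and direction where those replies pass through it, lands on the implicit deny. Whether that is what happens here depends on where the list is applied, which the thread does not state.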
01-21-2014 03:16 AM
Does POP3/SMTP access work if you remove the ACL?
If you try an access to a domain name (e.g. POP.YOURDOMAIN.COM or SMTP.YOURDOMAIN.COM) you must permit DNS traffic in your ACL (port 53, UDP and TCP).
Regards.
01-21-2014 03:46 AM
What port is the SMTP server using? 25, 465 or 587? I would think an in-house server would use 25, but most Internet servers use other ports. Does it work if you use permit any any? First make it work and then add/remove entries to see where it breaks.
01-21-2014 10:50 AM
Thanks Viningele.
Yes, the port is open for 25 and it is internal. Yes, it works if I put "permit ip any any". I tried doing this line by line, but it yielded the same result. If I have to do this again line by line, then what should the order be? I tried the following:
1. Just adding the "permit" lines, but no go.
2. Just adding the "deny" lines, but no go.
3. Just adding "permit" for one PC, but no go on the other PC, and vice versa.
01-21-2014 10:47 AM
Thanks Daniele.
Yes, it works without the ACL in place.
The connection is only going via port numbers 25 and 110. No testing needed for port 53.