Hi, I am trying to configure an SR-520 router with IOS 12.4T to block port 25 traffic from all the internal IPs except three. I could do it using an ACL, as follows:

  access-list 107 permit tcp host 192.168.10.91 any eq smtp
  access-list 107 permit tcp host 192.168.10.11 any eq smtp
  access-list 107 permit tcp host 192.168.10.191 any eq smtp
  access-list 107 deny tcp any any eq smtp log
  access-list 107 permit ip any any
  interface BVI75
   ip access-group 107 in

However, this router uses ZFW and I believe that it is possible to use it for this purpose, but I don't know how. I tried to enable Layer-4 inspection using:

  ip access-list extended SMTP-ACL
   permit tcp host 192.168.10.91 any
   permit tcp host 192.168.10.11 any
   permit tcp host 192.168.10.191 any
   deny tcp any any
  class-map type inspect match-all SMTP-traffic
   match protocol smtp
   match access-group name SMTP-ACL
  policy-map type inspect sdm-inspect
   class type inspect SMTP-traffic
    inspect

where:

  zone-pair security sdm-zp-in-out source in-zone destination out-zone
   service-policy type inspect sdm-inspect
  interface BVI75
   description $FW_INSIDE$
   zone-member security in-zone
  interface FastEthernet4
   description $FW_OUTSIDE$
   zone-member security out-zone

But it doesn't work. All the internal NICs are allowed to send traffic on port 25. To test this, I use telnet on port 25 to an Internet host. Can anyone tell me what is wrong in my second configuration, and what is the correct way to block the SMTP traffic using ZFW? Thank you very much.
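A ZFW policy that does what the post asks for, added here as an example; it is not part of the original post or any reply. It keeps the poster's zone names, zone-pair and policy-map name and assumes only that the SDM-generated sdm-inspect policy contains a broad class that inspects general TCP traffic below the classes shown here (which is how SDM builds it, but that part of the policy is not shown in the post). The class-map and ACL names SMTP-ALLOWED-HOSTS, SMTP-ALLOWED and SMTP-OTHER are chosen for this example. The key point is that an ACL referenced by `match access-group` only decides class membership: its `deny tcp any any` entry means "this packet is not in class SMTP-traffic", so SMTP from the other hosts simply falls through to the next class and gets inspected, i.e. permitted. A deny inside a class-map ACL never drops anything; the drop has to be an explicit action on a class that the unwanted traffic does match.

```cisco
! Added example, not the original poster's config.
!
! 1. The exception list. Only the source hosts matter here; the protocol
!    is matched separately in the class-map, so no ports are needed.
ip access-list extended SMTP-ALLOWED-HOSTS
 permit ip host 192.168.10.91 any
 permit ip host 192.168.10.11 any
 permit ip host 192.168.10.191 any

! 2. SMTP from an allowed host. match-all: both conditions must hold.
class-map type inspect match-all SMTP-ALLOWED
 match protocol smtp
 match access-group name SMTP-ALLOWED-HOSTS

! 3. SMTP from anyone at all. Because SMTP-ALLOWED is evaluated first
!    (step 4), only the non-exempt hosts ever reach this class.
class-map type inspect match-all SMTP-OTHER
 match protocol smtp

! 4. Class order inside the policy-map is the decision logic: first match
!    wins. Allow must come before drop, and both must come before the
!    generic inspect class that SDM already put in sdm-inspect. IOS appends
!    new classes at the end of an existing policy-map, so to get this order
!    remove the generic class and re-enter it after these two.
policy-map type inspect sdm-inspect
 class type inspect SMTP-ALLOWED
  inspect
 class type inspect SMTP-OTHER
  drop log
 ! ... the existing generic inspect class(es) of sdm-inspect go here ...
 class class-default
  drop

! 5. Zone-pair and zone membership are unchanged from the post.
zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect
```

To check it, repeat the telnet-to-port-25 test from a host that is not in the list: the connection should now hang and time out instead of getting a banner, and `drop log` produces a %FW-6-DROP_PKT syslog message for the session. `show policy-map type inspect zone-pair sdm-zp-in-out` shows per-class packet counters, which is the quickest way to confirm the traffic is hitting SMTP-OTHER rather than the generic class further down. Note that `match protocol smtp` matches TCP port 25 only; submission on 587 or SMTPS on 465 would need their own match lines if the goal is to stop all outbound mail, not just port 25. The interface ACL from the first half of the post also remains a valid approach and can be combined with ZFW, since interface ACLs are evaluated before the zone policy.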