Edit Cisco ACL via Telnet?

By cypher.msix ·
Having never done this before, I'm at a bit of a loss. I can login via telnet to our Cisco router (1721), enable it.. and look around at the access lists, but I can't seem to figure out how to do what I need to do.

I need to basically block all traffic on port 25 (smtp) unless it comes from our exchange server (lets say it's I don't know any cisco commands really.. and sort of understand the different modes (sort of), but beyond that I don't know how to simply add in a few lines. What I have to do is this:

"First you need to create an access list describing the traffic (x.x.x.x is the ip address of the mail server)

access-list acl_out permit tcp host x.x.x.x any eq 25
access-list acl_out deny tcp any any eq 25
access-list acl_out permit ip any any

Then you need to apply that access-list to the inside interface(because it is being checked on the inside before it goes out)

access-group acl_out in interface inside"

How do I do that??

This conversation is currently closed to new comments.

Thread display: Collapse - | Expand +

All Answers

Collapse -

Interface configuration mode

by Nimmo In reply to Edit Cisco ACL via Telnet ...

To apply the access list to an interface you need to move into interface configuration mode for the specific interface you wish to apply the access list too.

Here is a good quick run down on ACL's**86a00800a5b9a.shtml

Collapse -

Which Interface for Outbound Traffic?

by cypher.msix In reply to Interface configuration m ...

Hey there. thanks for the reply. so I've created an access list # 102 and I'm not sure what interface to apply it to.

we have a single t1 that comes in and there's two ethernet ports hook up in the back of the router.

i did a 'show interface' or something like that and it lists an ethernet0 interface, fastethernet0 interface and a serial0 interface(which is down).

what im trying to do is block outgoing traffic on tcp port 25 unless it's from the mail server.. so what interface do i apply this to?

i was informed to use the command:

access-group 102 in interface inside

(but it doesn't work)because we want to stop the outbound traffic on the inside but i don't know how that translates to the router and it's interfaces. i've found i can do a:

config terminal
interface e0 (or f0, or s0)
ip access-group 102 out

and something happens, but how to i see the changes i've made? which interface do i apply this to?

i should clarify that the f0 interface has our internal ip address and the e0 interface has the external ip address...

Collapse -

Just to clarify

by Nimmo In reply to Which Interface for Outbo ...

So you have a T1 comming in on S0?, when you type show int s0 does it say "line down/line protocol down"? if so hop into interface configuration mode for s0 and type "no shut" to enable the interface.

A general rule about access lists is when you use a extended access list (100-199 or 2000 2699) you should place it as close to the Source as possible and when using a standard access list (1 - 99 or 1300 - 1999) place it as close to the destination as possible.

For example:

access-list 102 permit tcp host <mail server> any eq 25
access-list 102 deny tcp <network address> <wildcard> any eq 25
access-list 102 permit ip any any
(implicit deny statement)

The ip access-group 102 out statement will go on the interface closest to the source of the traffic.

Collapse -

Not sure

by cypher.msix In reply to Just to clarify

The T1 comes into either the ethernet0 or fastethernet0 .. direct or not i'm not sure .. but there are only two ethernet cables hooked up to the router.

when i do a 'show ip int' (where it lists the interfaces) it pops up with the ethernet0, fastethernet0, and serial0 interfaces. e0 and f0 are up, s0 is down, but i don't think we use the serial interface.

the access-list is just as you showed, and is created as extended access-list 102. just not sure where to bind it to as i don't quite understand how traffic flows from our network through the router as of yet.

what i do know is that e0 has an ip address of 64.x.x.x (which is the external ip assigned by the isp) and f0 has an internal ip address of 192.x.x.x (which is what we assigned). so knowing that, which is the "closest" to the inside?

do i want to bind group 102 to f0 out?

config t
int f0
ip access-group 102 out


another question.. this is the access-list that i have ready to go:

Extended IP access list 102
permit tcp host any eq smtp
deny tcp any any eq smtp
permit ip any any

this says to me:

1) allow tcp traffic from <mailserver> on port 25

2) deny all tcp traffic on port 25

3) allow any tcp traffic over any other port

is that accurate? so basically no other machine on the network will be able to pass any packets on port 25 going out to the internet, but will be able to receive data coming from the internet into the network on port 25?

thanks for the help so far. my first time dealing with routers in this much detail. :)

Collapse -


by Nimmo In reply to Not sure

What you want to do is to put the 102 access list on the outbound of e0 because that is your interface to the internet and you want to filter the traffic leaving your network heading to the internet.

yes access list 102 is saying.

1) Allow only your mail server to send smtp traffic out to the internet.
2) Deny any smtp traffic origionating from any other internal host to be sent out to the internet.
3) Allow all other traffic (ip traffic) to be sent to the internet.

Access lists flow top down so if you said deny tcp any any eq smtp no one will be able to send smtp traffic that is why you put the allow smtp for you mail server first.

As for internet traffic comming into the network, you dont have any access lists on the inbound of e0 so any traffic will be forwarded from the internet through the network.

Here is an article with should clarify ACL's better.**86a00800a5b9a.shtml

Take a look here aswell

Collapse -

no outbound e-mails can be sent

by cypher.msix In reply to ACL's

First, just wanted to say thanks for all your help Nimmo. Hoping you'll be able to shed some light on this for me.

I have access-list 102 setup as follows:

RouterSR>show access-lists 102
Extended IP access list 102
permit tcp host any eq smtp
deny tcp any any eq smtp (1059 matches)
permit ip any any (58988 matches)

I have that bound as follows:

RouterSR>show ip int e0
Ethernet0 is up, line protocol is up
Internet address is 64.xx.xx.xx/29
Broadcast address is
Address determined by non-volatile memory
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is 102
Inbound access list is not set
Proxy ARP is enabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is disabled
IP Flow switching is enabled
IP CEF switching is disabled
IP Flow switching turbo vector
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast, Flow
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Probe proxy name replies are disabled
Policy routing is disabled
Network address translation is enabled, interface in domain outside
WCCP Redirect outbound is disabled
WCCP Redirect inbound is disabled
WCCP Redirect exclude is disabled
BGP Policy Mapping is disabled

Having our router configured in this way does not allow us to send e-mail out to an external mail address.

I've even tried sending mail from the mailserver itself, and it's being blocked as well. Something isn't right here ... should that private ip address be the fqdm of the server? Should that matter? What am I missing?

Collapse -

Are you sure your mail serber is using port 25 for SMTP?

by Dumphrey In reply to no outbound e-mails can b ...

Because thats what you are blocking, not SMTP traffic, the SMTP is a "short cut" and a mnemonic.
permit tcp host any eq smtp
permit tcp host any eq 25
are identical. No idea why your mail server would not be on 25, but there it is...
Also, E0 is your wan interface? With your internet connection wired to it?

Collapse -

Order of Operations

by NetMan1958 In reply to no outbound e-mails can b ...

The order of operations for Cisco IOS is as follows:

(1)If IPSec then check input access list
(2)decryption - for CET (Cisco Encryption Technology) or IPSec
(3)check input access list
(4)check input rate limits
(5)input accounting
(6)policy routing
(8)redirect to web cache
(9)NAT inside to outside (local to global translation)
(10)crypto (check map and mark for encryption)
(11)check output access list
(12)inspect (Context-based Access Control (CBAC))
(13)TCP intercept

As you can see, NAT occurs before applying the outbound access-list. So by the time the traffic reaches the access-list, the IP address has been translated from to a public IP and does not match the access-list.

Normally, you would have any public servers "static NAT'ed" to one of the public IP's. I would need to see more of the configuration to determine if you have that set-up or not.

Collapse -

re: NetMan

by cypher.msix In reply to Edit Cisco ACL via Telnet ...

Interesting post, and I was curious if something like that was going on.

Our Exchange Server is private and as far as I know, doesn't have a static ip address from our ISP.. we just have the one reserved for our router. Since this is the case, how am I going to allow traffic from our mail server?

I could be wrong, as I'm picking up this job from someone who is already far and gone and trying to piece together this puzzle that is our network on my own. :)

Collapse -

A Question

by NetMan1958 In reply to re: NetMan

Do you just need to be able to send email from this server or will it need to receive email too.

Related Discussions

Related Forums