Edit Cisco ACL via Telnet?

By cypher.msix ·
Having never done this before, I'm at a bit of a loss. I can log in via Telnet to our Cisco router (1721), enable, and look around at the access lists, but I can't seem to figure out how to do what I need to do.

I need to basically block all traffic on port 25 (SMTP) unless it comes from our Exchange server (let's say it's I don't know any Cisco commands really, and sort of understand the different modes (sort of), but beyond that I don't know how to simply add in a few lines. What I have to do is this:

"First you need to create an access list describing the traffic (x.x.x.x is the ip address of the mail server)

access-list acl_out permit tcp host x.x.x.x any eq 25
access-list acl_out deny tcp any any eq 25
access-list acl_out permit ip any any

Then you need to apply that access-list to the inside interface(because it is being checked on the inside before it goes out)

access-group acl_out in interface inside"

How do I do that??

by bhymen In reply to That seemed to do the tri ...

The trick to the application of access-lists is to view the traffic from the router's perspective. Traffic originating on your local network (LAN) and destined for another subnet (such as the internet) first has to enter the router on its LAN interface (in your case FastEthernet0). In other words, it has to come IN on FastEthernet0. Then it has to go OUT on a different interface (in your case Ethernet0).
When the remote computer answers your traffic, it first has to come IN on Ethernet0 and then OUT of FastEthernet0 to reach the computer on the LAN that originated the conversation.

In between coming in one interface and out another, the packets are processed by the router based on its configuration, and that's where the order of operations I posted earlier comes into play. When you had access-list 102 applied to Ethernet0 outbound, the outbound packets had already come IN on FastEthernet0 and been processed. One of those processes was NAT, which happened before the access-list was consulted. NAT translated the IP address from to 64.00.00.XX. Next it got compared to access-list 102 from top to bottom. So:
(1) access-list 102 permit tcp host any eq smtp - no match, because its IP address has already been translated to 64.00.00.XX
(2) access-list 102 deny tcp any any eq smtp - matches, since any includes 64.00.00.XX.
And it drops the packet.

Your interface Serial0 is configured for a T1; however, I believe you said nothing was connected to that port. So my bet is that your T1 terminates at an IAD (integrated access device) such as an AdTran, which then connects to your router via Ethernet on router interface FastEthernet0. Possibly you can trace the cable from your router's FastEthernet0 and find out where it goes.

I see some additional things you might want to do regarding the router config. If you want to communicate outside the forum, let me know and we will talk offline.


Edit: After I submitted this, I realized my co-worker (bhymen) was logged on and it submitted under his name. Sorry about that. Netman
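The point made above, as an added example that is not part of any post in this thread: the ACL is applied inbound on the LAN interface, where the router evaluates it before NAT rewrites the source address, so a host entry written with the server's private address still matches. The snippet quoted in the first post (access-group acl_out in interface inside) is PIX firewall syntax; on an IOS router such as the 1721 the equivalent is ip access-group under the interface, as shown here. The mail server address 192.168.1.10, the public placeholder 64.0.0.X and the ACL name SMTP-ONLY-FROM-MAILSERVER are assumptions, not values from the thread.

```cisco
! Added example, not the original poster's configuration.
! Named extended ACL applied INBOUND on the LAN interface (FastEthernet0).
! Inbound ACLs on the inside interface are checked before inside-to-outside
! NAT, so the private source address of the mail server still matches.
! 192.168.1.10 is an assumed address for the Exchange server.
ip access-list extended SMTP-ONLY-FROM-MAILSERVER
 remark allow outbound SMTP only from the mail server (assumed 192.168.1.10)
 permit tcp host 192.168.1.10 any eq smtp
 remark log and drop SMTP from every other LAN host
 deny   tcp any any eq smtp log
 remark everything else passes; without this line the implicit deny at the
 remark end of the list would drop ALL other LAN traffic, including your Telnet session
 permit ip any any
!
interface FastEthernet0
 description LAN (inside)
 ip access-group SMTP-ONLY-FROM-MAILSERVER in
!
! What failed in the thread: the same list applied OUTBOUND on the outside
! interface (Ethernet0) is evaluated after NAT, so the source is already the
! public address and "host 192.168.1.10" never matches. If the list must live
! on "ip access-group ... out" under Ethernet0, the permit has to name the
! translated address instead (64.0.0.X is a placeholder for the public IP):
!   permit tcp host 64.0.0.X any eq smtp
```

Enter the lines from the Telnet session with configure terminal, finish with end, and save with write memory. Check the result with show ip interface FastEthernet0 (it reports the inbound access list by name) and show ip access-lists SMTP-ONLY-FROM-MAILSERVER, whose per-entry match counters show whether the permit for the mail server or the deny is being hit; with the log keyword on the deny entry, blocked SMTP attempts also appear in the router's syslog output.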

by cypher.msix In reply to Explanation


Thanks for helping me understand how all of that works. After drawing out a visual diagram of your description, I am finally able to understand the interfaces and how the router interprets where data is coming in and going out. Makes a whole lot more sense now! :-)

What sort of additional changes would you suggest making? I'm all for cleaning up and optimizing as much as possible. I'll send you a private message with my e-mail address.

*edit* It seems that I can't send you a private message, so maybe you can p.m. me and we can talk offline about the router. Thanks *edit*

Private Message

by NetMan1958 In reply to Realization

That's weird, I just checked my profile and it's set to allow other members to contact me. I am also unable to PM you. Is your profile set to allow member contact? Maybe both have to be enabled. Check your profile and let me know.

Private Messages

by cypher.msix In reply to Private Message

Mine was set to disallow, but that has been changed. I still can't send a private message to you for some reason. If you still can't private message me, I can post a junk e-mail account that you can e-mail to, and we'll continue with our regular accounts from there.

RE: That seemed to do the trick

by NetMan1958 In reply to That seemed to do the tri ...

See reply above posted under bhymen. I didn't realize he was logged on at my computer when I posted my reply. I'm sending him back to Huntsville!

Very Strange

by NetMan1958 In reply to Edit Cisco ACL via Telnet ...

That's very strange, I still can't send you a PM, you still can't send me a PM, but I can send another member a PM. Don't know what's going on with that. Anyway, here's an email that I never use:
netman1958 at

send an email to that address with your real email address and I will contact you from my real email address and we will take it from there.


