
Need help with access list 1


TT2 (IS-IT--Management, US), Oct 11, 2003
Gang, I'm hoping someone can help me here with this access-list; it's been extremely frustrating. I have 2 interfaces, inside and out, and everything works great except I need the host 192.168.1.10 to be able to send out mail. I thought having a permit smtp would work, but it doesn't. It can't find the mail server. Also, as you can see, I have a tunnel, which I wouldn't think is an issue, but I'm open to all suggestions. Could it be that I need to explicitly put the mail server's IP in the access list? Thanks a million for all replies. I've attached some info for review.

crypto map vpn 10 ipsec-isakmp
set peer xxx.x.x.13
set transform-set auth3
match address 105
!

voice call carrier capacity active

!
mta receive maximum-recipients 0

!
interface Loopback0
description ****Inside Interface****
ip address 10.1.1.1 255.255.255.252
!
interface FastEthernet0/0
description ****Outside Interface****
ip address xx.xxx.xx.183 255.255.255.0
ip access-group 108 in
ip accounting output-packets
ip accounting access-violations
ip nat outside
no ip mroute-cache
duplex auto
speed 10
no cdp enable
crypto map xxxxxxxx

interface Ethernet1/0
ip address 192.168.1.1 255.255.255.0
ip access-group 106 in
ip accounting output-packets
ip accounting access-violations
ip nat inside
no ip mroute-cache
half-duplex
no cdp enable
!
ip nat inside source static tcp 192.168.1.10 80ee xx.xxx.xx.188 80ee extendable
ip nat inside source static tcp 192.168.1.10 100vv xx.xxx.xx.188 100vv extendable
ip classless
ip route 0.0.0.0 0.0.0.0 xx.xxx.xx.177
ip route xxx.xxx.z.z 255.255.0.0 xxx.x.x.13
ip route xxx.xxx.xxx.239 255.255.255.255 xxx.x.x.13
ip route xxx.17.0.0 255.255.0.0 xxx.x.x.13
ip route xxx.x.x.13 255.255.255.255 xx.xxx.xx.177
no ip http server
!
!
access-list 101 permit tcp any host xx.xxx.xx.183
access-list 106 permit udp host 192.168.1.10 any eq snmp
access-list 106 permit icmp host 192.168.1.10 any
access-list 106 permit tcp host 192.168.1.10 any eq www
access-list 106 permit tcp host 192.168.1.10 any eq 443
access-list 106 permit tcp host 192.168.1.10 any eq smtp
access-list 106 permit tcp host 192.168.1.10 any eq ftp
access-list 106 permit tcp host 192.168.1.10 eq 1010 host xx.xxx.xxx.93
access-list 106 permit tcp host 192.168.1.10 eq 10000 host xx.xxx.xxx.93
access-list 106 permit tcp host 192.168.1.10 eq 8080 xxx.xxx.z.z 0.0.255.255
access-list 106 permit tcp host 192.168.1.10 eq 10000 xxx.xxx.z.z 0.0.255.255
access-list 106 permit tcp host 192.168.1.10 eq 8080 host xx.xxx.xxx.93

access-list 108 permit tcp host 192.168.1.10 any eq smtp
access-list 108 permit esp host xxx.x.x.13 host xx.xxx.xx.183
access-list 108 permit udp host xxx.x.x.13 host xx.xxx.xx.183 eq isakmp
access-list 108 permit icmp host 192.168.1.1 host 192.168.1.10
access-list 108 permit icmp host xxx.xxx.xx.251 host 192.168.1.10
access-list 108 permit udp xxx.xxx.z.0 0.0.255.255 eq snmp host 192.168.1.10
access-list 108 permit icmp xxx.xxx.z.z 0.0.255.255 host 192.168.1.10
access-list 108 permit tcp host xx.xxx.xx.209 host xx.xxx.xx.183 eq telnet
access-list 108 permit tcp xxx.xxx.z.z 0.0.255.255 host 192.168.1.10 eq ee
access-list 108 permit tcp xxx.xxx.z.z 0.0.255.255 host 192.168.1.10 eq 100vv
access-list 108 permit tcp host xx.xxx.xxx.93 host xx.xxx.xx.183 eq telnet
access-list 108 permit tcp host xx.xxx.xxx.93 host 192.168.1.10 eq 80ee
access-list 108 permit tcp host xx.xxx.xxx.93 host xx.xxx.xx.188 eq 80ee
access-list 108 permit tcp host xx.xxx.xxx.93 host xx.xxx.xx.188 eq 100vv
access-list 108 permit tcp host xx.xxx.xxx.93 host xx.xxx.x.188 eq telnet
no cdp run
 
I see from your configuration that you have explicitly stated as follows:-

interface FastEthernet0/0
ip access-group 108 in

Interface FastEthernet1/0
ip access-group 106 in

Both of these access groups are stipulating inbound traffic, yet your question regards outbound traffic?


Remain positive. The effect on those around you will amaze.
 
Your user is allowed to pass SMTP traffic in from the internal interface:

access-list 106 permit tcp host 192.168.1.10 any eq smtp
!
interface Ethernet1/0
ip access-group 106 in

which is okay in itself. However, you also have an inbound access list on the external interface.

access-list 108 permit tcp host 192.168.1.10 any eq smtp

This isn't required because this access list will allow traffic from the internet INTO your router, and I'm pretty sure that there will be no traffic from 192.168.1.10 coming from the internet.

You have specifically allowed a number of ports into your network, but you are not allowing return traffic from outbound connections. So, when your user connects to a remote SMTP server (which your ACLs allow), the server can't talk back because access list 108 blocks the replies. On the tail end of any IOS-based ACL there is a default any-any block rule.

Chris.

**********************
Chris A.C, CCNA, CCSA
**********************
 
I should have added: the best approach for an inbound access list is to allow specific inbound connections to servers, etc., then block any unwanted ports, and then finish off with a 'permit ip any any' to let in all return traffic that has not been specifically denied.

Remember that a router is not like a stateful firewall, which keeps a connection table and so is able to open up connections for inbound reply traffic.

Chris.

**********************
Chris A.C, CCNA, CCSA
**********************
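The two replies above describe a stateless access list dropping the SYN/ACK that comes back from the remote mail server. The Python below is an added example (it is not from the thread and not a Cisco tool) that models IOS first-match evaluation with the implicit deny, parses ACL lines in the same syntax as the posted config, and traces one outbound SMTP connection through a constructed ACL 106 and ACL 108. The addresses (198.51.100.183 for the router's outside interface, 203.0.113.25 for the remote mail server, 192.0.2.13 for the VPN peer) are stand-ins for the obfuscated ones on the page, and the example assumes outbound connections from 192.168.1.10 are NATed to the outside address, which the posted fragment (only two static port translations) does not show. Two practitioner points it builds in: IOS checks an interface's inbound ACL before NAT rewrites the destination, so a return-traffic rule on the outside interface has to name the router's global address rather than 192.168.1.10; and the IOS 'established' keyword (match only TCP packets with ACK or RST set) admits replies without the blanket 'permit ip any any' suggested above, so a fresh inbound SYN still falls through to the implicit deny.

```python
"""Stateless first-match evaluation of Cisco IOS extended ACLs (added example).
Shows why the reply to a permitted outbound SMTP connection dies on the implicit
deny of the outside interface's inbound ACL, and how 'established' admits replies
without opening the port to new inbound connections. Addresses are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# IOS port keywords that appear in the thread's ACLs.
PORT_NAMES = {"smtp": 25, "www": 80, "ftp": 21, "telnet": 23, "snmp": 161, "isakmp": 500}


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def _addr(tokens):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' -> ((net, wildcard), rest)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (_ip(tokens[1]), 0), tokens[2:]
    return (_ip(tokens[0]), _ip(tokens[1])), tokens[2:]


def _eq_port(tokens):
    """Consume an optional 'eq PORT' qualifier (name or number)."""
    if tokens and tokens[0] == "eq":
        p = tokens[1]
        return (PORT_NAMES[p] if p in PORT_NAMES else int(p)), tokens[2:]
    return None, tokens


@dataclass
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "ip", "tcp", "udp", "icmp", "esp"
    src: tuple             # (network, wildcard) as ints; wildcard bit 1 = don't care
    sport: Optional[int]
    dst: tuple
    dport: Optional[int]
    established: bool      # IOS 'established': match only if ACK or RST is set


def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC [eq P] DST [eq P] [established]'."""
    t = line.split()
    src, rest = _addr(t[4:])
    sport, rest = _eq_port(rest)
    dst, rest = _addr(rest)
    dport, rest = _eq_port(rest)
    return Ace(t[2], t[3], src, sport, dst, dport, "established" in rest)


def parse_acl(text):
    return [parse_ace(l) for l in text.splitlines() if l.strip()]


def _match(spec, addr):
    net, wild = spec
    return ((_ip(addr) ^ net) & ~wild & 0xFFFFFFFF) == 0


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    flags: frozenset = frozenset()   # TCP flags, e.g. {"SYN"} or {"SYN", "ACK"}


def evaluate(acl, pkt):
    """IOS semantics: first matching entry wins; no match means the implicit deny."""
    for a in acl:
        if a.proto not in ("ip", pkt.proto):
            continue
        if not (_match(a.src, pkt.src) and _match(a.dst, pkt.dst)):
            continue
        if (a.sport is not None and a.sport != pkt.sport) or \
           (a.dport is not None and a.dport != pkt.dport):
            continue
        if a.established and not (pkt.flags & {"ACK", "RST"}):
            continue
        return a.action
    return "deny"


OUTSIDE = "198.51.100.183"    # router outside address (stand-in for xx.xxx.xx.183)
MAIL_SERVER = "203.0.113.25"  # remote SMTP server the inside host talks to (constructed)

ACL_106 = parse_acl("access-list 106 permit tcp host 192.168.1.10 any eq smtp")
ACL_108_AS_POSTED = parse_acl(f"""
access-list 108 permit tcp host 192.168.1.10 any eq smtp
access-list 108 permit esp host 192.0.2.13 host {OUTSIDE}
access-list 108 permit udp host 192.0.2.13 host {OUTSIDE} eq isakmp
""")
# Inbound ACLs are checked before NAT rewrites the destination, so the reply rule
# names the router's global address; 'established' admits replies but not new SYNs.
ACL_108_FIXED = ACL_108_AS_POSTED + parse_acl(
    f"access-list 108 permit tcp any host {OUTSIDE} established")


def smtp_session_verdicts():
    """Trace one outbound SMTP connection: SYN out via ACL 106, SYN/ACK back via ACL 108."""
    syn = Packet("tcp", "192.168.1.10", MAIL_SERVER, 40000, 25, frozenset({"SYN"}))
    syn_ack = Packet("tcp", MAIL_SERVER, OUTSIDE, 25, 40000, frozenset({"SYN", "ACK"}))
    new_inbound = Packet("tcp", MAIL_SERVER, OUTSIDE, 50000, 25, frozenset({"SYN"}))
    return {
        "outbound_syn_acl106": evaluate(ACL_106, syn),
        "reply_acl108_as_posted": evaluate(ACL_108_AS_POSTED, syn_ack),
        "reply_acl108_fixed": evaluate(ACL_108_FIXED, syn_ack),
        "unsolicited_syn_acl108_fixed": evaluate(ACL_108_FIXED, new_inbound),
    }
```

Calling smtp_session_verdicts() returns permit for the outbound SYN, deny for the SYN/ACK against ACL 108 as posted (it falls off the end to the implicit deny), permit for the same SYN/ACK once the 'established' entry is appended, and deny for a fresh inbound SYN to port 25 even with that entry in place. The model is deliberately stateless, like the router: nothing remembers that the SYN went out, so every reply has to match an entry on its own.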
 
Guys, thanks for the replies, and Chieftan99, you're right. I need to be able to connect and send SNMP traffic out to the net (to a mail server). Do I need additional statements? If you wouldn't mind sharing a few points, I would appreciate it. Thanks everyone for the replies.

TT
 