Re: can't open port 25, is there anything obvious in this acl?
- From: "Brian V" <die_spammer@xxxxxxxxxx>
- Date: Fri, 21 Nov 2008 07:42:58 -0500
"steve9" <steve9@xxxxxxxxx> wrote in message news:1e067088-446c-48cf-8f99-d306147097fe@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hi, trying to open up port 25 to a single IP. Am able to do this to
port 22, why 25 doesn't open up is a mystery. The port is listening
and can connect to it from internal. The data center does not block
smtp as a rule. I cannot get lines 358 and/or 359 to work. 357,
however, does. This is the only access-list (101). How can I tell
which rule is blocking/denying me...when I attempt to telnet to port
25 it fails, but I don't see any hit counters for the listed rules.
The only deny statements are lines 10 and 20. Ping works to the
10.100.5.142 host.
thx:
10 deny ip any 10.200.0.0 0.0.255.255
20 deny ip 10.100.5.128 0.0.0.63 any
30 permit tcp any 10.100.5.128 0.0.0.63 established
40 permit tcp any host 10.100.5.137 eq 443
50 permit tcp any host 10.100.5.137 eq www
60 permit tcp any host 10.100.5.138 eq 443
70 permit tcp any host 10.100.5.138 eq www
80 permit tcp any host 10.100.5.139 eq 443
90 permit tcp any host 10.100.5.139 eq www
100 permit tcp any host 10.100.5.136 eq 443
110 permit tcp any host 10.100.5.136 eq www
120 permit tcp any host 10.100.5.135 eq 443
130 permit tcp any host 10.100.5.135 eq www
140 permit icmp any host 10.100.5.142 echo
150 permit icmp any host 10.100.5.142 echo-reply
160 permit tcp any host 10.100.5.142 eq domain
170 permit udp any host 10.100.5.142 eq domain
180 permit tcp any eq domain host 10.100.5.142 gt 1023
190 permit udp any eq domain host 10.100.5.142 gt 1023
200 permit tcp any host 10.100.5.151 eq domain
210 permit udp any host 10.100.5.151 eq domain
220 permit tcp any eq domain host 10.100.5.151 gt 1023
230 permit udp any eq domain host 10.100.5.151 gt 1023
240 permit ip 208.65.183.56 0.0.0.7 any
250 permit tcp host 208.65.183.52 any eq 22
260 permit tcp host 71.202.150.91 any eq 22
270 permit udp any any eq ntp
...
357 permit tcp host 75.36.191.183 any eq 22
358 permit tcp host 75.36.191.183 host 10.100.5.142 eq smtp
359 permit tcp host 75.36.191.183 host 10.100.5.151 eq smtp
...
420 permit ip 66.166.200.64 0.0.0.15 any
430 permit tcp any host 10.100.5.140 eq 443
440 permit tcp any host 10.100.5.140 eq www
450 permit ip host 64.147.167.152 host 10.100.5.133
460 permit tcp 64.147.161.0 0.0.0.255 host 10.100.5.133 eq 22
470 permit ip host 64.147.167.152 host 10.100.5.134
480 permit tcp 64.147.161.0 0.0.0.255 host 10.100.5.134 eq 22
Are there any denies in the ACLs you omitted? I.e. lines 280-356. Did you build the applicable NAT statement as well?
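
Added example, not part of the original posts: a first-match evaluator over an excerpt of the entries quoted above, which answers "which entry does this packet hit" offline. The function names and the 198.51.100.7 test address are assumptions, and neither the omitted entries (280-356) nor NAT are modelled, so a result holds only for the lines shown.

```python
import ipaddress

PORTS = {"www": 80, "domain": 53, "smtp": 25}  # IOS port names used in the post
# Excerpt of the entries posted above (sequence numbers as posted).
ACL = """\
20 deny ip 10.100.5.128 0.0.0.63 any
30 permit tcp any 10.100.5.128 0.0.0.63 established
180 permit tcp any eq domain host 10.100.5.142 gt 1023
357 permit tcp host 75.36.191.183 any eq 22
358 permit tcp host 75.36.191.183 host 10.100.5.142 eq smtp
"""

def ip(a):
    return int(ipaddress.IPv4Address(a))

def take_addr(t):
    # 'any' | 'host A' | 'A WILDCARD' -> (base, wildcard); wildcard 1-bits are "don't care"
    kind = t.pop(0)
    if kind == "any":
        return (0, 0xFFFFFFFF)
    return (ip(t.pop(0)), 0) if kind == "host" else (ip(kind), ip(t.pop(0)))

def take_port(t):
    # optional 'eq P' | 'gt P' -> (op, port); None when the entry has no port test
    if not t or t[0] not in ("eq", "gt"):
        return None
    op, name = t.pop(0), t.pop(0)
    return (op, PORTS.get(name) or int(name))

def parse_line(line):
    t = line.split()
    seq, action, proto = int(t.pop(0)), t.pop(0), t.pop(0)
    src, sport, dst, dport = take_addr(t), take_port(t), take_addr(t), take_port(t)
    return (seq, action, proto, src, sport, dst, dport, "established" in t)

RULES = sorted(parse_line(ln) for ln in ACL.splitlines())  # evaluated in sequence order

def addr_ok(a, spec):
    return (ip(a) | spec[1]) == (spec[0] | spec[1])
def port_ok(p, spec):
    return spec is None or (p == spec[1] if spec[0] == "eq" else p > spec[1])

def first_match(proto, src, sport, dst, dport, established=False):
    """Return (seq, action) of the first matching entry; established = ACK or RST set."""
    for seq, action, rproto, rsrc, rsp, rdst, rdp, est in RULES:
        if (rproto in ("ip", proto) and addr_ok(src, rsrc) and addr_ok(dst, rdst)
                and port_ok(sport, rsp) and port_ok(dport, rdp) and (established or not est)):
            return seq, action
    return None, "deny"  # nothing matched: implicit deny at the end of the list
```

For the new connection the poster describes, `first_match("tcp", "75.36.191.183", 40000, "10.100.5.142", 25)` returns `(358, "permit")` over these lines, which is why the omitted entries are the next place to look.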