outbound access-list help

[tamray]

I have a remote school with a big spam type virus problem going, and they do not have anyone on-site that can deal with the issue. I have access to their router, and need to provide a temporary fix by adding an outbound access-list that only allows outbound smtp (only to their off-site mail server), www, ftp, and 3389 .

Info:
Their mail server is off-site
The router is a 3640
Outside interface is F0/1
Need to be sure the acl does not accidentally block my telnet sessions to F0/0

 

[vedatshabani]

In the access-group of F0/1 like:
ip access-group F0/1-IN in
you should add these lines:

permit tcp any host (outside ip address) eq smtp
permit tcp any host (outside ip address) eq www
permit tcp any host (outside ip address) eq ftp
permit tcp any host (outside ip address) eq 3389
deny ip any any log

 

[burtsbees]

I think tamray wants outbound to fit these acl's, not inbound...what is the inbound interface facing the inside network? This is the interface to which you apply the acl's in the outbound direction.

Burt

 

[tamray]

F0/0 has a public IP and faces their LAN. F0/1 faces our WAN.

 

[burtsbees]

Then put the acl's outbound on fa0/0.

Burt