You are connected to R1 via the console. An extended ACL named BLOCK_SMTP has been applied inbound on interface GigabitEthernet0/1, but users on the 192.168.10.0/24 network cannot send email to the SMTP server at 203.0.113.10. Additionally, the ACL is blocking all other traffic that should be permitted. Examine the running configuration and fix the ACL so that SMTP traffic (TCP port 25) from the 192.168.10.0/24 network to the SMTP server is permitted, and all other IP traffic is allowed.
Hints
- The ACL is applied inbound on G0/1, so the source is the internal network.
- The current ACL denies all SMTP traffic; you need to permit SMTP from the specific source network to the SMTP server before the deny.
- Remember to remove the old ACL and create a new one with the correct order of entries.
! R1
configure terminal
no ip access-list extended BLOCK_SMTP
ip access-list extended BLOCK_SMTP
 permit tcp 192.168.10.0 0.0.0.255 host 203.0.113.10 eq 25
 deny tcp any any eq 25
 permit ip any any
end
Why this answer
The correct answer is A. It permits SMTP from 192.168.10.0/24 to the SMTP server, then denies all other SMTP traffic, and finally permits all other IP traffic. Option B is wrong because it places a general permit for any SMTP before the specific deny, meaning all SMTP is permitted regardless of source/destination.
Option C is wrong because it denies all SMTP first, so the subsequent specific permit for the user network is never reached. Option D is wrong because the order permits the specific SMTP, then permits all IP traffic (including other SMTP), then denies SMTP—the permit ip any any before the deny makes the deny unreachable for all traffic, allowing all SMTP.
Exam trap
Remember that ACLs are processed sequentially; the first match wins. A common mistake is to place a general permit or deny before a specific statement, causing the specific statement to never be evaluated. Always order ACL entries from most specific to most general.
Why the other options are wrong
The order of ACL entries is crucial; the first match is applied. Here, the permit any any matches all SMTP before the deny can block the specific traffic.
The deny any any matches all SMTP, so the subsequent permit for the specific source/destination is never reached.
The permit ip any any matches all traffic, so the subsequent deny for SMTP is never applied.
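The first-match behaviour described above can be checked offline with a small evaluator. This is an added example, not part of the original lab: it parses a simplified ACE grammar (action, protocol, source, destination, optional `eq` port) and assumes contiguous wildcard masks. The two misordered lists are constructed from the explanations above, and 198.51.100.7 is a constructed address for "some other server".

```python
import ipaddress

def parse_ace(line):
    """Parse 'action proto src dst [eq port]' into matchable fields."""
    tok = line.split()
    action, proto, rest = tok[0], tok[1], tok[2:]
    nets = []
    for _ in range(2):  # source first, then destination
        if rest[0] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0")); rest = rest[1:]
        elif rest[0] == "host":
            nets.append(ipaddress.ip_network(rest[1] + "/32")); rest = rest[2:]
        else:  # address + wildcard mask (ipaddress accepts host-mask form)
            nets.append(ipaddress.ip_network(rest[0] + "/" + rest[1])); rest = rest[2:]
    port = int(rest[1]) if rest[:1] == ["eq"] else None
    return action, proto, nets[0], nets[1], port

def evaluate(acl, proto, src, dst, dport=None):
    """Return (action, matching entry number); first match wins."""
    for seq, line in enumerate(acl, start=1):
        action, a_proto, a_src, a_dst, a_port = parse_ace(line)
        if a_proto not in ("ip", proto):
            continue
        if ipaddress.ip_address(src) not in a_src:
            continue
        if ipaddress.ip_address(dst) not in a_dst:
            continue
        if a_port is not None and a_port != dport:
            continue
        return action, seq
    return "deny", None  # implicit deny at the end of every ACL

SPECIFIC = "permit tcp 192.168.10.0 0.0.0.255 host 203.0.113.10 eq 25"
DENY_SMTP = "deny tcp any any eq 25"
PERMIT_ALL = "permit ip any any"

FIXED = [SPECIFIC, DENY_SMTP, PERMIT_ALL]          # the answer's order
DENY_FIRST = [DENY_SMTP, SPECIFIC, PERMIT_ALL]     # constructed: deny shadows the permit
PERMIT_EARLY = [SPECIFIC, PERMIT_ALL, DENY_SMTP]   # constructed: deny is unreachable

# Constructed test packets: (proto, src, dst, dport)
TO_MAIL = ("tcp", "192.168.10.25", "203.0.113.10", 25)
OTHER_SMTP = ("tcp", "192.168.10.25", "198.51.100.7", 25)
HTTPS = ("tcp", "192.168.10.25", "198.51.100.7", 443)

if __name__ == "__main__":
    for name, acl in (("FIXED", FIXED), ("DENY_FIRST", DENY_FIRST), ("PERMIT_EARLY", PERMIT_EARLY)):
        for pkt in (TO_MAIL, OTHER_SMTP, HTTPS):
            print(name, pkt, "->", evaluate(acl, *pkt))
```

The entry number in each result shows which line decided the packet, which is the same information the per-entry match counters in `show access-lists` give on the router.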