July 6, 2008 02:57pm pdt

1. lrmoore 195,038
2. JFrederi... 185,525
3. donjohnston 181,448
4. RobWill 107,391
5. batry_boy 100,786
6. that1guy15 82,375
7. donmanrobb 80,125
8. giltjr 61,860
9. from_exp 61,185
10. naughton 58,735
11. logic2 43,552
12. dpk_wal 43,202
13. bfason 40,955
14. rsivanandan 35,525
15. arnold 32,200

1. lrmoore 2,856,728
2. JFrederi... 1,145,836
3. donjohnston 1,047,869
4. mikebern... 613,688
5. rsivanandan 350,841
6. RobWill 322,680
7. Dr-IP 293,929
8. harbor235 253,441
9. kbbcnet 200,499
10. batry_boy 190,196
11. Scotty_c... 186,404
12. calvinetter 180,631
13. giltjr 175,441
14. pseudocyber 156,945
15. pjtemplin 152,803

02.22.2008 at 11:21AM PST, ID: 23185513

	[x] Attachment Details

[x]

The Solution Rating System

With so many solutions, how can you tell which solutions are most likely to help you and which ones are not? To provide you with a tool to use, we rate our solutions based on various elements that most accurately determine if a solution is a quality solution. To explain what factors affect the solution rating, here are the elements we take into consideration when formulating our solution rating.

The Grade of the Solution
The Zone Rank of the Expert Providing the Solution
The Number of Author and Expert Comments
The Number of Experts Contributing
The Feedback of the Community

Your Input Matters
Because of the way the system is set up, the most important variable in this equation is you. As a member of Experts Exchange, you are able to cast your vote on the quality of the solutions in regard to how complete, accurate, helpful and easy to understand each solution is. When you provide your feedback, each rating is adjusted accordingly. So, if you see a solution that has a poor rating that you think is a good solution, let us know by rating it. As you do, the rating will be adjusted and will become more accurate for other members of our site.

If you have any suggestions that you would like to make for our rating system, please ask a question in the Suggestions Zone of Community Support.

Thank you!

9.0

Need cisco Access List to block outbound port 25 except mail server

Zone: Network Routers

Tags: Cisco, Router, 2651, Outbound Port Blocking

Hello experts.

I have a fairly easy question although I have not been able to figure it out. Recently someone infiltrated our LAN and they were broadcasting out on SMTP port 25. Needlees to say we got blacklisted everywhere we do business. Anyway I was able to clean up the mess and white list ourselves again. So I need to close the network a bit more so this does not happen. I know I can close all outbound traffic on port 25 except the mail server. So here is a copy of my current ACL. We do VPN into the office and have one port open for RDC. The email server resides on IP 172.18.254.3. We do have split tunneling for the VPN access.

access-list 1 permit 172.18.254.0 0.0.0.255
access-list 100 permit ip 172.18.254.0 0.0.0.255 192.168.199.0 0.0.0.255
access-list 101 permit ip 172.18.254.0 0.0.0.255 host 192.168.199.235
access-list 101 permit ip 172.18.254.0 0.0.0.255 192.168.199.236 0.0.0.3
access-list 101 permit ip 172.18.254.0 0.0.0.255 192.168.199.240 0.0.0.3
access-list 101 permit ip 172.18.254.0 0.0.0.255 host 192.168.199.244
access-list 101 permit ip 172.18.254.0 0.0.0.255 host 192.168.199.245
access-list 110 deny ip 172.18.254.0 0.0.0.255 192.168.199.0 0.0.0.255
access-list 110 permit ip 172.18.254.0 0.0.0.255 any

Start your free trial to view this solution

Question Stats

Zone: Computer Hardware

Question Asked By: amanytx

Solution Provided By: batry_boy

Participating Experts: 2

Solution Grade: A

Translate:

Loading Advertisement...

Microsoft

Internet Protocols
Applications

Development
OS

Hardware
Windows Security

Apple

Operating Systems
Hardware

Programming
Networking

Software

Internet

Search Engines
File Sharing
WebTrends / Stats
Spy / Ad Blockers

Web Browsers
New Net Users
Web Development
Chat / IM

Anti Spam
Web Servers
Anti-Virus
Email Clients

Gamers

Tips
Online / MMORPG
Puzzle
Emulators

Action / Adventure
Role Playing
Consoles
Game Programming

Strategy
Sports
Misc
Computer Games

Digital Living

Hardware
New Net Users
New Users

Software
Digital Music
Gaming World

Home Security
Apple
Networking Hardware

Virus & Spyware

Vulnerabilities
IDS
Encryption
Anti-Virus

Operating Systems Security
Software Firewalls
WebApplications
Cell Phones

Operating Systems
Internet
Hardware Firewalls

Hardware

Handhelds / PDAs
Displays / Monitors
Components
Networking Hardware

Peripherals
Laptops/Notebooks
Storage
Servers

Desktops
New Users
Misc
Apple

Software

System Utilities
Industry Specific
Network Management
Photos / Graphics
Page Layout
VMWare
Misc
Web Development

OS
CYGWIN
Voice Recognition
Message Queue
Quality Assurance
Security
Firewalls
MultiMedia Applications

Development
Database
Office / Productivity
Business Management
OS/2 Apps
Server Software
Internet / Email

ITPro

OS
Storage
Encryption
Operating Systems Security
Apple Hardware
Laptops & Notebooks
Servers
Networking Hardware
Peripherals

Devices
Displays / Monitors
WebTrends / Stats
Search Engines
Firewalls
WebApplications
IDS
Vulnerabilities
Email Clients

File Sharing
Spy / Ad Blockers
Web Browsers
Web Servers
Networking
Anti-Virus
Chat / IM
Anti Spam

Developer

Web Servers
Web Browsers
Game Programming
Dev Tools
Industry Specific
Office / Productivity

Database
CYGWIN
Web Development
Search Engines
File Sharing
WebTrends / Stats

Programming
Content Management
Application Servers
Protocols

Storage

Removable Backup Media
Storage Technology
Servers

Grid
Remote Access
Backup / Restore

Misc
Hard Drives

Miscellaneous
Security
Development
Linux
VMWare

MainFrame OS
Unix
Apple
OS / 2
AS / 400

BeOS
Microsoft
VMS / OpenVMS

Database

Oracle
Miscellaneous
MySQL
Software
Sybase
Contact Management
PostgreSQL
Data Manipulation
Clarion
InterSystems Cache

Siebel
MUMPS
OLAP
SQLBase
SAS
GIS & GPS
4GL
Berkeley DB
DB2
Informix

Interbase / Firebird
FoxPro
Reporting
LDAP
Filemaker Pro
MS SQL Server
dBase
MS Access

Security

Misc
Web Browsers
Software Firewalls
Operating Systems Security
File Sharing

Spy / Ad Blockers
Vulnerabilities
WebApplications
IDS
Anti-Virus

Encryption
Anti Spam
Email Clients
VPN
Chat / IM

Programming

Editors IDEs
Installation
Handhelds / PDAs
Multimedia Programming
System / Kernel

Algorithms
Game
Signal Processing
Project Management
Open Source

Database
Misc
Languages
Processor Platforms
Theory

Web Development

Scripting
Blogs
Web Servers
Software
Search Engines
Web Graphics
Images

Internet Marketing
Images and Photos
Components
Document Imaging
Web Languages/Standards
Illustration
WebApplications

Fonts
WebTrends / Stats
Authoring
Digital Camera Software
Miscellaneous

Networking

Protocols
Apple Networking
Network Management
Message Queue
Application Servers
Content Management
File Servers
Email Servers
Misc
Java Editors & IDEs

Wireless
Networking Hardware
Backup / Restore
System Utilities
ISPs & Hosting
Web Servers
Storage Technology
Removable Backup Media
Servers
Broadband

Grid
OS / 2
Novell Netware
Unix Networking
Windows Networking
Security
Telecommunications
Operating Systems
Linux Networking

Other

Community Advisor
Lounge
Community Support
New Net Users

Philosophy / Religion
Math / Science
Miscellaneous
URLs

Expert Lounge
Politics
Puzzles / Riddles

Community Support

Suggestions
New to EE
New Topics
Community Advisor

CleanUp
Announcements
General

Feedback
Input
EE Bugs

02.22.2008 at 12:22PM PST, ID: 20961045

Rank: Guru

batry_boy:

Which numbered ACL above is doing the outbound filtering? You will need to look at your router interface configurations and look for for the "ip access-group" command on them. It would probably help if you just posted a sanitized copy of the interface information.

In a nutshell, here is how to block SMTP outbound except from your mail server:

access-list <ACL#> permit tcp 172.18.254.3 0.0.0.0 any eq smtp
access-list <ACL#> deny tcp any any eq smtp

Place those two commands in whatever ACL is applied inbound to your inside interface and you should be OK.

02.22.2008 at 01:24PM PST, ID: 20961573

amanytx:

We do not have any outbound acl's in place. Below is a complete config on the router

Current configuration : 3276 bytes
!
version 12.3
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname xxxx
!
boot-start-marker
boot-end-marker
!
no logging console
enable password 7 0831185D1A0E550516
!
no network-clock-participate slot 1
no network-clock-participate wic 0
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
!
!
ip name-server xxxxx
ip name-server xxxxx
!
ip cef
!
!
!
!
!
!
!
!
!
!
!
!
username xxxxxx
username xxxxxx
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp nat keepalive 20
!
crypto isakmp client configuration group xxxx
key ftxxxxxx
dns 172.18.254.1
wins 172.18.254.1
domain xxxxxx.local
pool ippool
acl 101
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
reverse-route
!
!
crypto map cm-cryptomap local-address FastEthernet0/0
crypto map cm-cryptomap client authentication list userauthen
crypto map cm-cryptomap isakmp authorization list groupauthor
crypto map cm-cryptomap client configuration address respond
crypto map cm-cryptomap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
interface FastEthernet0/0
description To Canopy Radio xx.xx.xx.xx
ip address xx.xx.xx.xx 255.255.255.252
ip nat outside
duplex auto
speed auto
crypto map cm-cryptomap
!
interface FastEthernet0/1
description To
ip address 172.18.254.100 255.255.255.0
ip nat inside
duplex auto
speed auto
!
interface Ethernet1/0
no ip address
shutdown
half-duplex
!
ip local pool ippool 192.168.199.235 192.168.199.245
ip nat inside source route-map nonat interface FastEthernet0/0 overload
ip nat inside source static tcp 172.18.254.199 8088 65.183.218.6 8088 extendable
ip nat inside source static tcp 172.18.254.3 25 65.183.218.6 25 extendable
ip nat inside source static tcp 172.18.254.3 443 65.183.218.6 443 extendable
ip nat inside source static tcp 172.18.254.3 8891 65.183.218.6 8891 extendable
ip nat inside source static tcp 172.18.254.3 993 65.183.218.6 993 extendable
ip nat inside source static tcp 172.18.254.3 2525 65.183.218.6 2525 extendable
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 xx.xx.xx.xx
!
!
access-list 1 permit 172.18.254.0 0.0.0.255
access-list 100 permit ip 172.18.254.0 0.0.0.255 192.168.199.0 0.0.0.255
access-list 101 permit ip 172.18.254.0 0.0.0.255 host 192.168.199.235
access-list 101 permit ip 172.18.254.0 0.0.0.255 192.168.199.236 0.0.0.3
access-list 101 permit ip 172.18.254.0 0.0.0.255 192.168.199.240 0.0.0.3
access-list 101 permit ip 172.18.254.0 0.0.0.255 host 192.168.199.244
access-list 101 permit ip 172.18.254.0 0.0.0.255 host 192.168.199.245
access-list 110 deny ip 172.18.254.0 0.0.0.255 192.168.199.0 0.0.0.255
access-list 110 permit ip 172.18.254.0 0.0.0.255 any
!
route-map nonat permit 10
match ip address 110
!
!
snmp-server community
snmp-server community
snmp-server enable traps tty
!
!
!
!
dial-peer cor custom
!
!
!
!
!
line con 0
password 7 141A41131951
line aux 0
line vty 0 4
password 7 141A41131951
!
!
end

02.22.2008 at 01:36PM PST, ID: 20961677

Rank: Guru

batry_boy:

You can configure an ACL on FastEthernet0/1 that will allow just SMTP from your mail server, block it from anywhere else on your internal network, and then allow all other IP (which is what you're doing now). Put in these commands:

access-list 102 permit tcp 172.18.254.3 0.0.0.0 any eq smtp
access-list 102 deny tcp any any eq smtp
access-list 102 permit ip any any
interface FastEthernet0/1
ip access-group 102 in
end

Once you've tested functionality, don't forget the "write memory" to save the configuration.

Accepted Solution

02.22.2008 at 01:47PM PST, ID: 20961768

amanytx:

Thank you sir, worked like a charm. So simple. One last question your statement "ip access-group 102 in" why is the wording in instead of out? Just curious about the logic behind that!

batry_boy

02.22.2008 at 01:58PM PST, ID: 20961859

When you consider applying an ACL to an interface, you always look at the traffic with respect to the router. So, in other words, if you were standing in the middle of the router, you would see the traffic that is going outbound to the Internet as coming inbound to the interface that is attached to your inside LAN. Every packet that comes inbound to the interface is checked against every statement in the ACL applied to that interface to see what the router should do with that packet...either forward it or drop it. Does that make sense?

amanytx

02.22.2008 at 02:01PM PST, ID: 20961888

OK thanks it makes sense know. So in other words The request for outbound smtp traffic on port 25 is still happening but whe the reply is received and inspected by the acl it denies it unless the original request was done by my mail server. Am I correct?

batry_boy

02.22.2008 at 02:02PM PST, ID: 20961900

Yes, that is correct.

amanytx

02.22.2008 at 02:05PM PST, ID: 20961922

Thank You very much. Awsome way of explaining things1

batry_boy

02.22.2008 at 02:21PM PST, ID: 20962060

Glad to assist!

condorcape

05.09.2008 at 01:06AM PDT, ID: 21531032

This was a great reply. I've just had a spammer in my internal network and this helped me to solve it :)

yay!

20080236-EE-VQP-29 / EE_QW_2_20070628