ManicD asked:

CISCO router block port 25

Experience: I got my CCENT a long while back and never used it since; now I need it. I remember the basics but not the specifics.

Problem: I have a Cisco router (version info/config below). I need to allow port 25 from the server and block it from everywhere else, and if possible log port 25 to figure out who is sending out.
Can someone provide me the commands, command by command? (I have telnet in with enable mode access.)

INFO:
Servers are 10.0.0.250 and 10.0.0.3
Network is 10.0.0.0/24
Computers connect to a switch, which connects to the router via one port


===================

ROUTER#show version
Cisco IOS Software, C870 Software (C870-ADVIPSERVICESK9-M), Version 12.4(24)T2,
RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Tue 20-Oct-09 04:56 by prod_rel_team

ROM: System Bootstrap, Version 12.3(8r)YI4, RELEASE SOFTWARE

ROUTER uptime is 1 hour, 46 minutes
System returned to ROM by power-on
System image file is "flash:c870-advipservicesk9-mz.124-24.T2.bin"


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco 877 (MPC8272) processor (revision 0x400) with 118784K/12288K bytes of memory.
Processor board ID FCZ140692PZ
MPC8272 CPU Rev: Part Number 0xC, Mask Number 0x10
4 FastEthernet interfaces
1 ATM interface
128K bytes of non-volatile configuration memory.
24576K bytes of processor board System flash (Intel Strataflash)

Configuration register is 0x2102

==========================
ROUTER#show run
Building configuration...

Current configuration : 2667 bytes
!
version 12.4
service nagle
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ROUTER
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 65536
enable secret 5 $1$WA.x$b1kOqYkQZK7R2x6ethUCn0
!
no aaa new-model
clock timezone GMT 0
regexp optimize
!
!
dot11 syslog
no ip source-route
no ip gratuitous-arps
!
!
ip dhcp excluded-address 192.168.0.1 192.168.0.10
ip dhcp excluded-address 192.168.0.30 192.168.0.254
!
!
ip cef
no ip bootp server
ip domain lookup source-interface Dialer0
ip domain name ************************************
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
username admin password 7 ************************
!
!
!
archive
 log config
  hidekeys
!
!
ip tcp selective-ack
ip tcp window-size 65535
ip tcp queuemax 50
ip tcp path-mtu-discovery
ip tftp source-interface Dialer0
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh source-interface Dialer0
ip ssh version 2
!
buffers tune automatic
!
!
interface ATM0
 no ip address
 load-interval 30
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description :x=LAN:
 ip address 10.0.0.254 255.255.255.0
 no ip proxy-arp
 ip mtu 1426
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1386
 hold-queue 100 out
!
interface Dialer0
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 load-interval 30
 dialer pool 1
 dialer idle-timeout 0
 dialer persistent
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname ****************************************
 ppp chap password 7 ***************************************
 ppp ipcp dns request
 ppp ipcp route default
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip dns server
ip nat inside source list NAT-POOL interface Dialer0 overload
ip nat inside source static tcp 10.0.0.3 80 interface Dialer0 80
ip nat inside source static tcp 10.0.0.3 443 interface Dialer0 443
ip nat inside source static tcp 10.0.0.3 25 interface Dialer0 25
ip nat inside source static tcp 10.0.0.3 491 interface Dialer0 491
!
ip access-list extended NAT-POOL
 permit ip 10.0.0.0 0.0.0.255 any
!
no logging trap
no cdp run

!
!
!
!
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 no modem enable
line aux 0
 exec-timeout 30 0
 password 7 ********************************
line vty 0 4
 exec-timeout 0 0
 no login
 transport input telnet ssh
!
scheduler max-task-time 5000
sntp source-interface Dialer0
end
=================================

Additional Problem:

line vty 0 4
 exec-timeout 0 0
 no login

As far as I remember I just have to change this to 'login'. Where do I set the username and password?
Don Johnston:

>Experience: I got my CCENT along while back and never used it since, now i need it I remember the basics but not the specifics

Don't sweat it. ACL's aren't covered in the CCENT cert. :-)

>Problem: I have a Cisco Router (Version info/config below) I need to allow port 25 from the server and block from everywhere else, if possible log 25 to figure out who is sending out.

I don't know if I follow you, but this should give you a start:

config t
access-list 101 permit tcp 10.0.0.3 0.0.0.0 any eq 25 log
access-list 101 permit tcp 10.0.0.250 0.0.0.0 any eq 25 log
int vlan 1
 ip access-group 101 in
end

With this ACL, the only traffic that will get off the 10.0.0.0/24 network is SMTP traffic from the two addresses. NOTHING else will be able to leave that network. This seems a little extreme to me, but that's what it sounds like you want.

> no login  -   as far as a i remember i just have to change this to 'login' where do i set username and password?

If you want to do a username/password pair, you would create them in global config:

username david password bacon
line vty 0 4
 login local

Or you can simply put a password on the vty line

line vty 0 4
 password automobile
 login

ManicD (Asker):

Apologies, I didn't explain myself: apart from port 25, I do want all other ports to function normally.

djcapone:

This depends on whether you actually mean allowing port 25 FROM the server (server can send mail) or you actually mean TO the server (outside systems can connect to deliver mail).

If you mean the former:

ip access-list extended allow_smtp
permit tcp host 10.0.0.3 any eq 25
permit tcp host 10.0.0.250 any eq 25
deny tcp any any eq 25 log
permit ip any any  <---- this is needed to prevent the implicit deny any any from blocking all traffic

interface Vlan1
ip access-group allow_smtp in

If you mean the latter, you will not be able to allow access to both servers without an additional public IP address.

Your static NAT translation and the lack of an ACL should presently be allowing connections from the outside to reach the 10.0.0.3 server on port 25 via the interface IP address.
You need to set up an access list allowing port 25 only from the server and apply it to the dialer interface.

'login' is enough, but if you want a password for enable mode then you need to configure it under VTY 0 4:

password ? (you will see all commands)

Or, without enable mode, you already have the username and password which you use on the console:

username admin password 7 ************************
ManicD (Asker):

Yes, the server is Exchange so it must send and receive (this is already set up, see running config), but nobody else on site should send or receive on port 25.
The server and all computers need to send/receive on all ports apart from 25.

Then I need to figure out who is sending the spam, to disinfect the computer.
ASKER CERTIFIED SOLUTION
Don Johnston

You can use Exchange 2007 features for anti-spam tuning and monitoring, as you will see lots of IPs hitting in the router log:

http://social.technet.microsoft.com/Forums/en-US/exchangesvrantivirusandantispam/thread/bca379ee-3c14-4c2f-a0a6-daba7b172899/
ManicD (Asker):

config t

access-list 101 permit tcp 10.0.0.3 0.0.0.0 any eq 25
access-list 101 permit tcp 10.0.0.250 0.0.0.0 any eq 25
access-list 101 deny tcp 10.0.0.0 0.0.0.255 any eq 25 log
access-list 101 permit ip any any

int vlan 1
 ip access-group 101 in
end

Also, how do I view the logging for the blocks? And how do I manage it, set the max space the log files can use, etc.?
Bear in mind I only need to log and view logs very occasionally.
To view logs:

show log

To change the logging buffer size, use:

logging ?
logging buffered 16384

To learn some basics:
http://networking.ringofsaturn.com/Cisco/ciscocommandguide.php

Get to know your logging options in the Cisco IOS

http://articles.techrepublic.com.com/5100-10878_11-6084442.html
The log messages will be displayed on the console (unless that's been disabled).

You can also view them with a "show log".

Since the reason for logging is to identify an offending machine, I don't think you need to worry about increasing the log size.

Here's Cisco's ACL logging paper.

http://www.cisco.com/web/about/security/intelligence/acl-logging.html
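The "figure out who is sending" step in code, as an added example that is not from any poster in this thread: a small Python helper that reads `show log` output, picks out the `%SEC-6-IPACCESSLOGP` messages that `log` entries produce, and totals denied port-25 packets per internal source. The log lines below are constructed samples (destinations are RFC 5737 documentation addresses); `denied_by_source` and `parse_acl_log` are names chosen here.

```python
import re
from collections import Counter, defaultdict

# Shape of the messages 'log' ACL entries produce on IOS; the leading timestamp comes from
# 'service timestamps log datetime msec', which the asker's config already has.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

def parse_acl_log(text):
    """Yield one dict per %SEC-6-IPACCESSLOGP line; every other log line is ignored."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            entry = m.groupdict()
            for key in ("sport", "dport", "count"):
                entry[key] = int(entry[key])
            yield entry

def denied_by_source(text, acl="101", dport=25):
    """Total denied packets per source plus the distinct destinations each source tried.
    IOS logs the first packet of a flow and then periodic summaries ('N packets'),
    so the counts are summed rather than the lines counted."""
    packets = Counter()
    targets = defaultdict(set)
    for e in parse_acl_log(text):
        if e["acl"] == acl and e["action"] == "denied" and e["dport"] == dport:
            packets[e["src"]] += e["count"]
            targets[e["src"]].add(e["dst"])
    return packets, targets

# Constructed sample of 'show log' output. A 'permitted' line only appears if the permit
# entry itself carries 'log' (Don's first version did; the final ACL logs denies only).
SAMPLE_LOG = """\
*Dec 23 09:12:04.101: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.0.0.69(3412) -> 203.0.113.10(25), 1 packet
*Dec 23 09:12:09.377: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.0.0.69(3419) -> 198.51.100.25(25), 1 packet
*Dec 23 09:14:31.005: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.0.0.3(1025) -> 203.0.113.10(25), 1 packet
*Dec 23 09:17:04.221: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.0.0.69(3412) -> 203.0.113.10(25), 312 packets
*Dec 23 09:18:12.640: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.0.0.42(2001) -> 192.0.2.77(25), 1 packet
*Dec 23 09:20:00.000: %SYS-5-CONFIG_I: Configured from console by vty0 (10.0.0.12)
"""

if __name__ == "__main__":
    packets, targets = denied_by_source(SAMPLE_LOG)
    for src, n in packets.most_common():   # busiest (most likely infected) host first
        print(f"{src:<12} {n:>6} denied SMTP packets -> {', '.join(sorted(targets[src]))}")
```

Paste the buffer from `show log` into a file and feed it to `denied_by_source` instead of `SAMPLE_LOG`; the host at the top of the list is the one to pull off the network and clean.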
ManicD (Asker):

Just looked at this and got concerned over:

int vlan 1
 ip access-group 101 in

Is the direction of IN correct, or should it be OUT?

I want to stop my network sending out on port 25

Just double checking....

It should be out if you want to block sending from your network.

"Then I need to figure out who is sending the spam to dis-infect the computer."
You want to figure out which of your own network computers are sending out spam?

regards
Traffic coming from the 10.0.0.0/24 network will have to enter the VLAN 1 interface in order to go anywhere. So "in" would be checking that traffic.

Now if you wanted to check traffic going TO the 10.0.0.0/24 network, you could use "out" on the VLAN 1 interface.

Of course, you could check the traffic on the Dialer0 interface instead.
>it should be out if you want to block sending from your network..

The direction of the ACL is dependent on the interface it's applied to.

It would be outbound if it was applied to the dialer0 interface.
ManicD (Asker):

DonJ, I would feel more confident working with the dialer interface, so just to check: it would be traffic heading out of the dialer0 interface?

Commands would be:

config t

access-list 101 permit tcp 10.0.0.3 0.0.0.0 any eq 25
access-list 101 permit tcp 10.0.0.250 0.0.0.0 any eq 25
access-list 101 deny tcp 10.0.0.0 0.0.0.255 any eq 25 log
access-list 101 permit ip any any

int dialer0
 ip access-group 101 out
end

Correct.
And actually, you can accomplish the same result with the following ACL:

access-list 101 deny tcp 10.0.0.0 0.0.0.255 any eq 25 log
access-list 101 permit ip any any

Please disregard the last post.
ManicD (Asker):

All done, but I can still run

telnet smtp.btconnect.com 25

from a computer on 10.0.0.69

======================

ROUTER#show run
Building configuration...

Current configuration : 2896 bytes
!
version 12.4
service nagle
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ROUTER
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 65536
enable secret 5 $1$WA.x$b1kOqYkQZK7R2x6ethUCn0
!
no aaa new-model
clock timezone GMT 0
regexp optimize
!
!
dot11 syslog
no ip source-route
no ip gratuitous-arps
!
!
ip dhcp excluded-address 192.168.0.1 192.168.0.10
ip dhcp excluded-address 192.168.0.30 192.168.0.254
!
!
ip cef
no ip bootp server
ip domain lookup source-interface Dialer0
ip domain name ***********************************
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
username admin password 7 *********************************
!
!
!
archive
 log config
  hidekeys
!
!
ip tcp selective-ack
ip tcp window-size 65535
ip tcp queuemax 50
ip tcp path-mtu-discovery
ip tftp source-interface Dialer0
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh source-interface Dialer0
ip ssh version 2
!
buffers tune automatic
!
!
interface ATM0
 no ip address
 load-interval 30
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description :x=LAN:
 ip address 10.0.0.254 255.255.255.0
 no ip proxy-arp
 ip mtu 1426
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1386
 hold-queue 100 out
!
interface Dialer0
 ip address negotiated
 ip access-group 101 out
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 load-interval 30
 dialer pool 1
 dialer idle-timeout 0
 dialer persistent
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname *******************
 ppp chap password 7 ********************
 ppp ipcp dns request
 ppp ipcp route default
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip dns server
ip nat inside source list NAT-POOL interface Dialer0 overload
ip nat inside source static tcp 10.0.0.3 80 interface Dialer0 80
ip nat inside source static tcp 10.0.0.3 443 interface Dialer0 443
ip nat inside source static tcp 10.0.0.3 25 interface Dialer0 25
ip nat inside source static tcp 10.0.0.3 491 interface Dialer0 491
!
ip access-list extended NAT-POOL
 permit ip 10.0.0.0 0.0.0.255 any
!
no logging trap
access-list 101 permit tcp host 10.0.0.250 any eq smtp
access-list 101 permit tcp host 10.0.0.3 any eq smtp
access-list 101 deny   tcp 10.0.0.0 0.0.0.255 any eq smtp log
access-list 101 permit ip any any
no cdp run

!
!
!
!
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 no modem enable
line aux 0
 exec-timeout 30 0
 password 7 ********************************
line vty 0 4
 exec-timeout 0 0
 no login
 transport input telnet ssh
!
scheduler max-task-time 5000
sntp source-interface Dialer0
end

====================

ManicD (Asker):

Should

access-list 101 deny tcp 10.0.0.0 0.0.0.255 any eq smtp log

be

access-list 101 deny tcp 10.0.0.0 255.0.0.0 any eq smtp log

?
You applied that on the external interface, so the traffic will work internally unless you apply it on the VLAN. And wildcards are used in this way: 10.0.0.0 0.0.0.255, not 10.0.0.0 255.0.0.0.

regards,
That's why you should apply it to the VLAN 1 interface. You're doing NAT. So the source address is being changed.
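
The three points made in this thread about ACL 101 (first match wins and an unmatched packet hits the implicit deny; `0.0.0.255` versus `255.0.0.0` as a wildcard; and why the `10.0.0.0/24` deny never fires outbound on Dialer0 once NAT has rewritten the source) as an added Python model of Cisco ACL matching. This is not code from any poster; `Ace`, `wildcard_match` and `evaluate` are names chosen here, and 203.0.113.10 / 198.51.100.7 are constructed addresses.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Ace:
    """One numbered-ACL entry, e.g. 'access-list 101 deny tcp 10.0.0.0 0.0.0.255 any eq 25 log'."""
    action: str                   # "permit" or "deny"
    proto: str                    # "tcp" or "ip" ("ip" matches every protocol)
    src: str                      # "host A.B.C.D", "A.B.C.D W.W.W.W" (address + wildcard) or "any"
    dst: str
    dport: Optional[int] = None   # "eq <port>" on the destination; None means any port
    log: bool = False

def wildcard_match(addr: str, spec: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return addr == spec.split()[1]
    net, wild = spec.split()
    care = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF      # bits that must match
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(net)) & care)

def evaluate(acl, proto, src, dst, dport):
    """First matching entry wins; an unmatched packet hits the implicit 'deny ip any any'.
    Returns (action, index of the matching entry or None, whether that entry logs)."""
    for i, ace in enumerate(acl):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        if wildcard_match(src, ace.src) and wildcard_match(dst, ace.dst):
            return ace.action, i, ace.log
    return "deny", None, False

# access-list 101 exactly as it ended up in the asker's running config
ACL_101 = [
    Ace("permit", "tcp", "host 10.0.0.250", "any", 25),
    Ace("permit", "tcp", "host 10.0.0.3", "any", 25),
    Ace("deny", "tcp", "10.0.0.0 0.0.0.255", "any", 25, log=True),
    Ace("permit", "ip", "any", "any"),
]

if __name__ == "__main__":
    mx = "203.0.113.10"   # constructed external mail server
    print(evaluate(ACL_101, "tcp", "10.0.0.3", mx, 25))        # Exchange: permit, entry 1
    print(evaluate(ACL_101, "tcp", "10.0.0.69", mx, 25))       # workstation: deny, entry 2, logged
    print(evaluate(ACL_101, "tcp", "10.0.0.69", mx, 443))      # other ports: permit, entry 3
    print(evaluate(ACL_101[:3], "tcp", "10.0.0.69", mx, 443))  # without the final permit: implicit deny
    # wildcard 255.0.0.0 makes only the first octet 'don't care', so 10.0.0.69 no longer matches
    print(wildcard_match("10.0.0.69", "10.0.0.0 255.0.0.0"), wildcard_match("10.0.0.69", "10.0.0.0 0.0.0.255"))
    # outbound on Dialer0 the source is already NATed to the public address, so entry 2 never fires
    print(evaluate(ACL_101, "tcp", "198.51.100.7", mx, 25))    # constructed public IP: permit, entry 3
```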

ManicD (Asker):

Fantastic Help!!

Have an x-mas card and 500 well-deserved expert points!!!

WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW
WW         ___ __     ____      ___    ___   _   _          WW
WW        |   V  \   / _  )    / __|  / __| | | | |         WW
WW        | /\ /\ | ( (/ /_   | /    | /    \ \_| |         WW
WW        |_||_||_|  \_____|  |_|    |_|     \__  |         WW
WW                                              | |         WW
WW                          _.-"""-.          _/ /          WW
WW                        _/_______ `.       |__/           WW
WW                       / _______ \  \                     WW
WW                       \/,-. ,-.\/   \                    WW
WW                       ()>=   =<()`._ \_                  WW
WW                     ,-(.--(_)--.)`-.`(_)                 WW
WW                   ,'  /.-'\_/`-.\   `.                   WW
WW                  /   /    `-'    \    \                  WW
WW                ,'    \           /     `.                WW
WW               /     _ `.       ,'  _     \               WW
WW              /     _/   `-._.-'    \_     \              WW
WW             /_______|     -|O      |_______\             WW
WW            {________}______|_______{________}            WW
WW            ,'   _ \(_____[|_=]______)  / _   `.          WW
WW           /    / `'--------------------`' \    \         WW
WW           `---'  |_____________________|   `---'         WW
WW                    |_____|_____|_____|                   WW
WW                    |__|_____|_____|__|                   WW
WW        _           |_____|_____|_____|  hjw              WW
WW       | |           _                                    WW
WW       | |          (_)        _                          WW
WW  ___  | |__    ___  _   ___  | |_  ___  _    ____   ___  WW
WW /  _| |  _ \  / __|| | / __| |  _||   V  \  / _  | / __| WW
WW(  (_  | | \ || /   | | \__ \ | |  | /\ /\ |( (_| | \__ \ WW
WW \___| |_| |_||_|   |_| |___/ |_|  |_||_||_| \____| |___/ WW
WW                                                          WW
WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW


ManicD (Asker):

:-)