jimcmu
asked on
Cisco Extended Access-List and logging question
I have a question regarding applying an extended access list on a Cisco 1721. There's a possibility that a PC in my network is spamming. However, I don't think it's the mail server (Windows 2003 SP1 with Exchange 2003 SP2) because the queues are clean and my server is not open for SMTP relay. Therefore, I believe a PC on the network might have caught a virus and is spamming without going through Exchange. Although antivirus is installed on all PCs, something might have come through.
I'm trying to isolate the issue by disabling SMTP access through the Cisco for all PCs on the network except for the Exchange server. I know I have to use extended access-list for specific ports, but I'm not sure how to configure it. Any insight would be greatly appreciated.
Also, once SMTP is disabled for all computers on the network (except for Exchange), how can I set up logging on the Cisco to monitor SMTP access? If I can log which PCs are trying to access SMTP through the router, it will help to isolate the PC in question.
Thanks in advance, here are my router configs:
Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router
!
enable password *******
!
!
!
!
!
memory-size iomem 25
ip subnet-zero
no ip domain-lookup
!
!
!
!
interface Serial0
 ip address x.x.18.242 255.255.255.252
 no ip directed-broadcast
 ip nat outside
!
interface FastEthernet0
 ip address y.y.7.254 255.255.255.0
 no ip directed-broadcast
 ip nat inside
 full-duplex
!
ip nat pool NATPOOL z.z.29.139 z.z.29.139 netmask 255.255.255.248
ip nat inside source list 1 pool NATPOOL overload
ip nat inside source static tcp y.y.7.40 3389 z.z.29.139 3389 extendable
ip nat inside source static tcp y.y.7.10 9201 z.z.29.139 9201 extendable
ip nat inside source static tcp y.y.7.5 25 z.z.29.139 25 extendable
ip nat inside source static tcp y.y.7.5 443 z.z.29.139 443 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 x.x.18.241
no ip http server
!
access-list 1 permit y.y.7.0 0.0.0.255
!
line con 0
transport input none
line aux 0
line vty 0 4
password *******
login
!
end
Router#
ASKER CERTIFIED SOLUTION
Because you want to block/log traffic that originates on the INside . . no the outside
ASKER
One more question regarding
interface Fast0
ip access-list STOPSPAM in
Since the potential spam is going outbound, it wouldn't be ip access-list STOPSPAM out? Isn't it an outbound packet?
As far as the fast ethernet is concerned, it is coming inbound. Now if you were to apply it on the serial interface, then it would've been outbound.
The ingress and egress are with respect to the interface. Just to add to Lrmoore's comments (he had answered it all), the reason you want to apply it to the fa interface is that, that way, your traffic is analyzed and dropped at the entry point itself; otherwise, if you apply it on the outbound interface, the router would have to process the packet and then drop it (processing in the sense that routing needs to be done, and if NAT is enabled that needs to be done as well).
Cheers,
Rajesh
I like to use the analogy of a box and doormen.
Think of the router as a box. Each interface is a door. From outside the box, all doors say "IN"; from inside the box, all doors say "OUT". If you place an acl "in", then the doorman is stationed outside the door checking IDs as packets come IN.
Only authorized packets get inside, where there is a tour guide (route processor) to show them the way to the next interface to get OUT to the next hop router. Some packets get new color tags (perhaps natted) as they go out the door because the next hop router only recognizes blue tags.
Some packets can come in door #1 and are only allowed out door #3, so there is also a bouncer in the box along with the tour guide. His instructions are to only let packets with red tags go out door #2, all blue tags go out door #3 (gently guided by the tour guide, no need for bouncer), but all others can go wherever they need to. This is an "out" acl on door #2 and maybe door #4.
The rule of thumb is to place the restrictions as close to the packet origination as possible. The only authorized SMTP packets must come from the mail server, else the doorman never lets them "in" the door to then have to be kicked out by the bouncer inside. Too much work for the one bouncer (CPU) when the doorman could have just turned them away outside.
Hope this helps.
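As an added illustration of the two points made above (the list belongs "in" on FastEthernet0, and an "out" list on Serial0 would only see packets after routing and NAT), here is a small simulator of how IOS walks a named extended ACL. It is example code written for this page, not code from the thread or from Cisco. The ACL text is constructed in the STOPSPAM shape the thread is heading for (permit TCP/25 from the mail server, deny and log TCP/25 from everyone else, permit the rest); it is attached to the interface with `ip access-group STOPSPAM in`, which is the interface command (`ip access-list extended STOPSPAM` is the global command that creates the list), and the `log` hits land in the buffer enabled with `logging buffered` and read with `show logging`. Addresses are constructed: 10.0.7.0/24 stands in for the thread's y.y.7.0/24 (mail server .5, as in the static NAT lines), 198.51.100.9 for the z.z.29.139 NAT pool address, and 203.0.113.0/24 for hosts on the Internet; the log line format is an approximation of the IOS `%SEC-6-IPACCESSLOGP` message.

```python
"""Simulate first-match evaluation of a Cisco-style extended ACL (added example)."""
import ipaddress
from collections import namedtuple

# Constructed list in IOS syntax: only the mail server may talk TCP/25 outbound,
# every other SMTP attempt is dropped and logged, everything else is allowed.
STOPSPAM = """
ip access-list extended STOPSPAM
 permit tcp host 10.0.7.5 any eq 25
 deny   tcp any any eq 25 log
 permit ip any any
"""
NAT_POOL = "198.51.100.9"  # constructed stand-in for the z.z.29.139 overload address

Packet = namedtuple("Packet", "proto src sport dst dport")

def _parse_addr(tokens, i):
    """'any', 'host A' or 'A WILDCARD' -> ((address, wildcard) as ints, next index)."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.ip_address(tokens[i + 1])), 0), i + 2
    return (int(ipaddress.ip_address(tokens[i])),
            int(ipaddress.ip_address(tokens[i + 1]))), i + 2

def _parse_port(tokens, i):
    """Optional 'eq N' qualifier -> (port or None, next index)."""
    if i < len(tokens) and tokens[i] == "eq":
        return int(tokens[i + 1]), i + 2
    return None, i

def parse_acl(text):
    """Parse the subset of extended-ACL syntax used above; returns (name, entries)."""
    name, entries = None, []
    for line in text.strip().splitlines():
        t = line.split()
        if t[:2] == ["ip", "access-list"]:
            name = t[3]
            continue
        src, i = _parse_addr(t, 2)
        sport, i = _parse_port(t, i)
        dst, i = _parse_addr(t, i)
        dport, i = _parse_port(t, i)
        entries.append({"action": t[0], "proto": t[1], "src": src, "sport": sport,
                        "dst": dst, "dport": dport, "log": "log" in t[i:]})
    return name, entries

def _addr_match(rule, ip):
    addr, wildcard = rule
    # IOS wildcard semantics: a 1 bit in the wildcard means "don't care".
    return ((int(ipaddress.ip_address(ip)) ^ addr) & ~wildcard & 0xFFFFFFFF) == 0

def evaluate(entries, pkt):
    """First matching entry wins; a packet matching nothing hits the implicit deny."""
    for e in entries:
        if e["proto"] not in ("ip", pkt.proto):
            continue
        if not (_addr_match(e["src"], pkt.src) and _addr_match(e["dst"], pkt.dst)):
            continue
        if e["sport"] not in (None, pkt.sport) or e["dport"] not in (None, pkt.dport):
            continue
        return e["action"], e["log"]
    return "deny", False

def run_acl(name, entries, packets, after_nat=False):
    """Apply the list to each packet; returns (forwarded packets, log lines).

    after_nat=True models an 'out' list on Serial0, which only sees the packet
    after inside-to-outside NAT has rewritten its source to the pool address.
    """
    verb = {"permit": "permitted", "deny": "denied"}
    forwarded, logs = [], []
    for p in packets:
        if after_nat:
            p = p._replace(src=NAT_POOL)
        action, log = evaluate(entries, p)
        if log:  # approximate shape of the IOS %SEC-6-IPACCESSLOGP message
            logs.append(f"%SEC-6-IPACCESSLOGP: list {name} {verb[action]} {p.proto} "
                        f"{p.src}({p.sport}) -> {p.dst}({p.dport}), 1 packet")
        if action == "permit":
            forwarded.append(p)
    return forwarded, logs

# Constructed sample traffic leaving the LAN toward the Internet.
SAMPLE = [
    Packet("tcp", "10.0.7.5", 40001, "203.0.113.10", 25),    # Exchange sending mail
    Packet("tcp", "10.0.7.42", 40002, "203.0.113.10", 25),   # a PC speaking SMTP directly
    Packet("tcp", "10.0.7.42", 40003, "203.0.113.20", 443),  # same PC, ordinary HTTPS
    Packet("udp", "10.0.7.42", 53001, "203.0.113.53", 53),   # DNS, not TCP/25 at all
]

if __name__ == "__main__":
    acl_name, acl = parse_acl(STOPSPAM)
    for after_nat in (False, True):
        fwd, logs = run_acl(acl_name, acl, SAMPLE, after_nat=after_nat)
        print("out on Serial0" if after_nat else "in on FastEthernet0",
              f"-> {len(fwd)} of {len(SAMPLE)} packets forwarded")
        for line in logs:
            print("  ", line)
```

Run inbound on FastEthernet0, the list forwards three of the four packets and writes exactly one log line, naming 10.0.7.42 as the host that tried SMTP directly. Run as an "out" list on Serial0, the same traffic has already been translated, so every packet carries the pool address: the log line no longer identifies the PC, and the `permit ... host 10.0.7.5` entry never matches, so the mail server's own SMTP is dropped too. That is the practical reason for the "as close to the origin as possible" rule of thumb.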
ASKER
Thanks for the clarification, very good analogy for future reference.
ASKER
Thanks for the quick reply! Just for my understanding, why would you tie the access-list to Fast0 inside? I thought it would be tied to Serial0 inside, since Serial0 is used for external access.
Thanks again