Help Restricting SMTP traffic
Asked by gdf99
How do I restrict SMTP traffic outbound to only a mail server? We are being blacklisted due to an infected computer. Apparently this computer is sending out SMTP traffic. Until I track down the PC, how do I stop this traffic from getting outbound?
We have a 1751 Cisco router. Here are some configs:
ip domain name junius. .org
ip cef
ip ips po max-events 100
ip ssh time-out 60
ip ssh authentication-retries 2
vpdn enable
!
vpdn-group pppoe
request-dialin
protocol pppoe
!
no ftp-server write-enable
!
!
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key 6 Organization address x.x.x.x 255.255.255.0
crypto isakmp identity hostname
!
crypto isakmp peer address x.x.x.x
!
!
crypto ipsec transform-set aptset esp-3des esp-md5-hmac
crypto ipsec df-bit clear
!
crypto map aptmp 10 ipsec-isakmp
set peer x.x.x.x
set transform-set aptset
match address 103
!
!
!
interface Vif1
no ip address
!
interface ATM0/0
no ip address
shutdown
no atm ilmi-keepalive
dsl operating-mode auto
!
interface FastEthernet0/0
ip address 172.x.x.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
speed auto
half-duplex
pppoe enable
pppoe-client dial-pool-number 1
no cdp enable
!
interface Virtual-PPP1
no ip address
!
interface Virtual-Template1
no ip address
!
interface Dialer0
mtu 1492
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication pap chap callin
ppp chap hostname
ppp chap password
ppp pap sent-username
crypto map aptmp
!
interface Virtual-TokenRing1
no ip address
ring-speed 16
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
no ip http secure-server
ip nat inside source route-map nonat interface Dialer0 overload
!
!
!
ip access-list extended ipsec
access-list 1 permit 172.x.0.0 0.15.255.255
access-list 102 permit tcp host x.x.x.x any eq 22
access-list 102 permit tcp host x.x.x.x any eq 22
access-list 103 permit ip 172.x.x.0 0.0.0.255 172.17.2.0 0.0.0.255
access-list 130 deny ip 172.16.3.0 0.0.0.255 172.17.2.0 0.0.0.255
access-list 130 permit ip 172.16.3.0 0.0.0.255 any
dialer-list 1 protocol ip permit
route-map nonat permit 10
match ip address 130
ASKER CERTIFIED SOLUTION
Yes, it is necessary. You have to apply the access-list to the interface. This is an interface config:
router(config)#interface fast 0/0
router(config-if)#ip access-group 111 in
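As an added illustration of the answer above (not from the original thread), here is what an access-list 111 for this router could look like. It assumes the LAN is the 172.x.x.0/24 network on FastEthernet0/0 from the posted config, and MAIL_SERVER_IP is a placeholder for the one mail server that is allowed to receive SMTP.

```cisco
! Added example, not from the thread. MAIL_SERVER_IP is a placeholder
! for the permitted mail server; 172.x.x.0/24 is the LAN behind Fa0/0.
!
! 1. Let only the mail server be reached on TCP/25 ...
access-list 111 remark --- restrict outbound SMTP to the mail server ---
access-list 111 permit tcp 172.x.x.0 0.0.0.255 host MAIL_SERVER_IP eq 25
!
! 2. ... log and drop every other SMTP attempt. Each log entry carries
!    the source address, which points at the infected PC.
access-list 111 deny   tcp 172.x.x.0 0.0.0.255 any eq 25 log
!
! 3. Everything else (NAT'd web traffic, the IPsec tunnel matched by
!    access-list 103, SSH) keeps flowing; an ACL ends in an implicit deny,
!    so this line is required.
access-list 111 permit ip any any
!
! Apply it inbound on the LAN-facing interface, so the router evaluates
! the hosts' real 172.x.x.x addresses before NAT rewrites them on Dialer0.
interface FastEthernet0/0
 ip access-group 111 in
!
! Afterwards, the hit counters and log lines identify the sender:
!   show access-list 111
!   show logging | include list 111
```

Once the infected PC is cleaned, the deny line can stay in place; keeping it means a future infection is logged and blocked rather than blacklisted again.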
ASKER
ip access-group 111 in
Thanks