Help Restricting SMTP traffic

Posted on 2007-07-25
Last Modified: 2010-04-09
How do I restrict SMTP traffic outbound to only a mail server?  We are being blacklisted due to an infected computer.  Apparently this computer is sending out SMTP traffic.  Until I track down the PC, how do I stop this traffic from getting outbound?

We have a 1751 Cisco router.  Here are some configs:

ip domain name junius. .org
ip cef
ip ips po max-events 100
ip ssh time-out 60
ip ssh authentication-retries 2
vpdn enable
!
vpdn-group pppoe
 request-dialin
  protocol pppoe
!
no ftp-server write-enable
!
!
!
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key 6 Organization address x.x.x.x 255.255.255.0
crypto isakmp identity hostname
!
crypto isakmp peer address x.x.x.x
!
!
crypto ipsec transform-set aptset esp-3des esp-md5-hmac
crypto ipsec df-bit clear
!
crypto map aptmp 10 ipsec-isakmp
 set peer x.x.x.x
 set transform-set aptset
 match address 103
!
!
!
interface Vif1
 no ip address
!
interface ATM0/0
 no ip address
 shutdown
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface FastEthernet0/0
 ip address 172.x.x.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 speed auto
 half-duplex
 pppoe enable
 pppoe-client dial-pool-number 1
 no cdp enable
!
interface Virtual-PPP1
 no ip address
!
interface Virtual-Template1
 no ip address
!
interface Dialer0
 mtu 1492
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication pap chap callin
 ppp chap hostname
 ppp chap password
 ppp pap sent-username
 crypto map aptmp
!
interface Virtual-TokenRing1
 no ip address
 ring-speed 16
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
no ip http secure-server
ip nat inside source route-map nonat interface Dialer0 overload
!
!
!
ip access-list extended ipsec
access-list 1 permit 172.x.0.0 0.15.255.255
access-list 102 permit tcp host x.x.x.x any eq 22
access-list 102 permit tcp host x.x.x.x any eq 22
access-list 103 permit ip 172.x.x.0 0.0.0.255 172.17.2.0 0.0.0.255
access-list 130 deny   ip 172.16.3.0 0.0.0.255 172.17.2.0 0.0.0.255
access-list 130 permit ip 172.16.3.0 0.0.0.255 any
dialer-list 1 protocol ip permit

route-map nonat permit 10
 match ip address 130
Question by: gdf99
Accepted Solution by lrmoore (ID: 19569145)
access-list 111 permit tcp host 172.16.3.xxx any eq 25   <== xxx= your mail server
access-list 111 deny tcp any any eq 25 log   <== log so you can catch the culprit
access-list 111 permit ip any any
interface fast 0/0
 ip access-group 111 in

Done.
Author Comment by gdf99 (ID: 19575233)
lrmoore - Is the following line necessary? I tried to input the following line and the router won't accept it.
ip access-group 111 in

Thanks
Expert Comment by lrmoore (ID: 19575407)
Yes, it is necessary. You have to apply the access-list to the interface. This is an interface config:
router(config)#interface fast 0/0
router(config-if)#ip access-group 111 in
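The following is an added example, not code from the original thread or from lrmoore: a small Python model of the first-match semantics of the access-list proposed above (which is why the mail-server permit must precede the deny), together with a triage script for the IOS log messages that the `log` keyword produces, so the infected PC can be picked out of syslog. The mail server address 172.16.3.10, the LAN 172.16.3.0/24 and the syslog lines are assumptions constructed for the example; only the `%SEC-6-IPACCESSLOGP` message format is the router's real one.

```python
"""
Added example (not part of the original thread).

Models the ACL 111 from lrmoore's answer and parses the IOS
%SEC-6-IPACCESSLOGP messages produced by its 'log' entry.

Assumptions: mail server is 172.16.3.10 (hypothetical), LAN is
172.16.3.0/24, and SAMPLE_SYSLOG below is constructed, not captured.
"""
import ipaddress
import re
from collections import Counter

MAIL_SERVER = ipaddress.ip_address("172.16.3.10")  # assumed; use your own mail server

# ACL 111 in the order given in the answer. IOS evaluates entries
# top-down and stops at the first match; an implicit deny ends the list.
# Each entry: (action, protocol, source network, destination port, log?)
ACL_111 = [
    ("permit", "tcp", ipaddress.ip_network(f"{MAIL_SERVER}/32"), 25, False),
    ("deny",   "tcp", ipaddress.ip_network("0.0.0.0/0"),         25, True),
    ("permit", "ip",  ipaddress.ip_network("0.0.0.0/0"),         None, False),
]


def evaluate(src, proto, dport):
    """Return (action, logged) for a packet entering fast 0/0 from the LAN."""
    src = ipaddress.ip_address(src)
    for action, ace_proto, net, port, log in ACL_111:
        if ace_proto != "ip" and ace_proto != proto:   # 'ip' matches any protocol
            continue
        if src not in net:
            continue
        if port is not None and port != dport:
            continue
        return action, log
    return "deny", False  # implicit deny at the end of every IOS ACL


# Standard IOS ACL logging message (with 'service timestamps log datetime msec').
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) denied (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?"
)

# Constructed sample log lines, not captured from a real router.
SAMPLE_SYSLOG = """\
Jul 25 14:02:11.233: %SEC-6-IPACCESSLOGP: list 111 denied tcp 172.16.3.77(3312) -> 203.0.113.25(25), 1 packet
Jul 25 14:02:14.901: %SEC-6-IPACCESSLOGP: list 111 denied tcp 172.16.3.77(3315) -> 198.51.100.7(25), 1 packet
Jul 25 14:03:02.110: %SEC-6-IPACCESSLOGP: list 111 denied tcp 172.16.3.42(1054) -> 203.0.113.25(25), 1 packet
Jul 25 14:07:11.500: %SEC-6-IPACCESSLOGP: list 111 denied tcp 172.16.3.77(3391) -> 192.0.2.19(25), 57 packets
"""


def smtp_offenders(syslog_text, acl="111"):
    """Sum denied SMTP packets per LAN source; most active source first."""
    counts = Counter()
    for line in syslog_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m["acl"] != acl or m["dport"] != "25":
            continue
        counts[m["src"]] += int(m["count"])
    return counts.most_common()


if __name__ == "__main__":
    for flow in [("172.16.3.10", "tcp", 25), ("172.16.3.77", "tcp", 25),
                 ("172.16.3.77", "tcp", 80)]:
        print(flow, "->", evaluate(*flow))
    for src, n in smtp_offenders(SAMPLE_SYSLOG):
        print(f"{src}: {n} denied SMTP packets")
```

Two practical notes on the `log` keyword: IOS logs the first matching packet immediately and then only a summary (the "57 packets" form above) at the log-update interval, five minutes by default, so expect counts to lag; and the deny matches TCP/25 only, so the model above lets a UDP packet to port 25 through, which is correct for SMTP but worth knowing when reading the counters from `show access-lists 111`.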