  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 610

Deny all outbound e-mail from LAN side except from one IP

Using a Cisco 806 router, I want to block all outbound e-mail traffic from the LAN except for that from one IP. In addition, all denied outbound e-mail traffic is to be added to the syslog.

Info:
LAN IP's: 192.168.1.1 to 192.168.1.254
Router IP: 192.168.1.254
IP Allowed to send e-mail: 192.168.1.100

I think I have an idea on how to do this, but would like some help from the experts first.
0
TunaMaxx
Asked:
2 Solutions
 
NoodlesWIU Commented:
Call me crazy, but isn't this usually accomplished through a separate firewall such as a PIX or an ISA server?
0
 
avilov Commented:
You need something like this in the access list that is applied on the outgoing interface:

access-list nnn permit tcp host 63.36.9. any eq 25
0
 
avilov Commented:
oops :) make it

access-list nnn permit tcp host  192.168.1.100 any eq 25
0
 
avilov Commented:
sorry, forgot about the logging requirement

access-list nnn permit tcp host  192.168.1.100 any eq 25
access-list nnn deny tcp 192.168.1.1 0.0.0.255 any eq 25 log
0
 
TunaMaxx Author Commented:
Thanks. I'll go try this out.

By the way, the 806 is a PIX firewall, but whenever I call it that, nobody can find info on it and it confuses them!
0
 
lrmoore Commented:
PIX firewall is probably 506, not 806.
Anyway, avilov has half the solution. PIX uses subnet masks in ACLs, not wildcards as in avilov's suggestion.

allow the one server out to port 25
deny all other local hosts out to port 25 - log as an option
allow all other traffic <== very important!
apply the acl to the inside interface

access-list inside_access_out permit tcp host 192.168.1.100 any eq 25
access-list inside_access_out deny tcp 192.168.1.0 255.255.255.0 any eq 25 log
access-list inside_access_out permit ip 192.168.1.0 255.255.255.0 any
access-group inside_access_out in interface inside
0
 
Pete Long Consultant Commented:
if it looks like this http://www.usedrouter.com/productpics/Cisco806.jpg its a router
Though I agree with lrmoore does it look like this http://www.1st-computer-networks.co.uk/img/pix506.jpg if so then its a Pix 506
0
 
TunaMaxx Author Commented:
Hello all, It's definitely this one: http://www.usedrouter.com/productpics/Cisco806.jpg

But Cisco says this about it: "The Cisco 806 Router includes a stateful inspection firewall, optional VPN IP Security Triple Digital Encryption Standard (IPSec 3DES) encryption software, and quality of service (QoS) features..."

I could be (and probably am) wrong about the PIX designation, but that's what it was sold to us as... Maybe I'm the reason people get so confused? ;)

I'll try the solutions provided and see what I get.

Thanks
0
 
lrmoore Commented:
So it is not a PIX, and there is a difference in syntax between your 806 IOS router and PIX FOS.

The proper IOS syntax would be:

access-list 101 permit tcp host 192.168.1.100 any eq 25
access-list 101 deny tcp 192.168.1.0 0.0.0.255 any eq 25 log
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
interface Ethernet0
 ip access-group 101 in
0
 
avilov Commented:
It's a router. IOS has all mentioned features built in.

As for your original question: if you already have an access list on the outgoing interface, then just add

access-list nnn permit tcp host  192.168.1.100 any eq 25
access-list nnn deny tcp 192.168.1.1 0.0.0.255 any eq 25 log

if you don't have it

add

access-list nnn permit tcp host  192.168.1.100 any eq 25
access-list nnn deny tcp 192.168.1.1 0.0.0.255 any eq 25 log
access-list nnn permit ip any any

where nnn is the number of your access list 102 for example

you also need to add the following command to the outgoing interface config

ip access-group nnn out
0
 
TunaMaxx Author Commented:
Thank you very much.

I see that you both ended up with basically the same solution except which interface it is applied to. Is there a benefit to applying the list to E0 in versus E1 out?
0
 
lrmoore Commented:
Yes. You always want to apply a restrictive acl on the interface nearest the users. In my example, I use the closest-to-users LAN interface "in". This is like putting a bouncer at the door, the traffic never even gets in.
Avilov's example puts the acl on the WAN interface "out". So all traffic gets in through the doorman, the activities director looks at each one to see which door they need to go out of and points them to the back door (WAN), and then the busy bartender (CPU) has to NAT them all, and another dapper doorman keeps those packets from going out the back door because they are on the list. Oh, but wait, now they've already been natted, so their source IP is no longer the private 192.168.1.xx, so they bypass the list and get sent on their merry way. Why even let them in in the first place to let all the internal processes have to deal with them?
0
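The ordering point lrmoore makes above (an outbound ACL on the WAN interface is evaluated after NAT, so the deny on the private source never matches) is easy to see in a small simulation. This is an added example, not code from the thread; it models IOS wildcard-mask matching and first-match ACL evaluation on avilov's list, and assumes a constructed public NAT address of 203.0.113.1.

```python
import ipaddress

# Constructed ACL mirroring avilov's list nnn: (action, base, wildcard, dport, log)
# A dport of None means "any port" (the final "permit ip any any").
ACL_NNN = [
    ("permit", "192.168.1.100", "0.0.0.0",         25,   False),
    ("deny",   "192.168.1.0",   "0.0.0.255",       25,   True),
    ("permit", "0.0.0.0",       "255.255.255.255", None, False),
]


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (b & care)


def evaluate(acl, src: str, dport: int):
    """First matching entry wins; unmatched traffic hits the implicit deny.
    Returns (action, logged)."""
    for action, base, wildcard, port, log in acl:
        if wildcard_match(src, base, wildcard) and port in (None, dport):
            return action, log
    return "deny", False


def pass_through_router(acl, placement: str, src: str, dport: int,
                        nat_public: str = "203.0.113.1"):
    """Hypothetical model of the two placements discussed in the thread.
    'e0_in'  : ACL is checked on the LAN interface before NAT, so it sees
               the private source address.
    'e1_out' : the packet is translated first, so the WAN outbound ACL
               only ever sees the public NAT address."""
    if placement == "e1_out":
        src = nat_public
    return evaluate(acl, src, dport)


if __name__ == "__main__":
    for placement in ("e0_in", "e1_out"):
        print(placement, "SMTP from 192.168.1.50 ->",
              pass_through_router(ACL_NNN, placement, "192.168.1.50", 25))
```

With the list on Ethernet0 inbound, SMTP from a non-approved host is denied and logged; with the same list on the WAN interface outbound, the post-NAT source matches only the final permit and the mail leaves unlogged.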
 
TunaMaxx Author Commented:
You couldn't have picked a better analogy... I was a doorman for nearly a decade. Your scenario makes perfect sense!
0
 
avilov Commented:
lrmoore, I might have misread the original post, but I didn't see any mention of NAT on the router?

TunaMaxx, if that is the case then lrmoore is correct about where to place the ACL. If the router is just passing packets, then there is no difference.
0
 
TunaMaxx Author Commented:
While I don't think it was mentioned, yes we NAT on the router. Sorry for any confusion.
0
 
TunaMaxx Author Commented:
I cranked up the points a little bit because you were both very helpful. But lrmoore's 'doorman' analogy just opened up a whole new level of understanding for me.
0
 
TunaMaxx Author Commented:
oops! I forgot to say thanks...

Thanks!
0
 
lrmoore Commented:
Cheers, mate!
0
