Solved

How do I block outgoing smtp traffic from all devices except my Exchange Server?

Posted on 2008-10-13
1,061 Views
Last Modified: 2012-06-27
Hello,

We are working on reconfiguring our 1841 to block SMTP traffic from all devices inside our network except our Exchange server (we were recently blacklisted due to a spambot).  I know the basics, but when I initially applied an ACL to try to only permit outbound SMTP traffic from my Exchange server, I blocked RWW and OWA as well, so I am hoping someone can help me properly implement that.

Additionally, when the router was initially configured, we didn't have extra outside IP addresses, so we used NAT to direct outside traffic to different devices inside by ports.  This has worked well, but we now have a block of 16 addresses available to us.  I am wondering if there would be any advantage at this point in reconfiguring to make use of the additional outside IPs, or should I just stay with NAT'ing the one address to the different machines.


Here are the interface configurations:

interface FastEthernet0/0
 description -----> Access to MEPs Associates, LLC LAN
 ip address 192.168.5.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0/0
 description -----> Connection to CWCI-EAU-GW S3/0/0/3:0
 ip address 209.94.170.122 255.255.255.252
 ip nat outside
 service-module t1 timeslots 1-24


Here are the NAT statements in our current configuration... 192.168.5.100 is the SBS (Exchange) server; 192.168.5.6 is our spam filter:

ip nat inside source list 1 interface Serial0/0/0 overload
ip nat inside source static tcp 192.168.5.100 21 209.94.170.122 21 extendable
ip nat inside source static tcp 192.168.5.6 25 209.94.170.122 25 extendable
ip nat inside source static tcp 192.168.5.100 80 209.94.170.122 80 extendable
ip nat inside source static tcp 192.168.5.100 110 209.94.170.122 110 extendable
ip nat inside source static tcp 192.168.5.100 443 209.94.170.122 443 extendable
ip nat inside source static tcp 192.168.5.100 3389 209.94.170.122 3389 extendable
ip nat inside source static tcp 192.168.5.100 4125 209.94.170.122 4125 extendable



There are two access lists, but I can't tell where they are being applied.  The IP addresses in ACL 23 all belong to the ISP... not sure what they are there for, and I can't find anyone here that knows, either.

access-list 1 permit 192.168.5.0 0.0.0.255
access-list 23 permit 209.94.160.250
access-list 23 permit 209.94.170.116 0.0.0.3
access-list 23 permit 209.94.170.120 0.0.0.3



I originally tried to permit outgoing SMTP traffic from my SBS server and block it from everywhere else by adding the following ACL and applying it to FastEthernet 0/1:

access-list 102 permit tcp 192.168.5.100 0.0.0.0 any eq smtp
access-list 102 deny tcp any any eq smtp
access-list 102 permit ip any any

interface FastEthernet0/1
ip access-group 102 in

I am a router newbie, so my commands might be out of whack, or I may be totally off base with the attempt.  Regardless, when I applied this ACL, I dropped our RWW and OWA connections to the inside.  At this point, I thought I should ask someone for help.

Thanks!
Scott

Question by:corptech
20 Comments
 
LVL 26

Accepted Solution

by:
Soulja earned 250 total points
ID: 22705019
ACLs don't necessarily apply just to interfaces. I don't see the first two ACLs applied to your interfaces, so they must be used for NAT, redistribution, or something else. As for your ACL:



You put:
access-list 102 permit tcp 192.168.5.100 0.0.0.0 any eq smtp
access-list 102 deny tcp any any eq smtp
access-list 102 permit ip any any

interface FastEthernet0/1
ip access-group 102 in


Try:

access-list 102 permit tcp host 192.168.5.100 any eq smtp
access-list 102 deny tcp any any eq smtp
access-list 102 permit ip any any

interface FastEthernet0/0
ip access-group 102 in

 
LVL 2

Author Comment

by:corptech
ID: 22705060
I will try that, soulja...

and the fe0/1 was a typo... I did apply it to 0/0.

can you explain to me the difference in the first lines of the access-list 102?
 
LVL 26

Expert Comment

by:Soulja
ID: 22705139
I just realized that after I posted it. It is the same. Sorry.
 
LVL 26

Expert Comment

by:Soulja
ID: 22705140
That being said, could you post your entire config?
 
LVL 2

Author Comment

by:corptech
ID: 22705279
Sure... here it is:


Solarus_MEPs-GW#sh run
Building configuration...

Current configuration : 2331 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec

!
hostname Solarus_MEPs-GW
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
!
!
ip domain name solarus.net
!
!
!
interface FastEthernet0/0
 description -----> Access to MEPs Associates, LLC LAN
 ip address 192.168.5.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0/0
 description -----> Connection to CWCI-EAU-GW S3/0/0/3:0
 ip address 209.94.170.122 255.255.255.252
 ip nat outside
 service-module t1 timeslots 1-24
!
ip classless
ip route 0.0.0.0 0.0.0.0 209.94.170.121
!
ip http server
ip http access-class 23
ip http authentication local
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface Serial0/0/0 overload
ip nat inside source static tcp 192.168.5.100 21 209.94.170.122 21 extendable
ip nat inside source static tcp 192.168.5.6 25 209.94.170.122 25 extendable
ip nat inside source static tcp 192.168.5.100 80 209.94.170.122 80 extendable
ip nat inside source static tcp 192.168.5.100 110 209.94.170.122 110 extendable
ip nat inside source static tcp 192.168.5.100 443 209.94.170.122 443 extendable
ip nat inside source static tcp 192.168.5.100 3389 209.94.170.122 3389 extendable
ip nat inside source static tcp 192.168.5.100 4125 209.94.170.122 4125 extendable
!
access-list 1 permit 192.168.5.0 0.0.0.255
access-list 23 permit 209.94.160.250
access-list 23 permit 209.94.170.116 0.0.0.3
access-list 23 permit 209.94.170.120 0.0.0.3
!
control-plane
!
!
line con 0
 login local
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 login local
 transport input telnet
line vty 5 15
 access-class 23 in
 privilege level 15
 login local
 transport input telnet
!
end


I see now that access-list 23 is being used to define who can telnet in.

Scott
 
LVL 26

Expert Comment

by:Soulja
ID: 22705750
Try:

access-list 102 permit tcp host 192.168.5.100 any
access-list 102 deny tcp any any eq smtp
access-list 102 permit ip any any

interface FastEthernet0/0
ip access-group 102 in
 
LVL 2

Author Comment

by:corptech
ID: 22705830
I will... try it and let you know.

Feel like teaching a bit?

Why the permit ip any any at the end of the ACL?  Isn't that redundant, or is IP traffic blocked by default?

Scott
 
LVL 26

Expert Comment

by:Soulja
ID: 22706020
There is an implicit deny any any at the end of Cisco ACLs.
 
LVL 2

Author Comment

by:corptech
ID: 22706065
thanks...

I will make the changes, but we can't put it into production until Friday night, so I will update the ticket on Monday.

By the way, did you see any advantages to using more of our block of 16 outside IP addresses, or, since our configuration is so simple, are the existing NAT statements the way to go?

Thanks again for your help.

Scott
 
LVL 26

Expert Comment

by:Soulja
ID: 22706129
Dang,

I didn't even see the spam filter in there:

access-list 102 permit tcp host 192.168.5.56 eq smtp
access-list 102 deny tcp any any eq smtp
access-list 102 permit ip any any

As for the other IPs: if you plan on making more boxes available for public access, then yes, I can see where you may want to use the other public IPs, but based on your NAT you have only two devices being accessed from the outside.
 
LVL 2

Author Comment

by:corptech
ID: 22706137
I appreciate your help, Soulja.
 
LVL 26

Expert Comment

by:Soulja
ID: 22706222
Correction, I wish EE had an edit button:

access-list 102 permit tcp host 192.168.5.56 any eq smtp
access-list 102 deny tcp any any eq smtp
access-list 102 permit ip any any
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22708643
Ditto... EE needs an edit button, at least for your post when it's the last one on the thread.
 
LVL 2

Author Comment

by:corptech
ID: 22711476
Soulja, I was looking over your earlier responses this morning.  You said that I should try this:

Try:

access-list 102 permit tcp host 192.168.5.100 any
access-list 102 deny tcp any any eq smtp
access-list 102 permit ip any any

interface FastEthernet0/0
ip access-group 102 in

Shouldn't that first line define the port we are permitting to the host?
access-list 102 permit tcp host 192.168.5.100 any eq smtp

Just checking before I plug the entries in...

Scott
 
LVL 26

Expert Comment

by:Soulja
ID: 22711566
Based on your question you stated that you are trying to block SMTP traffic leaving your network except for your Exchange box. After looking at your config it looks like your spam filter is hosting the SMTP port, so I changed the ACL in my last comment.

I wondered if you wanted to block all incoming smtp traffic except for one host. If so,


access-list 103 permit tcp any host 209.94.170.122 eq smtp
access-list 103 deny tcp any any eq smtp
access-list 103 permit ip any any

interface Serial0/0/0
ip access-group 103 in


 
LVL 2

Author Comment

by:corptech
ID: 22711637
ok... I see that I am confusing myself a bit

Just to reiterate, I want to block all outgoing smtp traffic from inside my network, except if it is originating at my exchange server, 192.168.5.100.

To my knowledge, my spam filter, 192.168.5.6, doesn't touch outgoing email traffic at all... it is just the receiving address for all incoming email, which it filters and passes down to my Exchange server.  I admit that I am very new to the routing thing, but should the spam filter be involved in this ACL at all?

Please note that I am not second-guessing you... I just want to be sure that I have stated things clearly.  

Scott
 
LVL 26

Expert Comment

by:Soulja
ID: 22711951
Ahh... okay. Now it makes sense to me.

Your original ACL looks fine then. I was misunderstanding what you were trying to accomplish.
 
LVL 2

Author Comment

by:corptech
ID: 22712075
cool... just so I am clear here

access-list 102 permit tcp host 192.168.5.100 any
access-list 102 deny tcp any any eq smtp
access-list 102 permit ip any any

interface FastEthernet0/0
ip access-group 102 in

This is how it ought to look then?  My one concern is that applying this acl to the inside interface will affect my nat statements above... we have a bunch of mobile employees who connect via Remote Web Workplace, Outlook Web Access, and Terminal Services, and I am worried about disrupting those connections.

Thanks for your help.

Scott
 
LVL 26

Expert Comment

by:Soulja
ID: 22712170
You can add

access-list 102 permit tcp any any established

at the beginning if you are concerned, but I don't see any access list on your outside interface, so I assume that it is wide open right now.



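The implicit deny the expert explains a few posts up, and the `established` entry suggested here, worked through as an added example (not code from the thread, and not a Cisco tool): a small Python model of IOS first-match ACL evaluation, run over the final ACL 102 with constructed packets. The destination 198.51.100.9 and the workstation and spambot source addresses are assumed sample values.

```python
"""IOS-style first-match evaluator for the extended ACL discussed in this thread.
Added example, not from the thread or from Cisco. Covers host / wildcard / any,
'eq PORT' on the destination, 'established', and the implicit deny at the end."""
import ipaddress

def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT] [established]'."""
    tok, addrs, i = line.split(), [], 4
    for _ in range(2):                          # source, then destination
        if tok[i] == "any":
            addrs.append(("any",)); i += 1
        elif tok[i] == "host":
            addrs.append(("host", tok[i + 1])); i += 2
        else:                                   # address followed by wildcard mask
            addrs.append(("wild", tok[i], tok[i + 1])); i += 2
    ace = {"action": tok[2], "proto": tok[3], "src": addrs[0], "dst": addrs[1],
           "port": None, "established": False}
    while i < len(tok):
        if tok[i] == "eq":                      # named or numeric destination port
            ace["port"], i = {"smtp": 25, "www": 80}.get(tok[i + 1]) or int(tok[i + 1]), i + 2
        elif tok[i] == "established":
            ace["established"], i = True, i + 1
        else:
            raise ValueError("unsupported token: " + tok[i])
    return ace

def _addr_match(spec, addr):
    if spec[0] in ("any", "host"):
        return spec[0] == "any" or addr == spec[1]
    a, w, x = (int(ipaddress.IPv4Address(s)) for s in (spec[1], spec[2], addr))
    return (a & ~w) == (x & ~w)                 # wildcard bits are "don't care"

def evaluate(acl, pkt):
    """pkt keys: proto, src, dst, dport, ack. The first matching entry decides."""
    for ace in acl:
        if (ace["proto"] in ("ip", pkt["proto"])
                and _addr_match(ace["src"], pkt["src"]) and _addr_match(ace["dst"], pkt["dst"])
                and (ace["port"] is None or pkt["dport"] == ace["port"])
                and (not ace["established"] or pkt["ack"])):   # established: ACK/RST set
            return ace["action"]
    return "deny"                               # implicit deny any any at the end of every IOS ACL

ACL_102 = [parse_ace(l) for l in [             # the thread's final ACL plus the 'established' line
    "access-list 102 permit tcp any any established",
    "access-list 102 permit tcp host 192.168.5.100 any eq smtp",
    "access-list 102 deny tcp any any eq smtp",
    "access-list 102 permit ip any any"]]

def decide(src, dport, ack=False, acl=ACL_102):
    """Verdict for a constructed TCP packet entering FastEthernet0/0 (seen before NAT)."""
    return evaluate(acl, {"proto": "tcp", "src": src, "dst": "198.51.100.9", "dport": dport, "ack": ack})
```

Dropping the last `permit ip any any` (`acl=ACL_102[:3]`) makes ordinary web traffic from a workstation fall through to the implicit deny, which is the answer to the "isn't that redundant?" question above.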
 
LVL 2

Author Comment

by:corptech
ID: 22712179
I will keep that in mind.

Thanks
