gamutgroup asked:

Cisco 857W block outgoing smtp from all but mail server

I've had a look at the solution described in https://www.experts-exchange.com/questions/22083224/Cisco-Pix-515E-Block-outbound-SMTP.html, and it's *almost* working but not quite. We have a similar situation in that some user has managed to infect at least one PC with a spambot. Worst of all, it doesn't appear to have been found yet, so it's still spamming away. We want to both block current attempts, and provide a framework to stop it happening in future.

I've implemented the following access list, but it's currently blocking all outgoing SMTP, regardless of the source. The lines I'm putting in are as follows:

access-list 100 permit tcp 192.168.200.200 0.0.0.0 any eq smtp
access-list 100 deny tcp any any eq smtp
access-list 100 permit ip any any
int dialer 0
ip access-group 100 out

However, after implementing this, looking at the show access-list shows all outgoing is blocked, and attempts to use SMTP out are blocked. I am a Cisco novice (the router was put in place by a 3rd party tech who has said he doesn't know how to do this). Can anyone help me with what I am missing?

The result from a show access-list is as follows:
Extended IP access list 100
    10 permit tcp host 192.168.200.200 any eq smtp
    20 deny tcp any any eq smtp (21 matches)
    30 permit ip any any (69 matches)
memo_tnt

hi

apply the access group (outbound) to your internal interface ??
or
int dialer 0
ip access-group 100 in

BR
gamutgroup (ASKER)

Just tried that. It ends up allowing SMTP from all PCs in the office. (I'm assuming that you mean for me to remove the "out" version from the interface first?)
memo_tnt

YES
gamutgroup (ASKER)

I'm just thinking, is the problem that I'm applying the access list to the wrong interface? Perhaps I need to apply it at the LAN side, rather than on the dialer. The question is, how do I apply it to the LAN side? I've done a heck of a lot of googling etc., but, like much documentation you seem to find, the answers all seem to assume a certain level of knowledge, and don't seem to include the basic steps or information.

Is there an interface that I can specify that will be on the LAN side, e.g. the interface which has the LAN IP of the router? I see fast ethernet ports, but I assume they're the four ports on the router itself, which leaves me with quite a few VLANs etc.
memo_tnt

check these comments about this issue:

https://www.experts-exchange.com/questions/24069551/Inbound-outbound-ACL.html

Please advise; does it work OK when you apply the ACL as I posted before ??

BR
gamutgroup (ASKER)

I have read that post, and while it is helping me to understand how the filter is applied, it doesn't really seem to provide me any pointers as to my specific situation.

My questions are:
1. Why, when I put the above access list on the dialer 0 interface (out), does it block all SMTP? From what I can see, the rule should allow IP 192.168.200.200 out.
2. If I put the access list on dialer 0 (in), it blocks nothing. Why would that be?
3. When I tried putting the access list on the vlan 1 interface (which has the description "customer lan interface"), it does nothing. I've tried with both in and out options (removing the previous access-group assignment first).
4. How do I decide what interface I should be applying this access list to?

I'm frustrated at the person who put the router in in the first place (3rd party) since they don't know how to do what seems like it should be quite simple. I can see how the Cisco is meant to work, and I understand the basic concepts for what seems like it should be a simple access list, and yet I'm failing somewhere in the application. I've wasted over 5 hours trying to put a simple rule into a router that on several other models we deal with I could have had in place in 5 minutes.

memo_tnt

Hi

Please explain what you mean by this:

access-list 100 permit tcp 192.168.200.200 0.0.0.0 any eq smtp

??
gamutgroup (ASKER)

I'm trying to allow the mail server (IP 192.168.200.200) to be the only PC in the network allowed to send SMTP traffic. From the thread I linked in my original post, this was how it was described to set up the access-list. I have the command set PDF downloaded, and I set up the extended access-list the way it was described.

As I stated, I'm no expert in Cisco configuration; I'd rather not have to do this but the company who provided the router to our client doesn't know how to do this. If my original access-list definition is wrong, then please tell me what it should read. I just want to get this issue resolved and the client running again.

The goal:
1. Block all outgoing SMTP traffic from all PCs (except the mail server) on the LAN.
2. Enable the mail server (IP 192.168.200.200) to be the only computer on the LAN to send SMTP data.

ASKER CERTIFIED SOLUTION
memo_tnt

gamutgroup (ASKER)

When I try to use the "inside" part of the command, I receive the "Invalid Input detected" and the marker points to the "S" in "inside".
memo_tnt

I meant your inside interface,
maybe ethernet 0 or fastether0 ??

BR
gamutgroup (ASKER)

There are four fast ethernet ports (0/1/2/3) and two of them show as active. However, using the sh interface brief only has an IP address assigned to the dialer interface, even though the router definitely has an IP address. (It's acting as a gateway, and I can ping it or try to access it via a web browser.)
memo_tnt

Please post your current running config.

???

The inside interface should be:

!
interface Vlan1
ip access-group 100 in
gamutgroup (ASKER)

I've managed to get this working, as far as I can tell. The inside interface was BVI1 (whatever that is), and using your above structure appears to have correctly implemented the block. The mail server is able to send mail, and other PCs in the network are unable to.

For reference, I used the SH IP INT BRIEF command to list all the interfaces and find the one that had the LAN IP. (must have hit the wrong key and cut the listing short last time I did it)
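As an added example that is not part of this thread: a small Python model of where Cisco IOS evaluates an ACL relative to NAT, showing why ACL 100 blocked all SMTP when applied outbound on Dialer0, blocked nothing inbound on Dialer0, and worked inbound on the inside interface (BVI1). The public NAT address, the remote mail host, the ephemeral port and the second LAN host are constructed values.

```python
from ipaddress import ip_address

MAIL_SERVER = "192.168.200.200"
PUBLIC_IP = "203.0.113.10"     # constructed: the NAT overload address on Dialer0

# ACL 100 exactly as posted: (action, protocol, source, destination, dest port)
ACL_100 = [
    ("permit", "tcp", "192.168.200.200 0.0.0.0", "any", 25),
    ("deny", "tcp", "any", "any", 25),
    ("permit", "ip", "any", "any", None),
]

def _matches(spec, addr):
    """Cisco 'any' or 'address wildcard'; wildcard 0.0.0.0 means one host."""
    if spec == "any":
        return True
    base, wild = spec.split()
    care = ~int(ip_address(wild)) & 0xFFFFFFFF   # wildcard 0-bits must match
    return int(ip_address(base)) & care == int(ip_address(addr)) & care

def acl_action(acl, pkt):
    """First matching entry wins; IOS ends every ACL with an implicit deny."""
    for action, proto, src, dst, dport in acl:
        if proto not in ("ip", pkt["proto"]):
            continue
        if dport is not None and pkt["dport"] != dport:
            continue
        if _matches(src, pkt["src"]) and _matches(dst, pkt["dst"]):
            return action
    return "deny"

def outbound_smtp(src):
    """A LAN host opening TCP/25 to a constructed Internet mail host."""
    return {"proto": "tcp", "src": src, "dst": "198.51.100.25", "dport": 25}

def evaluate(placement, pkt):
    """Verdict for a LAN->Internet SMTP flow at each placement the asker tried.
    IOS order for inside->outside traffic: inbound ACL on the inside interface,
    then NAT, then outbound ACL on the outside interface."""
    if placement == "bvi1 in":        # pre-NAT: the real LAN source is visible
        return acl_action(ACL_100, pkt)
    if placement == "dialer0 out":    # post-NAT: every host now looks like PUBLIC_IP
        return acl_action(ACL_100, dict(pkt, src=PUBLIC_IP))
    if placement == "dialer0 in":     # only the server's reply arrives here, and
        reply = {"proto": "tcp", "src": pkt["dst"], "dst": PUBLIC_IP,
                 "dport": 51000}      # its destination is a constructed ephemeral port
        return acl_action(ACL_100, reply)
    raise ValueError(placement)
```

Calling evaluate() for each placement with outbound_smtp(MAIL_SERVER) and outbound_smtp() for another LAN host reproduces the three behaviours reported in the thread: only "bvi1 in" permits the mail server while denying the other host.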