gamutgroup (Australia) asked:

Cisco 857W block outgoing smtp from all but mail server

I've had a look at the solution described in https://www.experts-exchange.com/Security/Software_Firewalls/Q_22083224.html, and it's *almost* working but not quite. We have a similar situation in that some user has managed to infect at least one PC with a spambot. Worst of all, it doesn't appear to have been found yet, so it's still spamming away. We want to both block current attempts, and provide a framework to stop it happening in future.

I've implemented the following access list, but it's currently blocking all outgoing SMTP, regardless of the source. The lines I'm putting in are as follows:

access-list 100 permit tcp 192.168.200.200 0.0.0.0 any eq smtp
access-list 100 deny tcp any any eq smtp
access-list 100 permit ip any any
int dialer 0
ip access-group 100 out

However, after implementing this, looking at the show access-list shows all outgoing is blocked, and attempts to use SMTP out are blocked. (I am a Cisco novice; the router was put in place by a 3rd-party tech who has said he doesn't know how to do this.) Can anyone help me with what I am missing?

The result from a show access-list is as follows:
Extended IP access list 100
    10 permit tcp host 192.168.200.200 any eq smtp
    20 deny tcp any any eq smtp (21 matches)
    30 permit ip any any (69 matches)
Topics: Software Firewalls, Routers

Last comment: gamutgroup, 8/22/2022 (Mon)
memo_tnt

Hi,

Apply the access group (outbound) to your internal interface?
Or:
int dialer 0
ip access-group 100 in

BR
ASKER
gamutgroup

Just tried that. It ends up allowing SMTP from all PCs in the office. (I'm assuming that you mean for me to remove the "out" version from the interface first?)
memo_tnt

YES
ASKER
gamutgroup

I'm just thinking, is the problem that I'm applying the access list to the wrong interface? Perhaps I need to apply it at the LAN side, rather than on the dialer. The question is, how do I apply it to the LAN side? I've done a heck of a lot of googling etc., but, like much documentation you seem to find, the answers all seem to assume a certain level of knowledge, and don't seem to include the basic steps or information.

Is there an interface that I can specify that will be on the LAN side, e.g. the interface which has the LAN IP of the router? I see fast ethernet ports, but I assume they're the four ports on the router itself, which leaves me with quite a few VLANs etc.
memo_tnt

Check these comments about this issue:

https://www.experts-exchange.com/Hardware/Networking_Hardware/Routers/Q_24069551.html

Please advise: does it work OK when you apply the ACL as I posted before?


BR
ASKER
gamutgroup

I have read that post, and while it is helping me to understand how the filter is applied, it doesn't really seem to provide me any pointers as to my specific situation.

My questions are:
1. Why, when I put the above access list on dialer 0 interface (out) does it block all SMTP? From what I can see, the rule should allow IP 192.168.200.200 out.
2. If I put the access list on dialer 0 (in) it blocks nothing. Why would that be?
3. I tried putting the access list on the vlan 1 interface (which has the description "customer lan interface"); it does nothing. I've tried with both in and out options (removing the previous access-group assignment first).
4. How do I decide what interface I should be applying this access list to?

I'm frustrated at the person who put the router in in the first place (3rd party) since they don't know how to do what seems like it should be quite simple. I can see how the Cisco is meant to work, and I understand the basic concepts for what seems like it should be a simple access list, and yet I'm failing somewhere in the application. I've wasted over 5 hours trying to put a simple rule into a router that on several other models we deal with I could have had in place in 5 minutes.

memo_tnt

Hi

Please explain what you mean by this:

access-list 100 permit tcp 192.168.200.200 0.0.0.0 any eq smtp

??
ASKER
gamutgroup

I'm trying to allow the mail server (IP 192.168.200.200) to be the only PC in the network to be allowed to send SMTP traffic.  From the thread I linked in my original post, this was how it was described to set up the access-list. I have the command set PDF downloaded, and I set up the extended access-list the way it was described.

As I stated, I'm no expert in Cisco configuration; I'd rather not have to do this but the company who provided the router to our client doesn't know how to do this. If my original access-list definition is wrong, then please tell me what it should read. I just want to get this issue resolved and the client running again.

The goal:
1. Block all outgoing SMTP traffic from all PCs (except the mail server) on the LAN.
2. Enable the mail server (IP 192.168.200.200) to be the only computer on the LAN to send SMTP data.

ASKER CERTIFIED SOLUTION
memo_tnt

(accepted answer text not available on this page)
ASKER
gamutgroup

When I try to use the "inside" part of the command, I receive the "Invalid Input detected" and the marker points to the "S" in "inside".
memo_tnt

I meant your inside interface;
maybe ethernet 0 or fastethernet 0?

BR
ASKER
gamutgroup

There's four fast ethernet ports, (0/1/2/3) and two of them show as active. However, using the sh interface brief only has an IP address assigned to the dialer interface, even though the router definitely has an IP address. (It's acting as a gateway, and I can ping it or try to access it via a web browser)
memo_tnt

Please post your current running config.


inside interface  should be:

!
interface Vlan1
ip access-group 100 in
ASKER
gamutgroup

I've managed to get this working, as far as I can tell. The inside interface was BVI1 (whatever that is), and using your above structure appears to have correctly implemented the block. The mail server is able to send mail, and other PCs in the network are unable to.

For reference, I used the SH IP INT BRIEF command to list all the interfaces and find the one that had the LAN IP. (must have hit the wrong key and cut the listing short last time I did it)
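Pulling the thread together, here is a complete worked configuration for the policy the asker wanted. It is an added example, not the original poster's or memo_tnt's configuration. It assumes the LAN-side Layer 3 interface is BVI1 (as the asker found with "show ip interface brief"), the mail server is 192.168.200.200, and the WAN is Dialer0 running NAT overload; the ACL name LAN-EGRESS is chosen here for readability, and the numbered list 100 from the thread would behave identically. It also answers the asker's questions 1, 2 and 4: on IOS, an ACL applied "out" on the WAN interface is evaluated after NAT, so every packet already carries the public Dialer0 address and the "permit host 192.168.200.200" line can never match, which is why all SMTP was denied; an ACL "in" on Dialer0 only inspects traffic arriving from the Internet, which is why it blocked nothing; and Vlan1 on this router is a bridge member, so the IP address and the filtering point are on BVI1.

```cisco
! Added example (not the thread's own config). Assumptions: LAN interface is
! BVI1, mail server is 192.168.200.200, WAN is Dialer0 with NAT overload.
!
! Filter INBOUND on the LAN interface: packets are inspected before NAT, so the
! private source address is still visible and the host-specific permit works.
!
ip access-list extended LAN-EGRESS
 remark Only the mail server may open SMTP sessions to the outside
 permit tcp host 192.168.200.200 any eq smtp
 remark Log everything else aimed at TCP/25 so the spambot host can be located
 deny   tcp any any eq smtp log
 remark Everything else on the LAN is unaffected
 permit ip any any
!
interface BVI1
 description customer LAN interface
 ip access-group LAN-EGRESS in
!
! Make the deny log lines useful for finding the infected PC
service timestamps log datetime msec localtime
logging buffered 16384 informational
!
! Verification (exec mode):
!   show ip interface brief            -> confirm which interface holds the LAN IP
!   show access-lists LAN-EGRESS       -> hit counters on the permit and deny lines
!   show logging | include LAN-EGRESS  -> one line per denied flow, of the form
!     %SEC-6-IPACCESSLOGP: list LAN-EGRESS denied tcp 192.168.200.57(49211) -> 203.0.113.25(25), 1 packet
!   (192.168.200.57 and 203.0.113.25 are made-up addresses for illustration;
!    the real source address is the PC to clean up)
```

The "log" keyword on the deny line is the part that addresses the asker's other problem, the spambot that "doesn't appear to have been found yet": the first logged source address that is not the mail server is the infected machine. Logging costs CPU on a small router, so if a busy spambot generates a flood of entries, "logging rate-limit" keeps the console usable. If the infected host later switches to the submission ports (TCP 465 or 587), the same deny-with-log pattern can be extended to those ports, but only after checking that no LAN client legitimately uses them.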