Solved

Block port 25 on Cisco 1811 router

Posted on 2009-02-09
Last Modified: 2012-05-06
Hi !

I would like to block traffic from inside to outside on port 25 except from 2 machines.

I already did the best I could myself but it's not working

Here's a copy of my running config.

Router is : Cisco1811
Inside interface is : Vlan1
Outside Interface is : FastEthernet0

!This is the running config of the router: 10.10.10.1
!----------------------------------------------------------------------------
!version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Cisco1811
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 warnings
enable secret 5 $1$b6A8$U0SgPxLNF9aj9yXQkh7zK1
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication login sdm_vpn_xauth_ml_2 local
aaa authorization exec default local 
aaa authorization network sdm_vpn_group_ml_1 local 
aaa authorization network sdm_vpn_group_ml_2 local 
!
aaa session-id common
!
resource policy
!
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
no ip source-route
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1 10.10.10.99
!
ip dhcp pool sdm-pool1
   import all
   network 10.10.10.0 255.255.255.0
   dns-server 10.10.10.7 
   default-router 10.10.10.1 
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name domainname.ca
ip name-server 24.201.245.77
ip name-server 24.200.241.37
ip inspect audit-trail
ip inspect name SDM_LOW appfw SDM_LOW
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
!
appfw policy-name SDM_LOW
  application http
!
!
crypto pki trustpoint TP-self-signed-1133324299
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1133324299
 revocation-check none
 rsakeypair TP-self-signed-1133324299
!
!
crypto pki certificate chain TP-self-signed-1133324299
 certificate self-signed 01
  30820254 308201BD A0030201 02020101 300D0609 2A864886 F70D0101 04050030 
  quit
username mlebel privilege 15 secret 5
 
!
! 
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 group 2
!
crypto isakmp policy 9
 hash md5
 authentication pre-share
crypto isakmp key my-key address an.ip.address.here no-xauth
!
crypto isakmp client configuration group vpnbase
 key vpn-key
 dns 10.10.10.7
 pool SDM_POOL_2
 acl 103
 save-password
 split-dns umcb.local
 max-users 9
 netmask 255.255.255.0
 banner ^CBienvenu sur le Réseau Privé Virtuel (VPN) d'Urgence Médicale Code Bleu.
Welcome to the Urgence Médicale Code Bleu Virtual Private Network.
Ce VPN est disponible pour les usagés autorisés seulement.
Authorized users only.
 
Le département des technologies de l'information va enregistrer votre session VPN.
Your VPN session will be monitored by the IT department.
www.urgencemedicale.ca
----------------    ^C
crypto isakmp profile sdm-ike-profile-1
   match identity group vpnbase
   client authentication list sdm_vpn_xauth_ml_2
   isakmp authorization list sdm_vpn_group_ml_2
   client configuration address respond
   virtual-template 2
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set transform-set-martin esp-3des esp-md5-hmac 
!
crypto ipsec profile SDM_Profile1
 set security-association lifetime seconds 3600
 set transform-set ESP-3DES-SHA 
 set isakmp-profile sdm-ike-profile-1
!
!
crypto map crypto-map-martin 10 ipsec-isakmp 
 set peer an.ip.address.here
 set transform-set transform-set-martin 
 match address 109
!
!
!
!
interface Null0
 no ip unreachables
!
interface FastEthernet0
 description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$
 ip address my.static.ip.address 255.255.255.248
 ip access-group 101 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 ip nat outside
 ip inspect SDM_LOW out
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1450
 duplex auto
 speed auto
 crypto map crypto-map-martin
!
interface FastEthernet1
 description $ETH-WAN$
 ip address 69.70.172.26 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 crypto map crypto-map-martin
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Virtual-Template2 type tunnel
 description VPN Des Employés
 ip unnumbered FastEthernet0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SDM_Profile1
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$ES_LAN$$FW_INSIDE$
 ip address 10.10.10.1 255.255.255.0
 ip access-group sdm_vlan1_in in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1350
!
interface Vlan2
 ip address 10.10.100.1 255.255.255.0
 ip access-group 100 in
 ip nat inside
 ip virtual-reassembly
!
interface Async1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation slip
!
ip local pool SDM_POOL_1 10.10.10.90 10.10.10.99
ip local pool SDM_POOL_2 10.10.20.30 10.10.20.39
ip route 0.0.0.0 0.0.0.0 69.70.158.201
!
!
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static tcp 10.10.10.5 995 interface FastEthernet0 995
ip nat inside source static tcp 10.10.10.5 443 interface FastEthernet0 443
ip nat inside source static tcp 10.10.10.5 110 interface FastEthernet0 110
ip nat inside source static tcp 10.10.10.5 80 interface FastEthernet0 80
ip nat inside source static tcp 10.10.10.6 3389 interface FastEthernet0 3333
ip nat inside source static tcp 10.10.10.6 4444 interface FastEthernet0 4444
ip nat inside source static udp 10.10.10.14 10000 interface FastEthernet0 10000
ip nat inside source static tcp 10.10.10.127 3389 interface FastEthernet0 1234
ip nat inside source static tcp 10.10.10.165 3389 interface FastEthernet0 1235
ip nat inside source static tcp 10.10.10.145 3389 interface FastEthernet0 1236
ip nat inside source static tcp 10.10.10.231 3389 interface FastEthernet0 1237
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0 overload
!
ip access-list extended sdm_vlan1_in
 remark auto generated by SDM firewall configuration
 remark SDM_ACL Category=1
 remark Allow sending mail from Exchange
 permit tcp host 10.10.10.5 eq smtp any
 remark Allow sending mail from the VPS
 permit tcp host 10.10.10.4 eq smtp any
 remark Restrict SMTP traffic
 deny   tcp any eq smtp any
 deny   ip 69.70.158.200 0.0.0.3 any
 deny   ip host 255.255.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 permit ip any any
!
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 2 remark HTTP Access-class list
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 10.10.10.0 0.0.0.255
access-list 2 permit any
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip 69.70.158.200 0.0.0.3 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit ip 10.10.40.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 101 permit udp host 66.129.159.234 host my.static.ip.address eq non500-isakmp
access-list 101 permit udp host 66.129.159.234 host my.static.ip.address eq isakmp
access-list 101 permit esp host 66.129.159.234 host my.static.ip.address
access-list 101 permit ahp host 66.129.159.234 host my.static.ip.address
access-list 101 permit udp any host my.static.ip.address eq non500-isakmp
access-list 101 permit udp any host my.static.ip.address eq isakmp
access-list 101 permit esp any host my.static.ip.address
access-list 101 permit ahp any host my.static.ip.address
access-list 101 permit udp any host my.static.ip.address eq 10000
access-list 101 permit tcp any host my.static.ip.address eq www
access-list 101 permit tcp any host my.static.ip.address eq 995
access-list 101 permit tcp any host my.static.ip.address eq pop3
access-list 101 permit tcp any host my.static.ip.address eq 3333
access-list 101 permit tcp any host my.static.ip.address eq 4444
access-list 101 permit tcp any host my.static.ip.address eq 3389
access-list 101 permit tcp any host my.static.ip.address eq 1234
access-list 101 permit tcp any host my.static.ip.address eq 1235
access-list 101 permit tcp any host my.static.ip.address eq 1236
access-list 101 permit tcp any host my.static.ip.address eq 1237
access-list 101 permit tcp any host my.static.ip.address eq 3369
access-list 101 permit tcp any host my.static.ip.address eq 443
access-list 101 permit udp host 24.200.241.37 eq domain host my.static.ip.address
access-list 101 permit udp host 24.201.245.77 eq domain host my.static.ip.address
access-list 101 deny   ip 10.10.10.0 0.0.0.255 any
access-list 101 permit icmp any host my.static.ip.address echo-reply
access-list 101 permit icmp any host my.static.ip.address time-exceeded
access-list 101 permit icmp any host my.static.ip.address unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any log
access-list 102 remark VTY Access-class list
access-list 102 remark SDM_ACL Category=1
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
access-list 102 deny   ip any any
access-list 103 remark SDM_ACL Category=4
access-list 103 permit ip 10.10.10.0 0.0.0.255 any
access-list 109 permit ip 10.10.10.0 0.0.0.255 10.10.40.0 0.0.0.255
access-list 110 remark Split Tunnel For VPN
access-list 110 remark SDM_ACL Category=1
access-list 110 permit ip 10.10.10.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 110 remark 2
access-list 110 permit ip any any
access-list 121 remark SDM_ACL Category=16
access-list 121 deny   ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
access-list 121 deny   ip 10.10.10.0 0.0.0.255 10.10.40.0 0.0.0.255
access-list 121 permit ip 10.10.10.0 0.0.0.255 any
no cdp run
!
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 121
!
!
!
!
control-plane
!
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 transport output telnet
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
 transport output telnet
line vty 0 4
 access-class 102 in
 transport input telnet ssh
line vty 5 15
 access-class 102 in
 transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end

Question by:martinlebel
7 Comments
 
LVL 16

Expert Comment

by:SteveJ
ID: 23593774
Do you mean that you only want 2 machines on the inside to be able to go to a port 25 on the outside?

Good luck,
SteveJ
 

Author Comment

by:martinlebel
ID: 23593872
Yes.
Is your good luck a way to tell me it's impossible to do ?
 
LVL 16

Expert Comment

by:SteveJ
ID: 23593944
Har! No. Just a general "good luck".

So you want only 10.10.10.4 and 10.10.10.5 to have connections to the outside world on TCP port 25.  I see your entries in the access list but I don't see that access list applied to an interface? Am I scanning your config too quickly?

Steve

Author Comment

by:martinlebel
ID: 23594483
It may be possible that the access list is not applied to my interface. I'm not a Cisco expert, so I didn't know I had to do this step.

Can you show me how to do it please?
 
LVL 16

Expert Comment

by:SteveJ
ID: 23595092
I scanned your config too quickly. The access list is applied to the VLAN1 interface. So, what's the result? I am guessing that if you are posting here it isn't working?

I have to leave, I will check back tomorrow. Sorry I can't be of more help today.

Steve
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 32997143
Hi, the config seems good....
 
LVL 14

Accepted Solution

by:
anoopkmr earned 2000 total points
ID: 33231750

Just change your inside access list to this and see:

ip access-list extended sdm_vlan1_in
permit tcp host 10.10.10.5  any eq smtp
permit tcp host 10.10.10.4  any eq smtp

Before adding the above lines, first delete those entries.
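An added example, not from the thread: a small Python evaluator for the extended-ACL syntax used in sdm_vlan1_in, run over the SMTP entries as posted and as corrected against the same outbound mail connection, to show why moving the port qualifier matters. The deny entry uses the same source-port form as the permits and is corrected the same way; the destination address 203.0.113.25 and the ephemeral source port are constructed values.

```python
# Added example (not from the thread): a minimal first-match evaluator for the
# extended-ACL syntax used in sdm_vlan1_in, showing why "host X eq smtp any" tests the
# SOURCE port (ephemeral on outbound mail) while "host X any eq smtp" tests the DESTINATION port.
import ipaddress

PORT_NAMES = {"smtp": 25, "www": 80, "pop3": 110}

def _addr(tok):
    """Consume one address spec (any | host A | NET WILDCARD); return a matcher."""
    t = tok.pop(0)
    if t == "any":
        return lambda ip: True
    if t == "host":
        h = int(ipaddress.ip_address(tok.pop(0)))
        return lambda ip: int(ip) == h
    net, wild = int(ipaddress.ip_address(t)), int(ipaddress.ip_address(tok.pop(0)))
    return lambda ip: (int(ip) | wild) == (net | wild)

def _port(tok):
    """Consume an optional 'eq <port>' qualifier; None means any port."""
    if not tok or tok[0] != "eq":
        return None
    _, name = tok.pop(0), tok.pop(0)
    return PORT_NAMES.get(name) or int(name)

def parse_acl(text):
    """Parse 'permit|deny <proto> <src> [eq P] <dst> [eq P]' lines; skip remarks."""
    acl = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] == "remark":
            continue
        action, proto, rest = tok[0], tok[1], tok[2:]
        src, sport = _addr(rest), _port(rest)
        dst, dport = _addr(rest), _port(rest)
        acl.append((action, proto, src, sport, dst, dport))
    return acl

def evaluate(acl, proto, src, sport, dst, dport):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, sm, sp, dm, dp in acl:
        if p in ("ip", proto) and sm(s) and dm(d) and sp in (None, sport) and dp in (None, dport):
            return action
    return "deny"

def smtp_acl(fixed):
    """The SMTP entries as posted (port qualifier on the source) or corrected
    (qualifier on the destination); the same change is applied to the deny line."""
    q = "any eq smtp" if fixed else "eq smtp any"
    return "\n".join(["permit tcp host 10.10.10.5 " + q, "permit tcp host 10.10.10.4 " + q,
                      "deny   tcp any " + q, "permit ip any any"])
```

With the posted form, an outbound SMTP connection from any other LAN host (source port ephemeral, destination port 25) falls through to "permit ip any any"; with the corrected form it is denied while web traffic from the same host still passes.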
