Solved

Cisco and restricting SMTP access

Posted on 2009-05-18
8
489 Views
Last Modified: 2012-06-27
Dear all,
I am not a Cisco expert and that is why I would like to have your help in order to try to solve a very serious issue I am facing right now.
In one of the companies I support there is a DSL connection using one static IP in order to allow incoming and outgoing access for users and servers to the Internet.
During last week I got a call from some users reporting that they have trouble sending emails to the Internet. During the troubleshooting for this issue I discovered that the specific IP was banned by CBL because it was reported as a SPAM address.
The reason for the ban was a Trojan whose name, unfortunately, I cannot remember!
The email server (Windows 2003 Enterprise R2 SP2, Exchange Server 2003) is properly protected with antivirus (MS Forefront) and after a scan I did with SpyBot, Malwarebytes and Microsoft Malicious Software Removal Tools it was clean of any malware or Trojan.
The next step was to scan the users' workstations; most of them were clear and all malware found was removed.
What I would like to do is to block all internal IPs sending email to the Internet except the one from the email server.
Using SDM and NAT, I blocked, or at least I think that I blocked, all internal IPs from using port 25 except the one of the email server.
The DSL connection is made using a Cisco 876 with IOS Version: 12.4(11)T1.
I have attached the Cisco's configuration in order to give a clearer idea of the configuration of my router.
Is there any other way to see which computer is trying to send email?
Thank you very much in advance.
Nikos

Current configuration : 6802 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname xxx.xxxxxxx.gr
!
boot-start-marker
boot system flash:c870-advipservicesk9-mz.124-11.T1.bin
boot-end-marker
!
logging buffered 51200 informational
enable secret 5 $1$7uVj$9hzVed/KrvtkMRRAsBXfG.
!
no aaa new-model
clock timezone GMT+2 2
clock summer-time PCTime date Mar 30 2003 3:00 Oct 26 2003 4:00
ip cef
!
!
!
!
ip domain name xxxxxxxxx.gr
ip name-server 10.X.X.248
ip name-server 10.X.X.254
!
multilink bundle-name authenticated
!
crypto pki trustpoint TP-self-signed-3225088414
 subject-name cn=IOS-Self-Signed-Certificate-3225088414
 revocation-check none
 rsakeypair TP-self-signed-3225088414
!
crypto pki trustpoint TP-self-signed-1226696483
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1226696483
 revocation-check none
 rsakeypair TP-self-signed-1226696483
!
crypto pki trustpoint test_trustpoint_config_created_for_sdm
 subject-name e=sdmtest@sdmtest.com
 revocation-check crl
!
!
crypto pki certificate chain TP-self-signed-3225088414
crypto pki certificate chain TP-self-signed-1226696483
 certificate self-signed 01
  30820255 308201BE A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 31323236 36393634 3833301E 170D3037 30373034 31343436
  34355A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  quit
crypto pki certificate chain test_trustpoint_config_created_for_sdm
!
!
username xxx privilege 15 password 7 xxxxxxxxxxx
username xxx privilege 15 secret 5 xxxxxxxxxxxxxxx
!
!
!
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key xxxxxxxx address xxx.xxx.xxx.xxx
!
!
crypto ipsec transform-set 5POINT-VPN esp-3des esp-md5-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel
 set peer xxx.xxx.xxx.xxx
 set transform-set 5POINT-VPN
 match address 100
!
!
!
!
interface Tunnel0
 description connection to xxx
 ip address 172.X.X.X 255.255.255.0
 ip mtu 1500
 tunnel source 62.X.XX.XX
 tunnel destination 213.XX.XXX.XX
 crypto map SDM_CMAP_1
!
interface BRI0
 description ISDN Backup Interface
 no ip address
 encapsulation hdlc
 shutdown
 no cdp enable
!
interface ATM0
 no ip address
 ip route-cache flow
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 description ATM Virtual Interface
 no snmp trap link-status
 pvc 8/35
  encapsulation aal5snap
  protocol ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
 description Ethernet Port 1
 no cdp enable
!
interface FastEthernet1
 description Ethernet Port 2
 no cdp enable
!
interface FastEthernet2
 description Ethernet Port 3
 no cdp enable
!
interface FastEthernet3
 description Ethernet Port 4
 no cdp enable
!
interface Vlan1
 description Connected To LAN$FW_INSIDE$
 ip address 10.X.X.1 255.XXX.XXX.0
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
!
interface Dialer0
 description Connected To Internet$FW_OUTSIDE$
 ip address 62.X.XX.XX 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname XXXX@XXXX.GR
 ppp chap password 7 XXXXXXX
 ppp pap sent-username XXXX@XXXX.GR password 7 XXXXXXXXX
!
router rip
 passive-interface Dialer0
 network 10.X.0.X
 no auto-summary
!
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 10.X.0.X 255.255.255.0 Tunnel0 permanent
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source list 150 interface Dialer0 overload
ip nat inside source static tcp 10.X.X.254 4777 interface Dialer0 4777
ip nat inside source static tcp 10.X.X.254 110 interface Dialer0 110
ip nat inside source static tcp 10.X.X.254 25 interface Dialer0 25
ip nat inside source static tcp 10.X.X.254 4899 interface Dialer0 4899
ip nat inside source static tcp 10.X.X.254 53 interface Dialer0 53
ip nat inside source static tcp 10.X.X.252 80 interface Dialer0 80
ip nat inside source static tcp 10.X.X.252 8080 interface Dialer0 8080
ip nat inside source static tcp 10.X.X.252 443 interface Dialer0 443
ip nat inside source static tcp 10.X.X.252 8888 interface Dialer0 8888
ip nat inside source static tcp 10.X.X.252 990 interface Dialer0 990
ip nat inside source static tcp 10.X.X.252 989 interface Dialer0 989
!
access-list 100 remark SDM_ACL Category=20
access-list 100 permit gre host 172.X.X.X host 213.XX.XXX.XX
access-list 150 remark LOCAL LAN
access-list 150 remark SDM_ACL Category=2
access-list 150 remark Permit Server_XXXX SMTP
access-list 150 permit ip host 10.X.X.254 any
access-list 150 remark SMTP Block
access-list 150 deny   tcp any eq smtp any eq smtp log
access-list 150 permit ip 10.X.X.0 0.0.0.255 any
dialer-list 1 protocol ip permit
no cdp run
!
!
!
!
control-plane
!
banner login ^CC
-----------------------------------------------------------------------
Unauthorised Access Strictly Prohibited
This Appliance Logs All Incoming And Outgoing Traffic
If You Are An Unauthorised User Disconnect Immediately!!
-----------------------------------------------------------------------
^C
!
line con 0
 no modem enable
 transport output telnet
line aux 0
 transport output all
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
 transport output telnet ssh
!
scheduler max-task-time 5000
ntp server 207.XX.XXX.XXX source Dialer0 prefer
end

Question by:gloec
8 Comments
 
LVL 43

Accepted Solution

by:
JFrederick29 earned 220 total points
What you are trying to do won't work.  I would use an access-list on the VLAN1 interface instead such as:

conf t
ip access-list ext inside-out
permit ip host 10.x.x.254 any   <--allow SMTP server
deny tcp any any eq 25 log   <--deny SMTP from any other host and "log" the attempt
permit ip any any  <--allow all other traffic

int vlan1
ip access-group inside-out in
0
 
LVL 6

Assisted Solution

by:Krisdeep
Krisdeep earned 80 total points
You can do two things

1) Set up top talkers in Cisco ADSM

2) Download Wireshark. What you do is connect your cable from the Cisco (ADSL modem) to the hub and connect a cable from your switch (network) to the hub. Also connect your laptop to the hub and run Wireshark to sniff the packets. The reason I used a hub is to broadcast the traffic so I can analyze it. I have used this method at client sites that did not have the top talkers functionality and successfully tracked down the trojans.

http://www.wireshark.org/
0
 
LVL 28

Assisted Solution

by:asavener
asavener earned 200 total points
Two problems:

1.  This line:  "access-list 150 deny   tcp any eq smtp any eq smtp log" is incorrect.  It should read "access-list 150 deny   tcp any any eq smtp log"  (You should not be matching against source port.)
2.  The access list 150 does not appear to be applied to an interface:
interface vlan1
ip access-group 150 in
0
 
LVL 28

Expert Comment

by:asavener
After this, the SMTP traffic should be logged.
0
 
LVL 4

Expert Comment

by:nasirsh
Should be like this

access-list 150 remark LOCAL LAN
access-list 150 remark SDM_ACL Category=2
access-list 150 remark Permit Server_XXXX SMTP
access-list 150 permit ip host 10.X.X.254 any
access-list 150 remark SMTP Block
access-list 150 permit ip any any
access-list 150 deny  tcp any any eq smtp  log

Hope this helps.
0
 
LVL 28

Expert Comment

by:asavener
Er... no.

In your example, the deny SMTP comes after permit all, so it won't deny anything.
0
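To make the three ACL variants in this thread comparable, here is an added first-match simulator of IOS extended-ACL evaluation (not code from the thread; the 10.0.0.x addresses are constructed stand-ins, and it models the ACL as applied on an interface with ip access-group, not as a NAT source list):

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Ace:
    action: str              # "permit" or "deny"
    proto: str               # "ip" (matches every protocol) or "tcp"
    src: str                 # a host address or "any"
    src_port: Optional[int]  # None means any source port
    dst_port: Optional[int]  # None means any destination port

def evaluate(acl: List[Ace], proto: str, src: str, sport: int, dport: int) -> str:
    """Return the action of the first entry that matches, else the implicit deny."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if ace.src != "any" and ace.src != src:
            continue
        if ace.src_port is not None and ace.src_port != sport:
            continue
        if ace.dst_port is not None and ace.dst_port != dport:
            continue
        return ace.action
    return "deny"  # every IOS ACL ends with an implicit deny

MAIL_SERVER = "10.0.0.254"  # constructed stand-in for 10.X.X.254 on the page
WORKSTATION = "10.0.0.37"   # constructed LAN host that should not send SMTP

# Question's ACL 150: "deny tcp any eq smtp any eq smtp" also requires source port 25.
ORIGINAL = [
    Ace("permit", "ip", MAIL_SERVER, None, None),
    Ace("deny", "tcp", "any", 25, 25),
    Ace("permit", "ip", "any", None, None),
]
# asavener's correction: "deny tcp any any eq smtp" (destination port only).
CORRECTED = [
    Ace("permit", "ip", MAIL_SERVER, None, None),
    Ace("deny", "tcp", "any", None, 25),
    Ace("permit", "ip", "any", None, None),
]
# nasirsh's ordering: "permit ip any any" placed before the deny.
PERMIT_FIRST = [
    Ace("permit", "ip", MAIL_SERVER, None, None),
    Ace("permit", "ip", "any", None, None),
    Ace("deny", "tcp", "any", None, 25),
]

def outbound_smtp(acl: List[Ace], src: str) -> str:
    # A client opening an SMTP session uses an ephemeral source port, never 25.
    return evaluate(acl, "tcp", src, 49152, 25)
```

Only CORRECTED denies a workstation's outbound SMTP while still permitting the mail server; ORIGINAL never matches because the source port is not 25, and PERMIT_FIRST permits everything before the deny is reached.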
 

Author Comment

by:gloec
I would like to thank you all for your replies. I made the corrections to the access list, and the matches I got for SMTP are only from the mail server. I also enabled the top talkers feature and I would like to ask where I could find a reference for the protocol numbers I get.
Thank you very much in advance.
0
 
LVL 43

Assisted Solution

by:JFrederick29
JFrederick29 earned 220 total points
0
