Solved

Cisco and restricting SMTP access

Posted on 2009-05-18
507 Views
Last Modified: 2012-06-27
Dear all,
I am not a Cisco expert and that is why I would like to have your help in order to try to solve a very serious issue I am facing right now.
In one of the companies I support there is a DSL connection using one static IP in order to allow incoming and outgoing access for users and servers to the Internet.
During the last week I got a call from some users reporting that they have trouble sending emails to the Internet. During the troubleshooting for this issue I discovered that the specific IP was banned by CBL because it was reported as a SPAM address.
The reason for the ban was a Trojan whose name, unfortunately, I cannot remember!
The email server (Windows 2003 Enterprise R2 SP2, Exchange Server 2003) is properly protected with antivirus (MS Forefront) and after a scan I did with SpyBot, Malwarebytes and the Microsoft Malicious Software Removal Tool it was clean of any malware or Trojan.
The next step was to scan users' workstations; most of them were clean and all malware found was removed.
What I would like to do is to block all internal IPs sending email to the Internet except the one from the email server.
Using SDM and NAT, I blocked, or at least I think that I blocked, all internal IPs from using port 25 except the one of the email server.
The DSL connection is made using a Cisco 876 with IOS Version: 12.4(11)T1.
I have attached the Cisco's configuration in order to give a clearer idea of the configuration of my router.
Is there any other way in order to see which computer is trying to send email?
Thank you very much in advance.
Nikos

Current configuration : 6802 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname xxx.xxxxxxx.gr
!
boot-start-marker
boot system flash:c870-advipservicesk9-mz.124-11.T1.bin
boot-end-marker
!
logging buffered 51200 informational
enable secret 5 $1$7uVj$9hzVed/KrvtkMRRAsBXfG.
!
no aaa new-model
clock timezone GMT+2 2
clock summer-time PCTime date Mar 30 2003 3:00 Oct 26 2003 4:00
ip cef
!
!
!
!
ip domain name xxxxxxxxx.gr
ip name-server 10.X.X.248
ip name-server 10.X.X.254
 
!
multilink bundle-name authenticated
!
crypto pki trustpoint TP-self-signed-3225088414
 subject-name cn=IOS-Self-Signed-Certificate-3225088414
 revocation-check none
 rsakeypair TP-self-signed-3225088414
!
crypto pki trustpoint TP-self-signed-1226696483
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1226696483
 revocation-check none
 rsakeypair TP-self-signed-1226696483
!
crypto pki trustpoint test_trustpoint_config_created_for_sdm
 subject-name e=sdmtest@sdmtest.com
 revocation-check crl
!
!
crypto pki certificate chain TP-self-signed-3225088414
crypto pki certificate chain TP-self-signed-1226696483
 certificate self-signed 01
  30820255 308201BE A0030201 02020101 300D0609 2A864886 F70D0101 04050030 
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274 
  69666963 6174652D 31323236 36393634 3833301E 170D3037 30373034 31343436 
  34355A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649 
 
  quit
crypto pki certificate chain test_trustpoint_config_created_for_sdm
!
!
username xxx privilege 15 password 7 xxxxxxxxxxx
username xxx privilege 15 secret 5 xxxxxxxxxxxxxxx
!
! 
!
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key xxxxxxxx address xxx.xxx.xxx.xxx
!
!
crypto ipsec transform-set 5POINT-VPN esp-3des esp-md5-hmac 
!
crypto map SDM_CMAP_1 1 ipsec-isakmp 
 description Tunnel
 set peer xxx.xxx.xxx.xxx
 set transform-set 5POINT-VPN 
 match address 100
!
!
!
!
interface Tunnel0
 description connection to xxx
 ip address 172.X.X.X 255.255.255.0
 ip mtu 1500
 tunnel source 62.X.XX.XX
 tunnel destination 213.XX.XXX.XX
 crypto map SDM_CMAP_1
!
interface BRI0
 description ISDN Backup Interface
 no ip address
 encapsulation hdlc
 shutdown
 no cdp enable
!
interface ATM0
 no ip address
 ip route-cache flow
 no atm ilmi-keepalive
 dsl operating-mode auto 
!
interface ATM0.1 point-to-point
 description ATM Virtual Interface
 no snmp trap link-status
 pvc 8/35 
  encapsulation aal5snap
  protocol ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
 description Ethernet Port 1
 no cdp enable
!
interface FastEthernet1
 description Ethernet Port 2
 no cdp enable
!
interface FastEthernet2
 description Ethernet Port 3
 no cdp enable
!
interface FastEthernet3
 description Ethernet Port 4
 no cdp enable
!
interface Vlan1
 description Connected To LAN$FW_INSIDE$
 ip address 10.X.X.1 255.XXX.XXX.0
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
!
interface Dialer0
 description Connected To Internet$FW_OUTSIDE$
 ip address 62.X.XX.XX 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname XXXX@XXXX.GR
 ppp chap password 7 XXXXXXX
 ppp pap sent-username XXXX@XXXX.GR password 7 XXXXXXXXX
!
router rip
 passive-interface Dialer0
 network 10.X.0.X
 no auto-summary
!
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 10.X.0.X 255.255.255.0 Tunnel0 permanent
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source list 150 interface Dialer0 overload
ip nat inside source static tcp 10.X.X.254 4777 interface Dialer0 4777
ip nat inside source static tcp 10.X.X.254 110 interface Dialer0 110
ip nat inside source static tcp 10.X.X.254 25 interface Dialer0 25
ip nat inside source static tcp 10.X.X.254 4899 interface Dialer0 4899
ip nat inside source static tcp 10.X.X.254 53 interface Dialer0 53
ip nat inside source static tcp 10.X.X.252 80 interface Dialer0 80
ip nat inside source static tcp 10.X.X.252 8080 interface Dialer0 8080
ip nat inside source static tcp 10.X.X.252 443 interface Dialer0 443
ip nat inside source static tcp 10.X.X.252 8888 interface Dialer0 8888
ip nat inside source static tcp 10.X.X.252 990 interface Dialer0 990
ip nat inside source static tcp 10.X.X.252 989 interface Dialer0 989
!
access-list 100 remark SDM_ACL Category=20
access-list 100 permit gre host 172.X.X.X host 213.XX.XXX.XX
access-list 150 remark LOCAL LAN
access-list 150 remark SDM_ACL Category=2
access-list 150 remark Permit Server_XXXX SMTP
access-list 150 permit ip host 10.X.X.254 any
access-list 150 remark SMTP Block
access-list 150 deny   tcp any eq smtp any eq smtp log
access-list 150 permit ip 10.X.X.0 0.0.0.255 any
dialer-list 1 protocol ip permit
no cdp run
!
!
!
!
control-plane
!
banner login ^CC
-----------------------------------------------------------------------
Unauthorised Access Strictly Prohibited
This Appliance Logs All Incoming And Outgoing Traffic
If You Are An Unauthorised User Disconnect Immediately!! 
-----------------------------------------------------------------------
 
^C
!
line con 0
 no modem enable
 transport output telnet
line aux 0
 transport output all
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
 transport output telnet ssh
!
scheduler max-task-time 5000
ntp server 207.XX.XXX.XXX source Dialer0 prefer
end

Question by:gloec
8 Comments
 
LVL 43

Accepted Solution

by:
JFrederick29 earned 220 total points
ID: 24411317
What you are trying to do won't work.  I would use an access-list on the VLAN1 interface instead such as:

conf t
ip access-list ext inside-out
permit ip host 10.x.x.254 any   <--allow SMTP server
deny tcp any any eq 25 log   <--deny SMTP from any other host and "log" the attempt
permit ip any any  <--allow all other traffic

int vlan1
ip access-group inside-out in
 
LVL 6

Assisted Solution

by:Krisdeep
Krisdeep earned 80 total points
ID: 24411325
You can do two things

1) Set up top talkers in Cisco ADSM

2) Download Wireshark, and what you do is connect your cable from the Cisco (ADSL modem) to the hub and connect a cable from your switch (network) to the hub. Also connect your laptop to the hub and run Wireshark to sniff the packets. The reason I used a hub is to broadcast the traffic so I can analyze it. I have used this method at client sites that did not have that top talkers functionality and successfully tracked down the trojans.

http://www.wireshark.org/
 
LVL 28

Assisted Solution

by:asavener
asavener earned 200 total points
ID: 24411335
Two problems:

1.  This line:  "access-list 150 deny   tcp any eq smtp any eq smtp log" is incorrect.  It should read "access-list 150 deny   tcp any any eq smtp log"  (You should not be matching against source port.)
2.  The access list 150 does not appear to be applied to an interface:
interface vlan1
ip access-group 150 in
 
LVL 28

Expert Comment

by:asavener
ID: 24411338
After this, the SMTP traffic should be logged.
 
LVL 4

Expert Comment

by:nasirsh
ID: 24422722
Should be like this

access-list 150 remark LOCAL LAN
access-list 150 remark SDM_ACL Category=2
access-list 150 remark Permit Server_XXXX SMTP
access-list 150 permit ip host 10.X.X.254 any
access-list 150 remark SMTP Block
access-list 150 permit ip any any
access-list 150 deny  tcp any any eq smtp  log

Hope this helps.
 
LVL 28

Expert Comment

by:asavener
ID: 24422957
Er... no.

In your example, the deny SMTP comes after permit all, so it won't deny anything.
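As an added illustration (not part of the thread), the following Python models IOS first-match ACL evaluation and checks the three versions of access-list 150 discussed above against constructed packets: the list as originally posted (source port also matched), asavener's correction (destination port only), and nasirsh's ordering (permit-all before the deny). The address 10.0.0.254 stands in for the redacted 10.X.X.254 and the hosts and ports are constructed.

```python
from dataclasses import dataclass
from typing import Optional

SMTP = 25
MAIL_SERVER = "10.0.0.254"  # constructed stand-in for the redacted 10.X.X.254

@dataclass(frozen=True)
class Rule:
    """One access-list entry; a None field means 'any' for that criterion."""
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" (any protocol) or "tcp"
    src: Optional[str] = None     # source host
    sport: Optional[int] = None   # source port ("eq" on the source side)
    dport: Optional[int] = None   # destination port

def matches(rule: Rule, proto: str, src: str, sport: int, dport: int) -> bool:
    return (rule.proto in ("ip", proto)
            and rule.src in (None, src)
            and rule.sport in (None, sport)
            and rule.dport in (None, dport))

def evaluate(acl, proto, src, sport, dport):
    """IOS semantics: top-down, first match wins, implicit deny at the end."""
    for rule in acl:
        if matches(rule, proto, src, sport, dport):
            return rule.action
    return "deny"

# access-list 150 as posted: "deny tcp any eq smtp any eq smtp" only matches
# when the SOURCE port is also 25, which a sending workstation never uses.
ACL_AS_POSTED = [Rule("permit", "ip", src=MAIL_SERVER),
                 Rule("deny", "tcp", sport=SMTP, dport=SMTP),
                 Rule("permit", "ip")]

# asavener's correction: "deny tcp any any eq smtp" matches destination only.
ACL_CORRECTED = [Rule("permit", "ip", src=MAIL_SERVER),
                 Rule("deny", "tcp", dport=SMTP),
                 Rule("permit", "ip")]

# nasirsh's ordering: "permit ip any any" before the deny makes the deny dead.
ACL_WRONG_ORDER = [Rule("permit", "ip", src=MAIL_SERVER),
                   Rule("permit", "ip"),
                   Rule("deny", "tcp", dport=SMTP)]

def outbound_smtp(acl, host, sport=49152):
    """Verdict for host -> Internet:25 from a typical ephemeral source port."""
    return evaluate(acl, "tcp", host, sport, SMTP)
```

Only the corrected list denies a workstation's outbound port-25 connection while still permitting the mail server; the other two let it through, which is why the original "log" keyword never produced a hit.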
 

Author Comment

by:gloec
ID: 24429085
I would like to thank you all for your replies. I made the corrections to the access list and the matches I got for SMTP are only from the mail server. I also enabled the top talkers feature and I would like to ask where I could find a reference for the protocol numbers I get.
Thank you very much in advance.
 
LVL 43

Assisted Solution

by:JFrederick29
JFrederick29 earned 220 total points
ID: 24430738