gloec
asked on
Cisco and restricting SMTP access
Dear all,
I am not a Cisco expert and that is why I would like to have your help in order to try to solve a very serious issue I am facing right now.
In one of the companies I support there is a DSL connection using one static IP in order to allow incoming and outgoing access for users and servers to the Internet.
During the last week I got a call from some users reporting that they had trouble sending emails to the Internet. While troubleshooting this issue I discovered that our specific IP had been banned by CBL because it was reported as a spam address.
The reason for the ban was a Trojan whose name I unfortunately cannot remember!
The email server (Windows 2003 Enterprise R2 SP2, Exchange Server 2003) is properly protected with antivirus (MS Forefront), and after a scan I did with SpyBot, Malwarebytes and the Microsoft Malicious Software Removal Tool it was clean of any malware or Trojan.
The next step was to scan the users' workstations; most of them were clean, and all malware found was removed.
What I would like to do is to block all internal IPs sending email to the Internet except the one from the email server.
Using SDM and NAT, I blocked, or at least I think I blocked, all internal IPs from using port 25 except that of the email server.
The DSL connection is made using a Cisco 876 with IOS Version: 12.4(11)T1.
I have attached the Cisco's configuration to give a clearer idea of the configuration of my router.
Is there any other way to see which computer is trying to send email?
Thank you very much in advance.
Nikos
Current configuration : 6802 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname xxx.xxxxxxx.gr
!
boot-start-marker
boot system flash:c870-advipservicesk9-mz.124-11.T1.bin
boot-end-marker
!
logging buffered 51200 informational
enable secret 5 $1$7uVj$9hzVed/KrvtkMRRAsBXfG.
!
no aaa new-model
clock timezone GMT+2 2
clock summer-time PCTime date Mar 30 2003 3:00 Oct 26 2003 4:00
ip cef
!
!
!
!
ip domain name xxxxxxxxx.gr
ip name-server 10.X.X.248
ip name-server 10.X.X.254
!
multilink bundle-name authenticated
!
crypto pki trustpoint TP-self-signed-3225088414
subject-name cn=IOS-Self-Signed-Certificate-3225088414
revocation-check none
rsakeypair TP-self-signed-3225088414
!
crypto pki trustpoint TP-self-signed-1226696483
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1226696483
revocation-check none
rsakeypair TP-self-signed-1226696483
!
crypto pki trustpoint test_trustpoint_config_created_for_sdm
subject-name e=sdmtest@sdmtest.com
revocation-check crl
!
!
crypto pki certificate chain TP-self-signed-3225088414
crypto pki certificate chain TP-self-signed-1226696483
certificate self-signed 01
30820255 308201BE A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31323236 36393634 3833301E 170D3037 30373034 31343436
34355A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
quit
crypto pki certificate chain test_trustpoint_config_created_for_sdm
!
!
username xxx privilege 15 password 7 xxxxxxxxxxx
username xxx privilege 15 secret 5 xxxxxxxxxxxxxxx
!
!
!
crypto isakmp policy 2
encr 3des
authentication pre-share
group 2
crypto isakmp key xxxxxxxx address xxx.xxx.xxx.xxx
!
!
crypto ipsec transform-set 5POINT-VPN esp-3des esp-md5-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel
set peer xxx.xxx.xxx.xxx
set transform-set 5POINT-VPN
match address 100
!
!
!
!
interface Tunnel0
description connection to xxx
ip address 172.X.X.X 255.255.255.0
ip mtu 1500
tunnel source 62.X.XX.XX
tunnel destination 213.XX.XXX.XX
crypto map SDM_CMAP_1
!
interface BRI0
description ISDN Backup Interface
no ip address
encapsulation hdlc
shutdown
no cdp enable
!
interface ATM0
no ip address
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
description ATM Virtual Interface
no snmp trap link-status
pvc 8/35
encapsulation aal5snap
protocol ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0
description Ethernet Port 1
no cdp enable
!
interface FastEthernet1
description Ethernet Port 2
no cdp enable
!
interface FastEthernet2
description Ethernet Port 3
no cdp enable
!
interface FastEthernet3
description Ethernet Port 4
no cdp enable
!
interface Vlan1
description Connected To LAN$FW_INSIDE$
ip address 10.X.X.1 255.XXX.XXX.0
ip nat inside
ip virtual-reassembly
ip route-cache flow
!
interface Dialer0
description Connected To Internet$FW_OUTSIDE$
ip address 62.X.XX.XX 255.255.255.0
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname XXXX@XXXX.GR
ppp chap password 7 XXXXXXX
ppp pap sent-username XXXX@XXXX.GR password 7 XXXXXXXXX
!
router rip
passive-interface Dialer0
network 10.X.0.X
no auto-summary
!
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 10.X.0.X 255.255.255.0 Tunnel0 permanent
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source list 150 interface Dialer0 overload
ip nat inside source static tcp 10.X.X.254 4777 interface Dialer0 4777
ip nat inside source static tcp 10.X.X.254 110 interface Dialer0 110
ip nat inside source static tcp 10.X.X.254 25 interface Dialer0 25
ip nat inside source static tcp 10.X.X.254 4899 interface Dialer0 4899
ip nat inside source static tcp 10.X.X.254 53 interface Dialer0 53
ip nat inside source static tcp 10.X.X.252 80 interface Dialer0 80
ip nat inside source static tcp 10.X.X.252 8080 interface Dialer0 8080
ip nat inside source static tcp 10.X.X.252 443 interface Dialer0 443
ip nat inside source static tcp 10.X.X.252 8888 interface Dialer0 8888
ip nat inside source static tcp 10.X.X.252 990 interface Dialer0 990
ip nat inside source static tcp 10.X.X.252 989 interface Dialer0 989
!
access-list 100 remark SDM_ACL Category=20
access-list 100 permit gre host 172.X.X.X host 213.XX.XXX.XX
access-list 150 remark LOCAL LAN
access-list 150 remark SDM_ACL Category=2
access-list 150 remark Permit Server_XXXX SMTP
access-list 150 permit ip host 10.X.X.254 any
access-list 150 remark SMTP Block
access-list 150 deny tcp any eq smtp any eq smtp log
access-list 150 permit ip 10.X.X.0 0.0.0.255 any
dialer-list 1 protocol ip permit
no cdp run
!
!
!
!
control-plane
!
banner login ^CC
-----------------------------------------------------------------------
Unauthorised Access Strictly Prohibited
This Appliance Logs All Incoming And Outgoing Traffic
If You Are An Unauthorised User Disconnect Immediately!!
-----------------------------------------------------------------------
^C
!
line con 0
no modem enable
transport output telnet
line aux 0
transport output all
line vty 0 4
privilege level 15
login local
transport input telnet ssh
transport output telnet ssh
!
scheduler max-task-time 5000
ntp server 207.XX.XXX.XXX source Dialer0 prefer
end
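The `log` keyword on a deny entry makes IOS emit a %SEC-6-IPACCESSLOGP message for the first matching packet and then periodic summaries with a packet count, which is one direct way to see which internal host is trying to reach port 25. The following parser is an added example, not code from the thread; it assumes list 150 is the list carrying the logged deny, that the deny entry actually matches workstation SMTP traffic, and it uses constructed addresses (10.0.0.254 standing in for the masked 10.X.X.254 mail server).

```python
import re
from collections import Counter

# IOS extended-ACL log message (real format). Addresses, ports and counts below are constructed.
ACL_LOG = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

# Constructed sample of what 'logging buffered' would hold after the deny entry starts matching.
# IOS logs the first packet of a new flow, then a summary with the count roughly every 5 minutes.
SAMPLE_LOG = """\
*Jul  4 14:46:12.103: %SEC-6-IPACCESSLOGP: list 150 denied tcp 10.0.0.37(49321) -> 203.0.113.5(25), 1 packet
*Jul  4 14:46:40.517: %SEC-6-IPACCESSLOGP: list 150 denied tcp 10.0.0.41(1107) -> 198.51.100.9(25), 1 packet
*Jul  4 14:51:12.220: %SEC-6-IPACCESSLOGP: list 150 denied tcp 10.0.0.37(49355) -> 203.0.113.5(25), 214 packets
*Jul  4 14:51:13.004: %SEC-6-IPACCESSLOGP: list 150 permitted tcp 10.0.0.254(1025) -> 203.0.113.5(25), 3 packets
*Jul  4 14:52:00.330: %SEC-6-IPACCESSLOGP: list 150 denied tcp 10.0.0.37(49410) -> 203.0.113.5(80), 2 packets
"""


def parse(lines):
    """Yield one dict per parseable ACL log line; unrelated syslog lines are ignored."""
    for line in lines:
        m = ACL_LOG.search(line)
        if m:
            entry = m.groupdict()
            for key in ("sport", "dport", "count"):
                entry[key] = int(entry[key])
            yield entry


def smtp_senders(lines, acl="150", mail_server="10.0.0.254"):
    """Total denied packets towards port 25 per internal source on the given list.

    The mail server is excluded because the first ACL entry permits it outright;
    every other source that shows up here is a machine trying to send mail directly.
    """
    totals = Counter()
    for e in parse(lines):
        if e["acl"] == acl and e["action"] == "denied" and e["dport"] == 25 and e["src"] != mail_server:
            totals[e["src"]] += e["count"]
    return totals


if __name__ == "__main__":
    for host, packets in smtp_senders(SAMPLE_LOG.splitlines()).most_common():
        print(f"{host:<15} {packets} denied SMTP packets")
```

A host at the top of this list with a large count is the one to pull off the network and re-scan.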
After this, the SMTP traffic should be logged. It should look like this:
access-list 150 remark LOCAL LAN
access-list 150 remark SDM_ACL Category=2
access-list 150 remark Permit Server_XXXX SMTP
access-list 150 permit ip host 10.X.X.254 any
access-list 150 remark SMTP Block
access-list 150 permit ip any any
access-list 150 deny tcp any any eq smtp log
Hope this helps.
Er... no.
In your example, the deny SMTP comes after permit all, so it won't deny anything.
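To make the ordering point concrete, here is an added Python model of IOS first-match ACL evaluation (not code from the thread) run over the three shapes of list 150 on this page: the asker's original, the list posted above with `permit ip any any` before the deny, and a corrected order. Addresses are constructed stand-ins for the masked 10.X.X.x values; only host/any/wildcard sources (written as CIDR) and `eq` port matches are modelled, and the example also shows that the original `deny tcp any eq smtp any eq smtp` entry only matches when the source port is 25 as well.

```python
import ipaddress
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional

SMTP, ANY = 25, "0.0.0.0/0"
# A packet as the ACL sees it: addresses, protocol name, source and destination port.
Flow = namedtuple("Flow", "src dst proto sport dport")


@dataclass(frozen=True)
class Ace:
    """One extended access-list entry. A port of None means no 'eq' operator on that side."""
    action: str
    proto: str                    # "ip" matches every protocol, as on IOS
    src: str = ANY                # CIDR: 'host x' is x/32, '10.0.0.0 0.0.0.255' is 10.0.0.0/24
    dst: str = ANY
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, f: Flow) -> bool:
        return (self.proto in ("ip", f.proto)
                and ipaddress.ip_address(f.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(f.dst) in ipaddress.ip_network(self.dst)
                and self.sport in (None, f.sport)
                and self.dport in (None, f.dport))


def evaluate(acl, f: Flow) -> str:
    """IOS semantics: entries are tried in order, first match wins, implicit deny at the end."""
    for ace in acl:
        if ace.matches(f):
            return ace.action
    return "deny"


# Constructed stand-ins for the masked 10.X.X.x addresses in the posted config.
MAIL, LAN = "10.0.0.254/32", "10.0.0.0/24"
PERMIT_MAIL = Ace("permit", "ip", src=MAIL)          # permit ip host 10.X.X.254 any
# Asker's list 150: 'deny tcp any eq smtp any eq smtp' needs source AND destination port 25.
ORIGINAL = [PERMIT_MAIL, Ace("deny", "tcp", sport=SMTP, dport=SMTP), Ace("permit", "ip", src=LAN)]
# The list posted in the thread: 'permit ip any any' comes first, so the deny is never reached.
POSTED = [PERMIT_MAIL, Ace("permit", "ip"), Ace("deny", "tcp", dport=SMTP)]
# Deny outbound SMTP before the LAN permit: only the mail server reaches port 25.
CORRECTED = [PERMIT_MAIL, Ace("deny", "tcp", dport=SMTP), Ace("permit", "ip", src=LAN)]

WORKSTATION_SMTP = Flow("10.0.0.37", "203.0.113.5", "tcp", 49321, SMTP)
MAILSERVER_SMTP = Flow("10.0.0.254", "203.0.113.5", "tcp", 49000, SMTP)
WORKSTATION_WEB = Flow("10.0.0.37", "203.0.113.5", "tcp", 49322, 80)

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL), ("posted", POSTED), ("corrected", CORRECTED)):
        print(name, [evaluate(acl, f) for f in (WORKSTATION_SMTP, MAILSERVER_SMTP, WORKSTATION_WEB)])
```

In the posted config list 150 is the `ip nat inside source list`, so a "deny" here means the packet is not translated rather than dropped at the interface.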
ASKER
I would like to thank you all for your replies. I made the corrections to the access list, and the matches I got for SMTP are only from the mail server. I also enabled the top talkers feature, and I would like to ask where I could find a reference for the protocol numbers I get.
Thank you very much in advance.