Block port 25 on Cisco Router

KOV_VZW asked:
Hi,

We have a C1841 router and I really need to block all traffic inside -> outside on port 25.
All help is welcome.

Thank you very much.
!
! Last configuration change at 12:38:14 GMT Fri Apr 23 2010 by administrator
! NVRAM config last updated at 11:17:12 GMT Fri Dec 18 2009 by administrator
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service sequence-numbers
!
hostname C1800
!
boot-start-marker
boot system flash c1841-advsecurityk9-mz.124-22.T.bin
boot-end-marker
!
logging message-counter syslog
logging buffered 4096
enable secret 5 $1$WBR/$hymXHpwqLbMkJNMiNY/i3/
enable password xxx
!
no aaa new-model
clock timezone GMT 0
clock summer-time GMT recurring last Sun Mar 1:00 last Sun Oct 2:00
dot11 syslog
ip source-route
!
!
!
!
ip cef
ip domain name yourdomain.com
!
multilink bundle-name authenticated
!
!
crypto pki trustpoint TP-self-signed-4167747676
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-4167747676
 revocation-check none
 rsakeypair TP-self-signed-4167747676
!
!
crypto pki certificate chain TP-self-signed-4167747676
 certificate self-signed 01
  quit
!
!
username administrator privilege 15 secret 5 $1$mNMi$PuUagD6xlKFB8.mJ57Ddx1
archive
 log config
  hidekeys
! 
!
!
!
!
!
!
!
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$
 ip address 192.168.255.98 255.255.255.0
 speed auto
 half-duplex
!
interface FastEthernet0/1
 ip address 172.16.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1/0
 shutdown
!
interface FastEthernet0/1/1
 shutdown
!
interface FastEthernet0/1/2
 shutdown
!
interface FastEthernet0/1/3
 shutdown
!
interface ATM0/0/0
 description *** Skynet () ***
 ip address xx.xxx.xxx.xx 255.255.255.192
 ip nat outside
 ip virtual-reassembly
 no atm ilmi-keepalive
 pvc 8/35 
  protocol ip xx.xxx.xx.xx broadcast
  encapsulation aal5snap
 !
!
interface Vlan1
 no ip address
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 xx.xxx.xxx.xx
ip route xx.xxx.xxx.xx 255.255.255.255 xx.xxx.xxx.xx
ip route 172.16.0.0 255.255.0.0 FastEthernet0/1
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
!
!
ip nat inside source list 2 interface ATM0/0/0 overload
ip nat inside source static tcp 172.16.11.7 9904 interface ATM0/0/0 4000
ip nat inside source static tcp 172.16.11.4 3389 interface ATM0/0/0 4100
ip nat inside source static tcp 172.16.11.1 9904 interface ATM0/0/0 4200
!
access-list 2 permit 172.16.0.0 0.0.255.255
access-list 2 permit 172.17.0.0 0.0.255.255
!
!
!
!
!
control-plane
!
line con 0
 password vxxx
 login
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
end


Istvan Kalmar, Head of IT Security Division, Top Expert 2010

Commented:
conf t
access-list 125 deny tcp any any eq 25
access-list 125 permit ip any any

int fast 0/1
 access-group 125 in
luc_roy, System Admin

Commented:
Use an access list:

access-list 125 deny tcp any any eq smtp
access-list 125 permit ip any any
interface [change to your interface]
 ip access-group 125 in

Make sure, if you need snmp to make it to your router, to put it on the outside interface and change the direction of the access list. If you want it out of your router, keep it like above.

Just remember in vs. out of your router. Or provide me the interface and whether you want it in or out of your router, and I will change it.
Istvan Kalmar, Head of IT Security Division, Top Expert 2010

Commented:
Sorry, this needs:

conf t
access-list 125 deny tcp any any eq 25
access-list 125 permit ip any any

int fast 0/1
 ip access-group 125 in
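As an added worked example (not from any of the posters), here is a fuller version of the same filter for the posted config's LAN interface FastEthernet0/1, using a named extended ACL with logging on the deny line. The permit entry for an internal mail relay is an assumption (172.16.11.5 is a constructed address); delete it if no LAN host should ever talk to TCP/25 directly.

```cisco
! Added example: named extended ACL applied inbound on the LAN-facing
! interface (FastEthernet0/1 in the posted config), so outbound SMTP is
! dropped before NAT. Ordering matters: IOS evaluates entries top-down
! and stops at the first match, so the exception must come first.
ip access-list extended BLOCK-OUTBOUND-SMTP
 remark Assumed internal mail relay (constructed address) - remove if none
 permit tcp host 172.16.11.5 any eq smtp
 remark Drop and log every other LAN host talking to TCP/25
 deny   tcp any any eq smtp log
 remark Everything else still flows; without this the implicit deny drops it
 permit ip any any
!
interface FastEthernet0/1
 ip access-group BLOCK-OUTBOUND-SMTP in
!
end
!
! Verification (privileged EXEC): the deny line's hit count rises
! whenever a LAN host tries to send mail directly.
show access-lists BLOCK-OUTBOUND-SMTP
show ip interface FastEthernet0/1 | include access list
```

The `log` keyword produces rate-limited %SEC-6-IPACCESSLOGP syslog messages naming the source host, which is how you find a workstation that is still trying to deliver mail on its own.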
luc_roy, System Admin

Commented:
Man, ikalmar, we posted at exactly the same time..... in a gun fight we would both be dead :)
Istvan Kalmar, Head of IT Security Division, Top Expert 2010

Commented:
yep:)
KOV_VZW, SysAdmin

Author

Commented:
Thank you very much
KOV_VZW, SysAdmin

Author

Commented:
Sorry luc,

I already awarded the points when I saw yours

Greetings,
Alex
luc_roy, System Admin

Commented:
Not a problem.... that's why we are all here.