[Webinar] Streamline your web hosting managementRegister Today

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2828
  • Last Modified:

CISCO router block port 25

Experience: I got my CCENT along while back and never used it since, now i need it I remember the basics but not the specifics

Problem: I have a Cisco Router (Version info/config below) I need to allow port 25 from the server and block from everywhere else, if possible log 25 to figure out who is sending out.
Can someone provide me command by command (I have telnet in with enable mode access)

INFO:
Server is 10.0.0.250 and 10.0.0.3
Network is 10.0.0.0/24
Computer connect to switch which connects to router via 1 port


===================

ROUTER#show version
Cisco IOS Software, C870 Software (C870-ADVIPSERVICESK9-M), Version 12.4(24)T2,
RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Tue 20-Oct-09 04:56 by prod_rel_team

ROM: System Bootstrap, Version 12.3(8r)YI4, RELEASE SOFTWARE

ROUTER uptime is 1 hour, 46 minutes
System returned to ROM by power-on
System image file is "flash:c870-advipservicesk9-mz.124-24.T2.bin"


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco 877 (MPC8272) processor (revision 0x400) with 118784K/12288K bytes of memo
ry.
Processor board ID FCZ140692PZ
MPC8272 CPU Rev: Part Number 0xC, Mask Number 0x10
4 FastEthernet interfaces
1 ATM interface
128K bytes of non-volatile configuration memory.
24576K bytes of processor board System flash (Intel Strataflash)

Configuration register is 0x2102

==========================

==========================
ROUTER#show run
Building configuration...

Current configuration : 2667 bytes
!
version 12.4
service nagle
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ROUTER
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 65536
enable secret 5 $1$WA.x$b1kOqYkQZK7R2x6ethUCn0
!
no aaa new-model
clock timezone GMT 0
regexp optimize
!
!
dot11 syslog
no ip source-route
no ip gratuitous-arps
!
!
ip dhcp excluded-address 192.168.0.1 192.168.0.10
ip dhcp excluded-address 192.168.0.30 192.168.0.254
!
!
ip cef
no ip bootp server
ip domain lookup source-interface Dialer0
ip domain name ************************************
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
username admin password 7 ************************
!
!
!
archive
 log config
  hidekeys
!
!
ip tcp selective-ack
ip tcp window-size 65535
ip tcp queuemax 50
ip tcp path-mtu-discovery
ip tftp source-interface Dialer0
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh source-interface Dialer0
ip ssh version 2
!
buffers tune automatic
!
!
interface ATM0
 no ip address
 load-interval 30
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description :x=LAN:
 ip address 10.0.0.254 255.255.255.0
 no ip proxy-arp
 ip mtu 1426
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1386
 hold-queue 100 out
!
interface Dialer0
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 load-interval 30
 dialer pool 1
 dialer idle-timeout 0
 dialer persistent
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname ****************************************
 ppp chap password 7 ***************************************
 ppp ipcp dns request
 ppp ipcp route default
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip dns server
ip nat inside source list NAT-POOL interface Dialer0 overload
ip nat inside source static tcp 10.0.0.3 80 interface Dialer0 80
ip nat inside source static tcp 10.0.0.3 443 interface Dialer0 443
ip nat inside source static tcp 10.0.0.3 25 interface Dialer0 25
ip nat inside source static tcp 10.0.0.3 491 interface Dialer0 491
!
ip access-list extended NAT-POOL
 permit ip 10.0.0.0 0.0.0.255 any
!
no logging trap
no cdp run

!
!
!
!
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 no modem enable
line aux 0
 exec-timeout 30 0
 password 7 ********************************
line vty 0 4
 exec-timeout 0 0
 no login
 transport input telnet ssh
!
scheduler max-task-time 5000
sntp source-interface Dialer0
end
=================================

Additional Problem:

line vty 0 4
 exec-timeout 0 0
 no login  -   as far as a i remember i just have to change this to 'login' where do i set username and password?
0
ManicD
Asked:
ManicD
  • 10
  • 9
  • 6
  • +1
1 Solution
 
Don JohnstonInstructorCommented:
>Experience: I got my CCENT along while back and never used it since, now i need it I remember the basics but not the specifics

Don't sweat it. ACL's aren't covered in the CCENT cert. :-)

>Problem: I have a Cisco Router (Version info/config below) I need to allow port 25 from the server and block from everywhere else, if possible log 25 to figure out who is sending out.

I don't know if I follow you, but this should give you a start:

config t
access-list 101 permit tcp 10.0.0.3 0.0.0.0 any eq 25 log
access-list 101 permit tcp 10.0.0.250 0.0.0.0 any eq 25 log
int vlan 1
 ip access-group 101 in
end

With this ACL, the only traffic that will get off the 10.0.0.0/24 network is SMTP traffic from the two addresses. NOTHING else will be able to leave that network. This seems a little extreme to me, but that's what it sounds like you want.

> no login  -   as far as a i remember i just have to change this to 'login' where do i set username and password?

If you want to do a username/password pair, you would create them in global config:

username david password bacon
line vty 0 4
 login local

Or you can simply put a password on the vty line

line vty 0 4
 password automobile
 login

0
 
ManicDAuthor Commented:
Apologies I didn't explain myself, after port 25 I do want all other ports to function normally

0
 
djcaponeCommented:
This depends on whether you actually mean allowing port 25 FROM the server (server can send mail) or you actually mean TO the server (outside systems can connect to deliver mail).

If you mean the former:

ip access-list extended allow_smtp
permit tcp host 10.0.0.3 any eq 25
permit tcp host 10.0.0.250 any eq 25
deny tcp any any eq 25 log
permit ip any any  <---- this is needed to prevent the implict deny any any from blocking all traffic

interface Vlan1
ip access-group allow_smtp  in

if you mean the latter, you will not be able to allow access to both servers without an additional public IP address.

your static nat translation and the lack of an ACL should presently be allowing connections from the outside to reach the 10.0.0.3 server on port 25 via the interface IP address.
0
IT Degree with Certifications Included

Aspire to become a network administrator, network security analyst, or computer and information systems manager? Make the most of your experience as an IT professional by earning your B.S. in Network Operations and Security.

 
TheMakCommented:
you need to setup access list for only allowing port 25 from server and apply it to the dialer interface

login is enough but if you want password for enable mode then you need to configure under VTY 0 4

password ? (you will see all commands)

or without enable mode you already have username and paasword which you use in cosole,

username admin password 7 ************************
0
 
ManicDAuthor Commented:
yes the server is exchange so must send and receive, (this is already setup, see running config) but nobody else on site should send or receive port 25
server and all computers need to send/receive all ports apart from 25

Then I need to figure out who is sending the spam to dis-infect the computer.
0
 
Don JohnstonInstructorCommented:
>Apologies I didn't explain myself, after port 25 I do want all other ports to function normally

What about all the other devices? Assuming you want those to work, the the ACL would look like this:

access-list 101 permit tcp 10.0.0.3 0.0.0.0 any eq 25
access-list 101 permit tcp 10.0.0.250 0.0.0.0 any eq 25
access-list 101 deny tcp 10.0.0.0 0.0.0.255 any eq 25 log
access-list 101 permit ip any any
0
 
TheMakCommented:
you can use Exchange 2007 features for Anti-Spam tuning and monitoring as you will see lots of IP's on the router log hitting,

http://social.technet.microsoft.com/Forums/en-US/exchangesvrantivirusandantispam/thread/bca379ee-3c14-4c2f-a0a6-daba7b172899/
0
 
ManicDAuthor Commented:
config t

access-list 101 permit tcp 10.0.0.3 0.0.0.0 any eq 25
access-list 101 permit tcp 10.0.0.250 0.0.0.0 any eq 25
access-list 101 deny tcp 10.0.0.0 0.0.0.255 any eq 25 log
access-list 101 permit ip any any

int vlan 1
 ip access-group 101 in
end





Also, how do i veiw the logging for the blocks? and how do i manage it, set max space log files can use etc.....
bear in mind i only need to log and view logs very occationally..
0
 
TheMakCommented:
to view logs,
show log

to make changes to loggin buffer size user,

logging ?
logging buffered 16384

to know some basic,
http://networking.ringofsaturn.com/Cisco/ciscocommandguide.php
0
 
TheMakCommented:

Get to know your logging options in the Cisco IOS

http://articles.techrepublic.com.com/5100-10878_11-6084442.html
0
 
Don JohnstonInstructorCommented:
The log messages will be displayed on the console (unless that's been disabled).

You can also view them with a "show log".

Since the reason for logging is to identify an offending machine, I don't think you need to worry about increasing the log size.

Here's Cisco's ACL logging paper.

http://www.cisco.com/web/about/security/intelligence/acl-logging.html
0
 
ManicDAuthor Commented:
Just looked at and got concerned over

int vlan 1
 ip access-group 101 in

Is the direction of IN correct or should it be OUT.....

I want to stop my network sending out on port 25

Just double checking....

0
 
TheMakCommented:
it should be out if you want to block sending from your network..

"Then I need to figure out who is sending the spam to dis-infect the computer."
you want to figure out your own network computers sending out spam?

regards
0
 
Don JohnstonInstructorCommented:
Traffic coming from the 10.0.0.0/24 network will have to enter the VLAN 1 interface in order to go anywhere. So "in" would be checking that traffic.

Now if you wanted to check traffic going TO the 10.0.0.0/24 network, you could use "out" on the VLAN 1 interface.

Of course, you could check the traffic on the Dialer0 interface instead.
0
 
Don JohnstonInstructorCommented:
>it should be out if you want to block sending from your network..

The direction of the ACL is dependent on the interface it's applied to.

It would be outbound if it was applied to the dialer0 interface.
0
 
ManicDAuthor Commented:
DonJ, I would feel more confident working with the dialer interface, so just to check then It would be traffic heading out the dialer0 interface??????

Commands would be:


config t

access-list 101 permit tcp 10.0.0.3 0.0.0.0 any eq 25
access-list 101 permit tcp 10.0.0.250 0.0.0.0 any eq 25
access-list 101 deny tcp 10.0.0.0 0.0.0.255 any eq 25 log
access-list 101 permit ip any any

int dialer0
 ip access-group 101 out
end


0
 
Don JohnstonInstructorCommented:
Correct.
0
 
Don JohnstonInstructorCommented:
And actually, you can accomplish the same result with the following ACL:

access-list 101 deny tcp 10.0.0.0 0.0.0.255 any eq 25 log
access-list 101 permit ip any any

0
 
Don JohnstonInstructorCommented:
Please disregard the last post.
0
 
ManicDAuthor Commented:
all done, but i can still run

telnet smtp.btconnect.com 25

from a computer on 10.0.0.69

======================

ROUTER#show run
Building configuration...

Current configuration : 2896 bytes
!
version 12.4
service nagle
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ROUTER
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 65536
enable secret 5 $1$WA.x$b1kOqYkQZK7R2x6ethUCn0
!
no aaa new-model
clock timezone GMT 0
regexp optimize
!
!
dot11 syslog
no ip source-route
no ip gratuitous-arps
!
!
ip dhcp excluded-address 192.168.0.1 192.168.0.10
ip dhcp excluded-address 192.168.0.30 192.168.0.254
!
!
ip cef
no ip bootp server
ip domain lookup source-interface Dialer0
ip domain name ***********************************
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
username admin password 7 *********************************
!
!
!
archive
 log config
  hidekeys
!
!
ip tcp selective-ack
ip tcp window-size 65535
ip tcp queuemax 50
ip tcp path-mtu-discovery
ip tftp source-interface Dialer0
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh source-interface Dialer0
ip ssh version 2
!
buffers tune automatic
!
!
interface ATM0
 no ip address
 load-interval 30
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description :x=LAN:
 ip address 10.0.0.254 255.255.255.0
 no ip proxy-arp
 ip mtu 1426
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1386
 hold-queue 100 out
!
interface Dialer0
 ip address negotiated
 ip access-group 101 out
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 load-interval 30
 dialer pool 1
 dialer idle-timeout 0
 dialer persistent
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname *******************
 ppp chap password 7 ********************
 ppp ipcp dns request
 ppp ipcp route default
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip dns server
ip nat inside source list NAT-POOL interface Dialer0 overload
ip nat inside source static tcp 10.0.0.3 80 interface Dialer0 80
ip nat inside source static tcp 10.0.0.3 443 interface Dialer0 443
ip nat inside source static tcp 10.0.0.3 25 interface Dialer0 25
ip nat inside source static tcp 10.0.0.3 491 interface Dialer0 491
!
ip access-list extended NAT-POOL
 permit ip 10.0.0.0 0.0.0.255 any
!
no logging trap
access-list 101 permit tcp host 10.0.0.250 any eq smtp
access-list 101 permit tcp host 10.0.0.3 any eq smtp
access-list 101 deny   tcp 10.0.0.0 0.0.0.255 any eq smtp log
access-list 101 permit ip any any
no cdp run

!
!
!
!
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 no modem enable
line aux 0
 exec-timeout 30 0
 password 7 ********************************
line vty 0 4
 exec-timeout 0 0
 no login
 transport input telnet ssh
!
scheduler max-task-time 5000
sntp source-interface Dialer0
end

====================





0
 
ManicDAuthor Commented:
Should

access-list 101 deny tcp 10.0.0.0 0.0.0.255 any eq smtp log


be

access-list 101 deny tcp 10.0.0.0 255.0.0.0 any eq smtp log


????????????
0
 
TheMakCommented:
you applied that on external interface so the traffic will work internally unless you apply that on VLAN and wild cards are used in this way 10.0.0.0 0.0.0.255 not 10.0.0.0 255.0.0.0.

regards,
0
 
Don JohnstonInstructorCommented:
That's why you should apply it to the VLAN 1 interface. You're doing NAT. So the source address is being changed.

0
 
ManicDAuthor Commented:
Fantastic Help!!

Have a x-mas card and 500 well deserved expert points!!!

WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW
WW         ___ __     ____      ___    ___   _   _          WW
WW        |   V  \   / _  )    / __|  / __| | | | |         WW
WW        | /\ /\ | ( (/ /_   | /    | /    \ \_| |         WW
WW        |_||_||_|  \_____|  |_|    |_|     \__  |         WW
WW                                              | |         WW
WW                          _.-"""-.          _/ /          WW
WW                        _/_______ `.       |__/           WW
WW                       / _______ \  \                     WW
WW                       \/,-. ,-.\/   \                    WW
WW                       ()>=   =<()`._ \_                  WW
WW                     ,-(.--(_)--.)`-.`(_)                 WW
WW                   ,'  /.-'\_/`-.\   `.                   WW
WW                  /   /    `-'    \    \                  WW
WW                ,'    \           /     `.                WW
WW               /     _ `.       ,'  _     \               WW
WW              /     _/   `-._.-'    \_     \              WW
WW             /_______|     -|O      |_______\             WW
WW            {________}______|_______{________}            WW
WW            ,'   _ \(_____[|_=]______)  / _   `.          WW
WW           /    / `'--------------------`' \    \         WW
WW           `---'  |_____________________|   `---'         WW
WW                    |_____|_____|_____|                   WW
WW                    |__|_____|_____|__|                   WW
WW        _           |_____|_____|_____|  hjw              WW
WW       | |           _                                    WW
WW       | |          (_)        _                          WW
WW  ___  | |__    ___  _   ___  | |_  ___  _    ____   ___  WW
WW /  _| |  _ \  / __|| | / __| |  _||   V  \  / _  | / __| WW
WW(  (_  | | \ || /   | | \__ \ | |  | /\ /\ |( (_| | \__ \ WW
WW \___| |_| |_||_|   |_| |___/ |_|  |_||_||_| \____| |___/ WW
WW                                                          WW
WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW

Open in new window

0
 
ManicDAuthor Commented:
:-)
0
 
Don JohnstonInstructorCommented:
:-)
0

Featured Post

The new generation of project management tools

With monday.com’s project management tool, you can see what everyone on your team is working in a single glance. Its intuitive dashboards are customizable, so you can create systems that work for you.

  • 10
  • 9
  • 6
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now