
CISCO router block port 25

Posted on 2010-11-25
Last Modified: 2012-05-10
Experience: I got my CCENT a long while back and never used it since; now I need it. I remember the basics but not the specifics.

Problem: I have a Cisco router (version info/config below). I need to allow port 25 from the server and block it from everywhere else, and if possible log port 25 to figure out who is sending out.
Can someone provide the commands, command by command? (I have telnet in with enable mode access.)

INFO:
Servers are 10.0.0.250 and 10.0.0.3
Network is 10.0.0.0/24
Computers connect to a switch, which connects to the router via one port


===================

ROUTER#show version
Cisco IOS Software, C870 Software (C870-ADVIPSERVICESK9-M), Version 12.4(24)T2,
RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Tue 20-Oct-09 04:56 by prod_rel_team

ROM: System Bootstrap, Version 12.3(8r)YI4, RELEASE SOFTWARE

ROUTER uptime is 1 hour, 46 minutes
System returned to ROM by power-on
System image file is "flash:c870-advipservicesk9-mz.124-24.T2.bin"


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco 877 (MPC8272) processor (revision 0x400) with 118784K/12288K bytes of memory.
Processor board ID FCZ140692PZ
MPC8272 CPU Rev: Part Number 0xC, Mask Number 0x10
4 FastEthernet interfaces
1 ATM interface
128K bytes of non-volatile configuration memory.
24576K bytes of processor board System flash (Intel Strataflash)

Configuration register is 0x2102

==========================

==========================
ROUTER#show run
Building configuration...

Current configuration : 2667 bytes
!
version 12.4
service nagle
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ROUTER
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 65536
enable secret 5 $1$WA.x$b1kOqYkQZK7R2x6ethUCn0
!
no aaa new-model
clock timezone GMT 0
regexp optimize
!
!
dot11 syslog
no ip source-route
no ip gratuitous-arps
!
!
ip dhcp excluded-address 192.168.0.1 192.168.0.10
ip dhcp excluded-address 192.168.0.30 192.168.0.254
!
!
ip cef
no ip bootp server
ip domain lookup source-interface Dialer0
ip domain name ************************************
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
username admin password 7 ************************
!
!
!
archive
 log config
  hidekeys
!
!
ip tcp selective-ack
ip tcp window-size 65535
ip tcp queuemax 50
ip tcp path-mtu-discovery
ip tftp source-interface Dialer0
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh source-interface Dialer0
ip ssh version 2
!
buffers tune automatic
!
!
interface ATM0
 no ip address
 load-interval 30
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description :x=LAN:
 ip address 10.0.0.254 255.255.255.0
 no ip proxy-arp
 ip mtu 1426
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1386
 hold-queue 100 out
!
interface Dialer0
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 load-interval 30
 dialer pool 1
 dialer idle-timeout 0
 dialer persistent
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname ****************************************
 ppp chap password 7 ***************************************
 ppp ipcp dns request
 ppp ipcp route default
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip dns server
ip nat inside source list NAT-POOL interface Dialer0 overload
ip nat inside source static tcp 10.0.0.3 80 interface Dialer0 80
ip nat inside source static tcp 10.0.0.3 443 interface Dialer0 443
ip nat inside source static tcp 10.0.0.3 25 interface Dialer0 25
ip nat inside source static tcp 10.0.0.3 491 interface Dialer0 491
!
ip access-list extended NAT-POOL
 permit ip 10.0.0.0 0.0.0.255 any
!
no logging trap
no cdp run

!
!
!
!
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 no modem enable
line aux 0
 exec-timeout 30 0
 password 7 ********************************
line vty 0 4
 exec-timeout 0 0
 no login
 transport input telnet ssh
!
scheduler max-task-time 5000
sntp source-interface Dialer0
end
=================================

Additional Problem:

line vty 0 4
 exec-timeout 0 0
 no login  -   as far as I remember I just have to change this to 'login'; where do I set the username and password?
Question by:ManicD
LVL 50

Expert Comment

by:Don Johnston
ID: 34212211
>Experience: I got my CCENT a long while back and never used it since; now I need it. I remember the basics but not the specifics.

Don't sweat it. ACLs aren't covered in the CCENT cert. :-)

>Problem: I have a Cisco router (version info/config below). I need to allow port 25 from the server and block it from everywhere else, and if possible log port 25 to figure out who is sending out.

I don't know if I follow you, but this should give you a start:

config t
access-list 101 permit tcp 10.0.0.3 0.0.0.0 any eq 25 log
access-list 101 permit tcp 10.0.0.250 0.0.0.0 any eq 25 log
int vlan 1
 ip access-group 101 in
end

With this ACL, the only traffic that will get off the 10.0.0.0/24 network is SMTP traffic from the two addresses. NOTHING else will be able to leave that network. This seems a little extreme to me, but that's what it sounds like you want.

> no login  -   as far as I remember I just have to change this to 'login'; where do I set the username and password?

If you want to do a username/password pair, you would create them in global config:

username david password bacon
line vty 0 4
 login local

Or you can simply put a password on the vty line

line vty 0 4
 password automobile
 login

LVL 7

Author Comment

by:ManicD
ID: 34212245
Apologies, I didn't explain myself: after port 25, I do want all other ports to function normally.

LVL 6

Expert Comment

by:djcapone
ID: 34212254
This depends on whether you actually mean allowing port 25 FROM the server (server can send mail) or you actually mean TO the server (outside systems can connect to deliver mail).

If you mean the former:

ip access-list extended allow_smtp
permit tcp host 10.0.0.3 any eq 25
permit tcp host 10.0.0.250 any eq 25
deny tcp any any eq 25 log
permit ip any any  <---- this is needed to prevent the implicit deny any any from blocking all traffic

interface Vlan1
ip access-group allow_smtp  in

If you mean the latter, you will not be able to allow access to both servers without an additional public IP address.

Your static NAT translation and the lack of an ACL should presently be allowing connections from the outside to reach the 10.0.0.3 server on port 25 via the interface IP address.
LVL 8

Expert Comment

by:TheMak
ID: 34212271
You need to set up an access list that only allows port 25 from the server, and apply it to the dialer interface.

login is enough, but if you want a password for enable mode then you need to configure it under VTY 0 4:

password ? (you will see all commands)

Or, without enable mode, you already have the username and password which you use on the console,

username admin password 7 ************************
LVL 7

Author Comment

by:ManicD
ID: 34212287
Yes, the server is Exchange so it must send and receive (this is already set up, see running config), but nobody else on site should send or receive on port 25.
The server and all computers need to send/receive on all ports apart from 25.

Then I need to figure out who is sending the spam to disinfect the computer.
LVL 50

Accepted Solution

by:
Don Johnston earned 500 total points
ID: 34212295
>Apologies I didn't explain myself, after port 25 I do want all other ports to function normally

What about all the other devices? Assuming you want those to work, the ACL would look like this:

access-list 101 permit tcp 10.0.0.3 0.0.0.0 any eq 25
access-list 101 permit tcp 10.0.0.250 0.0.0.0 any eq 25
access-list 101 deny tcp 10.0.0.0 0.0.0.255 any eq 25 log
access-list 101 permit ip any any
LVL 8

Expert Comment

by:TheMak
ID: 34212329
You can use Exchange 2007 features for anti-spam tuning and monitoring, as you will see lots of IPs hitting in the router log,

http://social.technet.microsoft.com/Forums/en-US/exchangesvrantivirusandantispam/thread/bca379ee-3c14-4c2f-a0a6-daba7b172899/
LVL 7

Author Comment

by:ManicD
ID: 34212352
config t

access-list 101 permit tcp 10.0.0.3 0.0.0.0 any eq 25
access-list 101 permit tcp 10.0.0.250 0.0.0.0 any eq 25
access-list 101 deny tcp 10.0.0.0 0.0.0.255 any eq 25 log
access-list 101 permit ip any any

int vlan 1
 ip access-group 101 in
end

Also, how do I view the logging for the blocks? And how do I manage it, set the max space the log files can use, etc.?
Bear in mind I only need to log and view logs very occasionally.
LVL 8

Expert Comment

by:TheMak
ID: 34212369
To view logs,
show log

To change the logging buffer size, use:

logging ?
logging buffered 16384

To learn some basics,
http://networking.ringofsaturn.com/Cisco/ciscocommandguide.php
LVL 8

Expert Comment

by:TheMak
ID: 34212390

Get to know your logging options in the Cisco IOS

http://articles.techrepublic.com.com/5100-10878_11-6084442.html
LVL 50

Expert Comment

by:Don Johnston
ID: 34212395
The log messages will be displayed on the console (unless that's been disabled).

You can also view them with a "show log".

Since the reason for logging is to identify an offending machine, I don't think you need to worry about increasing the log size.

Here's Cisco's ACL logging paper.

http://www.cisco.com/web/about/security/intelligence/acl-logging.html
LVL 7

Author Comment

by:ManicD
ID: 34212396
Just looked at this and got concerned over

int vlan 1
 ip access-group 101 in

Is the direction of IN correct, or should it be OUT?

I want to stop my network sending out on port 25.

Just double checking.

LVL 8

Expert Comment

by:TheMak
ID: 34212414
It should be out if you want to block sending from your network.

"Then I need to figure out who is sending the spam to dis-infect the computer."
you want to figure out your own network computers sending out spam?

regards
 
LVL 50

Expert Comment

by:Don Johnston
ID: 34212415
Traffic coming from the 10.0.0.0/24 network will have to enter the VLAN 1 interface in order to go anywhere. So "in" would be checking that traffic.

Now if you wanted to check traffic going TO the 10.0.0.0/24 network, you could use "out" on the VLAN 1 interface.

Of course, you could check the traffic on the Dialer0 interface instead.
LVL 50

Expert Comment

by:Don Johnston
ID: 34212435
>it should be out if you want to block sending from your network..

The direction of the ACL is dependent on the interface it's applied to.

It would be outbound if it was applied to the dialer0 interface.
LVL 7

Author Comment

by:ManicD
ID: 34212439
DonJ, I would feel more confident working with the dialer interface, so just to check: it would be traffic heading out of the dialer0 interface?

Commands would be:


config t

access-list 101 permit tcp 10.0.0.3 0.0.0.0 any eq 25
access-list 101 permit tcp 10.0.0.250 0.0.0.0 any eq 25
access-list 101 deny tcp 10.0.0.0 0.0.0.255 any eq 25 log
access-list 101 permit ip any any

int dialer0
 ip access-group 101 out
end
LVL 50

Expert Comment

by:Don Johnston
ID: 34212461
Correct.
LVL 50

Expert Comment

by:Don Johnston
ID: 34212469
And actually, you can accomplish the same result with the following ACL:

access-list 101 deny tcp 10.0.0.0 0.0.0.255 any eq 25 log
access-list 101 permit ip any any

0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 34212472
Please disregard the last post.
LVL 7

Author Comment

by:ManicD
ID: 34212503
All done, but I can still run

telnet smtp.btconnect.com 25

from a computer on 10.0.0.69

======================

ROUTER#show run
Building configuration...

Current configuration : 2896 bytes
!
version 12.4
service nagle
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ROUTER
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 65536
enable secret 5 $1$WA.x$b1kOqYkQZK7R2x6ethUCn0
!
no aaa new-model
clock timezone GMT 0
regexp optimize
!
!
dot11 syslog
no ip source-route
no ip gratuitous-arps
!
!
ip dhcp excluded-address 192.168.0.1 192.168.0.10
ip dhcp excluded-address 192.168.0.30 192.168.0.254
!
!
ip cef
no ip bootp server
ip domain lookup source-interface Dialer0
ip domain name ***********************************
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
username admin password 7 *********************************
!
!
!
archive
 log config
  hidekeys
!
!
ip tcp selective-ack
ip tcp window-size 65535
ip tcp queuemax 50
ip tcp path-mtu-discovery
ip tftp source-interface Dialer0
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh source-interface Dialer0
ip ssh version 2
!
buffers tune automatic
!
!
interface ATM0
 no ip address
 load-interval 30
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description :x=LAN:
 ip address 10.0.0.254 255.255.255.0
 no ip proxy-arp
 ip mtu 1426
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1386
 hold-queue 100 out
!
interface Dialer0
 ip address negotiated
 ip access-group 101 out
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 load-interval 30
 dialer pool 1
 dialer idle-timeout 0
 dialer persistent
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname *******************
 ppp chap password 7 ********************
 ppp ipcp dns request
 ppp ipcp route default
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip dns server
ip nat inside source list NAT-POOL interface Dialer0 overload
ip nat inside source static tcp 10.0.0.3 80 interface Dialer0 80
ip nat inside source static tcp 10.0.0.3 443 interface Dialer0 443
ip nat inside source static tcp 10.0.0.3 25 interface Dialer0 25
ip nat inside source static tcp 10.0.0.3 491 interface Dialer0 491
!
ip access-list extended NAT-POOL
 permit ip 10.0.0.0 0.0.0.255 any
!
no logging trap
access-list 101 permit tcp host 10.0.0.250 any eq smtp
access-list 101 permit tcp host 10.0.0.3 any eq smtp
access-list 101 deny   tcp 10.0.0.0 0.0.0.255 any eq smtp log
access-list 101 permit ip any any
no cdp run

!
!
!
!
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 no modem enable
line aux 0
 exec-timeout 30 0
 password 7 ********************************
line vty 0 4
 exec-timeout 0 0
 no login
 transport input telnet ssh
!
scheduler max-task-time 5000
sntp source-interface Dialer0
end

====================
LVL 7

Author Comment

by:ManicD
ID: 34212509
Should

access-list 101 deny tcp 10.0.0.0 0.0.0.255 any eq smtp log


be

access-list 101 deny tcp 10.0.0.0 255.0.0.0 any eq smtp log


????????????
LVL 8

Expert Comment

by:TheMak
ID: 34212544
You applied that on the external interface, so the traffic will work internally unless you apply it on the VLAN, and wildcards are used in this way: 10.0.0.0 0.0.0.255, not 10.0.0.0 255.0.0.0.

regards,
LVL 50

Expert Comment

by:Don Johnston
ID: 34212658
That's why you should apply it to the VLAN 1 interface. You're doing NAT. So the source address is being changed.

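An added Python model (not code from the thread, from Cisco, or from any participant) of how IOS evaluates access-list 101 with wildcard masks, and why the outbound copy on Dialer0 let 10.0.0.69 through: the `ip nat inside source ... overload` rewrite happens before the outbound ACL is checked, so the logged deny never sees a 10.0.0.x source, whereas an inbound ACL on Vlan1 sees the original LAN address. It also answers the `0.0.0.255` versus `255.0.0.0` wildcard question above. The Dialer0 address 203.0.113.10 is an assumed placeholder for the negotiated address, which the page does not show.

```python
import ipaddress

# Constructed model of access-list 101 from the final running config.
# Tuple: (action, protocol, src network, src wildcard, dst port, log).
# IOS wildcard masks: a 0 bit must match exactly, a 1 bit is "don't care".
ACL_101 = [
    ("permit", "tcp", "10.0.0.250", "0.0.0.0", 25, False),
    ("permit", "tcp", "10.0.0.3", "0.0.0.0", 25, False),
    ("deny", "tcp", "10.0.0.0", "0.0.0.255", 25, True),
    ("permit", "ip", "0.0.0.0", "255.255.255.255", None, False),
]

# Assumed placeholder for the negotiated Dialer0 address (not on the page).
DIALER0_IP = "203.0.113.10"
INSIDE_NET = ipaddress.ip_network("10.0.0.0/24")


def wildcard_match(addr, network, wildcard):
    """True if addr matches network under an IOS wildcard mask."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def evaluate(acl, src, proto, dport):
    """First-match evaluation; returns (action, log) or the implicit deny."""
    for action, p, net, wc, port, log in acl:
        if p != "ip" and p != proto:
            continue
        if not wildcard_match(src, net, wc):
            continue
        if port is not None and port != dport:
            continue
        return action, log
    return "deny", False  # IOS appends an unlogged 'deny ip any any'


def nat_inside_to_outside(src):
    """Models 'ip nat inside source list NAT-POOL interface Dialer0 overload'."""
    if ipaddress.IPv4Address(src) in INSIDE_NET:
        return DIALER0_IP
    return src


def check_vlan1_in(src, proto, dport):
    """'ip access-group 101 in' on Vlan1: sees the original LAN source."""
    return evaluate(ACL_101, src, proto, dport)


def check_dialer0_out(src, proto, dport):
    """'ip access-group 101 out' on Dialer0: runs after NAT, so the source
    is already the Dialer0 address and never matches the 10.0.0.0/24 deny."""
    return evaluate(ACL_101, nat_inside_to_outside(src), proto, dport)


if __name__ == "__main__":
    for host in ("10.0.0.3", "10.0.0.69"):
        print(host, "vlan1 in:", check_vlan1_in(host, "tcp", 25),
              "dialer0 out:", check_dialer0_out(host, "tcp", 25))
```

The model only checks source address, protocol and destination port, which is all access-list 101 uses; the deny on Vlan1 is the one that produces the log line you would grep for the infected host.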
LVL 7

Author Comment

by:ManicD
ID: 34212747
Fantastic Help!!

Have a x-mas card and 500 well deserved expert points!!!

WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW

WW         ___ __     ____      ___    ___   _   _          WW

WW        |   V  \   / _  )    / __|  / __| | | | |         WW

WW        | /\ /\ | ( (/ /_   | /    | /    \ \_| |         WW

WW        |_||_||_|  \_____|  |_|    |_|     \__  |         WW

WW                                              | |         WW

WW                          _.-"""-.          _/ /          WW

WW                        _/_______ `.       |__/           WW

WW                       / _______ \  \                     WW

WW                       \/,-. ,-.\/   \                    WW

WW                       ()>=   =<()`._ \_                  WW

WW                     ,-(.--(_)--.)`-.`(_)                 WW

WW                   ,'  /.-'\_/`-.\   `.                   WW

WW                  /   /    `-'    \    \                  WW

WW                ,'    \           /     `.                WW

WW               /     _ `.       ,'  _     \               WW

WW              /     _/   `-._.-'    \_     \              WW

WW             /_______|     -|O      |_______\             WW

WW            {________}______|_______{________}            WW

WW            ,'   _ \(_____[|_=]______)  / _   `.          WW

WW           /    / `'--------------------`' \    \         WW

WW           `---'  |_____________________|   `---'         WW

WW                    |_____|_____|_____|                   WW

WW                    |__|_____|_____|__|                   WW

WW        _           |_____|_____|_____|  hjw              WW

WW       | |           _                                    WW

WW       | |          (_)        _                          WW

WW  ___  | |__    ___  _   ___  | |_  ___  _    ____   ___  WW

WW /  _| |  _ \  / __|| | / __| |  _||   V  \  / _  | / __| WW

WW(  (_  | | \ || /   | | \__ \ | |  | /\ /\ |( (_| | \__ \ WW

WW \___| |_| |_||_|   |_| |___/ |_|  |_||_||_| \____| |___/ WW

WW                                                          WW

WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW

LVL 7

Author Closing Comment

by:ManicD
ID: 34212761
:-)
LVL 50

Expert Comment

by:Don Johnston
ID: 34212804
:-)