idealict asked: blocking outgoing smtp traffic on cisco 878
Hi Experts,
I face a challenge getting a cisco 878 to block all smtp traffic except for our mailserver.
I've read numerous articles that point me to the following solution, which is configuring the following ACLs:
Extended IP access list 101
10 permit tcp host 192.168.10.1 any eq smtp log (5187 matches)
20 deny tcp any eq smtp any eq smtp log
30 permit ip any any (373731 matches)
As you see 10 and 30 are actually filtering, but the desired one does not.
I really don't know what could be wrong here, so maybe there is a conflicting setting somewhere in the running config:
interface BRI0
no ip address
encapsulation hdlc
shutdown
!
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 0 2/32
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
ip address 192.168.10.10 255.255.255.0
ip access-group 101 in
no ip redirects
no ip proxy-arp
ip nat inside
ip virtual-reassembly
!
interface Dialer0
ip address 80.127.150.73 255.255.255.248
no ip redirects
no ip proxy-arp
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp pap sent-username bdsl@xs4all.nl password 7 071732184F0515
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0 permanent
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static tcp 192.168.10.1 25 interface Dialer0 25
ip nat inside source static tcp 192.168.10.1 443 interface Dialer0 443
ip nat inside source static tcp 192.168.10.1 1723 interface Dialer0 1723
ip nat inside source static tcp 192.168.10.1 987 interface Dialer0 987
ip nat inside source list 101 interface Dialer0 overload
!
access-list 22 permit 255.255.255.248 0.0.0.7
access-list 22 permit 194.109.0.0 0.0.3.255
access-list 22 permit 192.168.0.0 0.0.255.255
access-list 101 remark SMTP outgoing
access-list 101 remark CCP_ACL Category=3
access-list 101 remark HVHSRV01
access-list 101 permit tcp host 192.168.10.1 any eq smtp log
access-list 101 remark block outgoing smtp
access-list 101 deny tcp any eq smtp any eq smtp log
access-list 101 remark overig allowed
access-list 101 permit ip any any
dialer-list 1 protocol ip permit
snmp-server community public RO 22
I hope you can help me with this, any help greatly appreciated
rgds
Willem
Remove the access list from Vlan1 and apply it on Dialer0 out.
Make the second line:
Deny TCP any any eq smtp log
That should do the trick.
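To see why the second line has to change, here is an added example (not from the thread) that models IOS first-match extended ACL evaluation in Python and runs both the posted list and the corrected list over constructed packets; the external MTA address 203.0.113.25 and the workstation 192.168.10.55 are assumptions.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "proto src sport dst dport")  # one TCP segment
PORT_NAMES = {"smtp": 25}  # the only port keyword this ACL uses

def parse_ace(line):
    """Parse 'permit|deny tcp|ip <src> [eq p] <dst> [eq p] [log]' -> tuple."""
    t, i = line.split(), 2
    def addr():
        nonlocal i
        if t[i] == "any":
            i += 1
            return None  # matches every address
        if t[i] == "host":
            i += 2
            return t[i - 1]
        raise ValueError(f"unsupported address form in: {line}")
    def port():
        nonlocal i
        if i < len(t) and t[i] == "eq":
            i += 2
            return PORT_NAMES.get(t[i - 1]) or int(t[i - 1])
        return None  # no qualifier: any port
    src, sport = addr(), port()
    dst, dport = addr(), port()
    return (t[0], t[1], src, sport, dst, dport)

def ace_matches(ace, pkt):
    _, proto, src, sport, dst, dport = ace
    return ((proto == "ip" or proto == pkt.proto)
            and src in (None, pkt.src) and dst in (None, pkt.dst)
            and sport in (None, pkt.sport) and dport in (None, pkt.dport))

def evaluate(acl, pkt):
    """First match wins; returns (action, sequence number) or the implicit deny."""
    for seq, line in enumerate(acl, start=1):
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return (ace[0], seq * 10)
    return ("deny", None)

ORIGINAL_ACL = ["permit tcp host 192.168.10.1 any eq smtp log",
                "deny tcp any eq smtp any eq smtp log",  # needs SOURCE port 25 as well
                "permit ip any any"]
CORRECTED_ACL = ["permit tcp host 192.168.10.1 any eq smtp log",
                 "deny tcp any any eq smtp log",  # only the DESTINATION port
                 "permit ip any any"]
# Constructed packets; 203.0.113.25 is a documentation-range stand-in for an external MTA.
MAIL_SERVER = Packet("tcp", "192.168.10.1", 41000, "203.0.113.25", 25)
WORKSTATION = Packet("tcp", "192.168.10.55", 51234, "203.0.113.25", 25)  # ephemeral sport
```

The model evaluates the list as applied inbound on Vlan1, where the router still sees private source addresses; on Dialer0 outbound the inside-to-outside traffic has already been translated, so the `host 192.168.10.1` entry would no longer match there, and since the same list 101 is also referenced by `ip nat inside source list 101`, any deny added to it also excludes the matching flows from translation.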
ASKER
Hi MAG03
Thanks for the quick reaction; I changed the ACL to Dialer0 out:
interface Dialer0
ip address 80.127.150.73 255.255.255.248
ip access-group 101 out
no ip redirects
no ip proxy-arp
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
Tested it by opening a telnet session to an external smtp server (smtp.xs4all.nl): still gets connected...
The other rules still seem to be working:
Standard IP access list 22
10 permit 255.255.255.248, wildcard bits 0.0.0.7
20 permit 194.109.0.0, wildcard bits 0.0.3.255
30 permit 192.168.0.0, wildcard bits 0.0.255.255 (58 matches)
Extended IP access list 101
10 permit tcp host 192.168.10.1 any eq smtp log (2 matches)
20 deny tcp any eq smtp any eq smtp log
30 permit ip any any (5362 matches)
ASKER CERTIFIED SOLUTION
ASKER
Should have posted earlier....
ASKER
erniebeek,
That did the trick, thanks a million! Lifesaver...
Rgds
Willem
Glad I could help :)
And thx for the points.
ASKER
well deserved