Avatar of M A

Block port 25 in Cisco router

I have a router connecting to the office from the branch.
Now the branch IP has been blacklisted.
Now I want to block port 25 except for 2 PCs with Outlook.

This is the result of show version command
Cisco IOS Software, C850 Software (C850-ADVSECURITYK9-M), Version 12.4(15)T7.

I tried the command below, but it is not blocking SMTP traffic.

access-list 102 deny TCP 10.1.1.0 255.255.255.0 any  eq smtp

Below are the access-list configured
access-list 100 permit ip 10.9.0.0 0.0.0.255 any
access-list 101 permit ip host 10.9.0.200 any
access-list 130 permit ip host 10.9.0.5 any
access-list 130 permit ip host 10.9.0.7 any
access-list 130 permit ip host 10.9.0.9 any
access-list 130 permit ip host 10.9.0.254 any
access-list 130 permit ip host 10.9.0.100 any
access-list 130 permit ip host 10.9.0.32 any
access-list 130 permit ip any any

Avatar of Istvan Kalmar
Please show the whole config.
Avatar of M A

ASKER

Attached the config
config.txt
Avatar of M A

ASKER

I did as per the first post, still no luck. Here are the access lists after saving:

access-list 100 permit ip 10.9.0.0 0.0.0.255 any
access-list 101 permit ip host 10.9.0.200 any
access-list 101 deny   tcp 10.9.0.0 0.0.0.255 any eq smtp
access-list 130 permit ip host 10.9.0.5 any
access-list 130 permit ip host 10.9.0.7 any
access-list 130 permit ip host 10.9.0.9 any
access-list 130 permit ip host 10.9.0.254 any
access-list 130 permit ip host 10.9.0.100 any
access-list 130 permit ip host 10.9.0.32 any
access-list 130 permit ip any any
SOLUTION
Avatar of mannyfernandez
mannyfernandez

This solution is only available to members.
Avatar of M A

ASKER

The external IP address is wrong in that; I gave a dummy IP, so no need to change the password.


I am not sure how to apply these access-lists to vlan1
ASKER CERTIFIED SOLUTION
This solution is only available to members.
Avatar of mannyfernandez
mannyfernandez

If you need a 3rd machine to send SMTP traffic, make sure that you add its IP to the top of the list, as the ACL is processed top down. That means if the permit is after the deny, it will never hit the permit.
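
The top-down, first-match behaviour described above, as an added example (not part of the original thread and not Cisco code): a small Python evaluator for the subset of extended ACL syntax that appears on this page, run over the entries the asker posted. The function names, the shortened ACL 130 with an appended deny, and the 192.0.2.25 destination are constructed for illustration; how each list is bound to an interface is not modelled.

```python
import ipaddress

def ip_int(a):
    return int(ipaddress.IPv4Address(a))

def parse_addr(tok, i):
    """Read 'any', 'host A' or 'A WILDCARD' at tok[i]; return ((base, wildcard), next index)."""
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (ip_int(tok[i + 1]), 0), i + 2
    return (ip_int(tok[i]), ip_int(tok[i + 1])), i + 2

def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT]', the subset this page uses."""
    tok = line.lower().split()
    src, i = parse_addr(tok, 4)
    dst, i = parse_addr(tok, i)
    port = None
    if i < len(tok) and tok[i] == "eq":
        port = 25 if tok[i + 1] == "smtp" else int(tok[i + 1])
    return tok[2], tok[3], src, dst, port

def addr_match(spec, ip):
    """Wildcard bits set to 1 are ignored; bits set to 0 must equal the base address."""
    care = ~spec[1] & 0xFFFFFFFF
    return (ip_int(ip) & care) == (spec[0] & care)

def evaluate(acl, proto, src, dst, dport):
    """Evaluate as a packet filter: top-down, first match wins; return (action, line)."""
    for line in acl:
        action, p, s, d, port = parse_ace(line)
        if (p in ("ip", proto) and port in (None, dport)
                and addr_match(s, src) and addr_match(d, dst)):
            return action, line
    return "deny", "(implicit deny at end of ACL)"

# First attempt on the page: a subnet mask where a wildcard mask is expected.
TRIED = ["access-list 102 deny TCP 10.1.1.0 255.255.255.0 any  eq smtp"]
# ACL 101 as posted after saving.
SAVED_101 = ["access-list 101 permit ip host 10.9.0.200 any",
             "access-list 101 deny   tcp 10.9.0.0 0.0.0.255 any eq smtp"]
# Constructed: ACL 130 shortened, with an SMTP deny appended after the catch-all permit.
APPENDED_130 = ["access-list 130 permit ip any any",
                "access-list 130 deny tcp 10.9.0.0 0.0.0.255 any eq smtp"]
MAIL = "192.0.2.25"  # constructed stand-in for an external mail server

if __name__ == "__main__":
    for acl in (TRIED, SAVED_101, APPENDED_130):
        print(evaluate(acl, "tcp", "10.9.0.50", MAIL, 25))
```

With 255.255.255.0 in the wildcard position, the first entry matches only source addresses whose last octet is 0, so it never matches a host such as 10.9.0.50; and a deny appended after `permit ip any any` is never reached.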
Avatar of M A

ASKER

ACL is processed top down.  
If SMTP permit is after deny it will never allow the SMTP traffic to pass, right?

Furthermore
Do I need to change the password?
There is no public IP in that. All replaced with dummy IP
Avatar of M A

ASKER

Thanks and it worked

How to add an IP in future to the group?

Do I have to delete all ACLs and recreate them all, or is there any other way to add a single IP?
Because now when I try to add an IP it is not listed in order, so I recreated the ACL from scratch.


-->consider applying inbound ACL on the dialer interface.
Please suggest what are the access lists required.

Thanks
Avatar of M A

ASKER

Awaiting your reply
Avatar of M A

ASKER

Appreciate if you guide on how to add an IP in future.