Block port 25 in Cisco router

I have a router connecting the branch to the office.
The branch IP has now been blacklisted.
I want to block port 25 except for 2 PCs with Outlook.

This is the result of show version command
Cisco IOS Software, C850 Software (C850-ADVSECURITYK9-M), Version 12.4(15)T7.

I tried the below command but it is not blocking SMTP traffic.

access-list 102 deny TCP 10.1.1.0 255.255.255.0 any  eq smtp

Below are the access-list configured
access-list 100 permit ip 10.9.0.0 0.0.0.255 any
access-list 101 permit ip host 10.9.0.200 any
access-list 130 permit ip host 10.9.0.5 any
access-list 130 permit ip host 10.9.0.7 any
access-list 130 permit ip host 10.9.0.9 any
access-list 130 permit ip host 10.9.0.254 any
access-list 130 permit ip host 10.9.0.100 any
access-list 130 permit ip host 10.9.0.32 any
access-list 130 permit ip any any
MAS (MVE), EE Solution Guide - Technical Dept Head, Asked:
Thomas Grassi, Systems Administrator, Commented:
0
Istvan Kalmar, Head of IT Security Division, Commented:
Please show the whole config.
0
MAS (MVE), EE Solution Guide - Technical Dept Head, Author Commented:
Attached the config
config.txt
0
MAS (MVE), EE Solution Guide - Technical Dept Head, Author Commented:
I did as per the first post; still no luck. Here are the access lists after saving:

access-list 100 permit ip 10.9.0.0 0.0.0.255 any
access-list 101 permit ip host 10.9.0.200 any
access-list 101 deny   tcp 10.9.0.0 0.0.0.255 any eq smtp
access-list 130 permit ip host 10.9.0.5 any
access-list 130 permit ip host 10.9.0.7 any
access-list 130 permit ip host 10.9.0.9 any
access-list 130 permit ip host 10.9.0.254 any
access-list 130 permit ip host 10.9.0.100 any
access-list 130 permit ip host 10.9.0.32 any
access-list 130 permit ip any any
0
mannyfernandez Commented:
First and foremost, change all passwords.

Second you want to do the following:

access-list 102 permit tcp host x.x.x.x any eq 25
access-list 102 permit tcp host y.y.y.y any eq 25
access-list 102 deny tcp any any eq 25
access-list 102 permit ip any any

Apply this access-list to the inbound direction on vlan 1
0
MAS (MVE), EE Solution Guide - Technical Dept Head, Author Commented:
The external IP address in that is wrong; I gave a dummy IP, so no need to change the password.


I am not sure how to apply these access-lists to vlan1
0
mannyfernandez Commented:
interface Vlan1
 ip access-group 102 in


Without this last part, the ACL is not assigned to any interface.

Change all your passwords including the PSK for the VPNs. You should never post those.

Also:

service password-encryption
username something-else priv 15 secret PASSWORD-OF-YOUR-CHOICE
no username nscit privilege 15 password 0 NasserAdmin
no username cisco password 0 cisco

Consider applying an inbound ACL on the dialer interface.
0

mannyfernandez Commented:
If you need a 3rd machine to send SMTP traffic, make sure you add its IP to the top of the list, as the ACL is processed top down. That means if the permit is after the deny, it will never hit the permit.
0
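The top-down, first-match behaviour discussed in this thread, as an added example that is not part of any participant's post: a small Python evaluator for the `access-list` lines shown on this page, including how the `255.255.255.0` in the question's line is read as a wildcard mask. The addresses 10.9.0.5, 10.9.0.7 and 10.9.0.50 and the trailing permit in `ATTEMPT` are assumptions made for the illustration.

```python
import ipaddress

def ip_int(s):
    return int(ipaddress.IPv4Address(s))

def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC any [eq PORT]', the only form used here."""
    tok = line.lower().split()
    action, proto, rest = tok[2], tok[3], tok[4:]
    if rest[0] == "any":                      # any source
        addr, wild, rest = 0, 0xFFFFFFFF, rest[1:]
    elif rest[0] == "host":                   # host A.B.C.D == wildcard 0.0.0.0
        addr, wild, rest = ip_int(rest[1]), 0, rest[2:]
    else:                                     # A.B.C.D followed by a WILDCARD mask
        addr, wild, rest = ip_int(rest[0]), ip_int(rest[1]), rest[2:]
    port = None
    if "eq" in rest:
        name = rest[rest.index("eq") + 1]
        port = 25 if name == "smtp" else int(name)
    return action, proto, addr, wild, port

def evaluate(acl, src, proto, dport):
    """Return (action, matching line number); first match wins, no match is the implicit deny."""
    s = ip_int(src)
    for n, line in enumerate(acl, 1):
        action, p, addr, wild, port = parse_ace(line)
        if p not in ("ip", proto):
            continue
        if (s | wild) != (addr | wild):       # wildcard bit 1 means "ignore this bit"
            continue
        if port is not None and port != dport:
            continue
        return action, n
    return "deny", None

# Line from the question, plus an assumed trailing permit so other traffic passes.
ATTEMPT = ["access-list 102 deny TCP 10.1.1.0 255.255.255.0 any  eq smtp",
           "access-list 102 permit ip any any"]
# ACL from the answer; 10.9.0.5 and 10.9.0.7 are assumed stand-ins for x.x.x.x / y.y.y.y.
FIXED = ["access-list 102 permit tcp host 10.9.0.5 any eq 25",
         "access-list 102 permit tcp host 10.9.0.7 any eq 25",
         "access-list 102 deny tcp any any eq 25",
         "access-list 102 permit ip any any"]
THIRD_PC = "access-list 102 permit tcp host 10.9.0.50 any eq 25"  # constructed address

if __name__ == "__main__":
    print(evaluate(ATTEMPT, "10.9.0.50", "tcp", 25))             # mask never matches
    print(evaluate(FIXED, "10.9.0.5", "tcp", 25))
    print(evaluate(FIXED + [THIRD_PC], "10.9.0.50", "tcp", 25))  # appended: too late
    print(evaluate([THIRD_PC] + FIXED, "10.9.0.50", "tcp", 25))  # on top: permitted
```

The evaluator only models matching order; on the router the list still has to be bound to an interface with `ip access-group` before it filters anything.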
MAS (MVE), EE Solution Guide - Technical Dept Head, Author Commented:
ACL is processed top down.
If the SMTP permit is after the deny it will never allow the SMTP traffic to pass, right?

Furthermore
Do I need to change the password?
There is no public IP in that. All replaced with dummy IP
0
MAS (MVE), EE Solution Guide - Technical Dept Head, Author Commented:
Thanks and it worked

How to add an IP in future to the group?

Do I have to delete all ACLs and recreate them all, or is there any other way to add a single IP?
Because now when I try to add an IP it is not listed in the order, so I recreated the ACL from scratch.


-->consider applying inbound ACL on the dialer interface.
Please suggest what are the access lists required.

Thanks
0
MAS (MVE), EE Solution Guide - Technical Dept Head, Author Commented:
Awaiting your reply
0
MAS (MVE), EE Solution Guide - Technical Dept Head, Author Commented:
I would appreciate it if you could guide me on how to add an IP in future.
0