Solved

Deny port 25 on cisco router except for email server

Posted on 2013-10-25
4
431 Views
Last Modified: 2013-11-30
Hello:

I need to block the smtp port to every computer other than my email server, here's my running config access list:

ip access-list extended INTERNET
 permit ip host 10.5.0.20 any
 permit ip host 10.4.0.24 any
 permit ip host 10.4.0.25 any
!
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 1 permit 10.1.0.0 0.0.0.255
access-list 1 permit 10.2.0.0 0.0.0.255
access-list 1 deny   any
access-list 10 permit 10.0.0.0 0.0.0.255
access-list 10 permit 10.1.0.0 0.0.0.255
access-list 10 permit 10.2.0.0 0.0.0.255
access-list 10 deny   any
access-list 100 permit ip host 10.0.0.2 any
access-list 100 permit ip host 10.0.0.100 any
access-list 100 permit ip host 10.0.0.213 any
access-list 100 permit ip host 10.0.0.3 any
access-list 100 permit ip host 10.0.0.15 any
access-list 100 permit ip host 10.0.0.146 any
access-list 100 permit ip host 10.0.0.20 any
access-list 100 permit ip host 10.0.0.30 any
access-list 100 permit ip host 10.0.0.36 any
access-list 100 permit ip host 10.0.0.38 any
access-list 100 permit ip host 10.0.0.40 any
access-list 100 permit ip host 10.0.0.42 any
access-list 100 permit ip host 10.0.0.29 any
access-list 100 permit ip host 10.0.0.59 any
access-list 100 permit ip host 10.0.0.60 any
access-list 100 permit ip host 10.0.0.72 any
access-list 100 permit ip 10.1.0.0 0.0.0.255 any
access-list 100 permit ip host 10.0.0.101 any
access-list 100 permit ip host 10.0.0.131 any
access-list 100 permit ip host 10.0.0.132 any
access-list 100 permit ip host 10.0.0.135 any
access-list 100 permit ip host 10.0.0.136 any
access-list 100 permit ip host 10.0.0.144 any
access-list 100 permit ip host 10.0.0.145 any
access-list 100 permit ip host 10.0.0.167 any
access-list 100 permit ip host 10.0.0.171 any
access-list 100 permit ip host 10.0.0.177 any
access-list 100 permit ip host 10.0.0.195 any
access-list 100 permit ip host 10.0.0.196 any
access-list 100 permit ip host 10.0.0.250 any
access-list 100 permit ip host 10.4.0.21 any
access-list 100 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
access-list 100 permit tcp 10.0.0.0 0.255.255.255 host 201.217.18.58 eq 7002
access-list 100 permit udp 10.0.0.0 0.255.255.255 host 201.217.18.58 eq 7002
access-list 100 permit tcp 10.0.0.0 0.255.255.255 host 201.217.55.50 eq 5900
access-list 100 permit udp 10.0.0.0 0.255.255.255 host 201.217.55.50 eq 5900
access-list 100 deny   ip any any
access-list 101 permit gre host 10.0.254.21 host 10.0.254.22
access-list 110 permit udp any any range 2900 4100
snmp-server community nms2010 RO
!

Thanks in advance
0
Comment
Question by:alshalai
  • 2
4 Comments
 
LVL 28

Expert Comment

by:asavener
ID: 39601065
I need a little more context.

What host needs to be able to receive SMTP?
What hosts/subnets need to be blocked from receiving SMTP?
What are the source IP addresses that you're trying to block?  Internal and external, or just external?
0
 

Author Comment

by:alshalai
ID: 39601221
Only the host 10.0.0.100 should receive mails from outside, since that host is the email server.

Every other host/subnet has to be blocked.

I'm trying to block the internal net to send emails outside, only the email server which IP is 10.0.0.100 should go out using smtp port.

 The reason is because we're getting listed in CBL blacklist due to some vulnerability exploit.

Thanks.
0
 
LVL 28

Expert Comment

by:asavener
ID: 39601335
OK.

What access list is applied to your inside interface?

If there isn't one, then that's OK, too.
0
 
LVL 7

Accepted Solution

by:
HalldorG earned 500 total points
ID: 39602493
Suggest on inside interface


ip access-list inside-list
   permit tcp host 10.0.0.100 any eq 25
   deny tcp any any eq 25
   permit ip any any


interface <name of inside interface>
ip access-group inside-list in

But of you may want to restrict access to internet more than this but this should give an idea
0

Featured Post

Three Reasons Why Backup is Strategic

Backup is strategic to your business because your data is strategic to your business. Without backup, your business will fail. This white paper explains why it is vital for you to design and immediately execute a backup strategy to protect 100 percent of your data.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Utilizing an array to gracefully append to a list of EmailAddresses
This process describes the steps required to Import and Export data from and to .pst files using Exchange 2010. We can use these steps to export data from a user to a .pst file, import data back to the same or a different user, or even import data t…
In this video we show how to create a Resource Mailbox in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: Navigate to the Recipients >> Resources tab.: "Recipients" is our default selection …
The video tutorial explains the basics of the Exchange server Database Availability groups. The components of this video include: 1. Automatic Failover 2. Failover Clustering 3. Active Manager

820 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question