Solved

Deny port 25 on cisco router except for email server

Posted on 2013-10-25
Last Modified: 2013-11-30
Hello:

I need to block the smtp port to every computer other than my email server, here's my running config access list:

ip access-list extended INTERNET
 permit ip host 10.5.0.20 any
 permit ip host 10.4.0.24 any
 permit ip host 10.4.0.25 any
!
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 1 permit 10.1.0.0 0.0.0.255
access-list 1 permit 10.2.0.0 0.0.0.255
access-list 1 deny   any
access-list 10 permit 10.0.0.0 0.0.0.255
access-list 10 permit 10.1.0.0 0.0.0.255
access-list 10 permit 10.2.0.0 0.0.0.255
access-list 10 deny   any
access-list 100 permit ip host 10.0.0.2 any
access-list 100 permit ip host 10.0.0.100 any
access-list 100 permit ip host 10.0.0.213 any
access-list 100 permit ip host 10.0.0.3 any
access-list 100 permit ip host 10.0.0.15 any
access-list 100 permit ip host 10.0.0.146 any
access-list 100 permit ip host 10.0.0.20 any
access-list 100 permit ip host 10.0.0.30 any
access-list 100 permit ip host 10.0.0.36 any
access-list 100 permit ip host 10.0.0.38 any
access-list 100 permit ip host 10.0.0.40 any
access-list 100 permit ip host 10.0.0.42 any
access-list 100 permit ip host 10.0.0.29 any
access-list 100 permit ip host 10.0.0.59 any
access-list 100 permit ip host 10.0.0.60 any
access-list 100 permit ip host 10.0.0.72 any
access-list 100 permit ip 10.1.0.0 0.0.0.255 any
access-list 100 permit ip host 10.0.0.101 any
access-list 100 permit ip host 10.0.0.131 any
access-list 100 permit ip host 10.0.0.132 any
access-list 100 permit ip host 10.0.0.135 any
access-list 100 permit ip host 10.0.0.136 any
access-list 100 permit ip host 10.0.0.144 any
access-list 100 permit ip host 10.0.0.145 any
access-list 100 permit ip host 10.0.0.167 any
access-list 100 permit ip host 10.0.0.171 any
access-list 100 permit ip host 10.0.0.177 any
access-list 100 permit ip host 10.0.0.195 any
access-list 100 permit ip host 10.0.0.196 any
access-list 100 permit ip host 10.0.0.250 any
access-list 100 permit ip host 10.4.0.21 any
access-list 100 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
access-list 100 permit tcp 10.0.0.0 0.255.255.255 host 201.217.18.58 eq 7002
access-list 100 permit udp 10.0.0.0 0.255.255.255 host 201.217.18.58 eq 7002
access-list 100 permit tcp 10.0.0.0 0.255.255.255 host 201.217.55.50 eq 5900
access-list 100 permit udp 10.0.0.0 0.255.255.255 host 201.217.55.50 eq 5900
access-list 100 deny   ip any any
access-list 101 permit gre host 10.0.254.21 host 10.0.254.22
access-list 110 permit udp any any range 2900 4100
snmp-server community nms2010 RO
!

Thanks in advance
Question by:alshalai
4 Comments

Expert Comment

by:asavener
ID: 39601065
I need a little more context.

What host needs to be able to receive SMTP?
What hosts/subnets need to be blocked from receiving SMTP?
What are the source IP addresses that you're trying to block?  Internal and external, or just external?

Author Comment

by:alshalai
ID: 39601221
Only the host 10.0.0.100 should receive mails from outside, since that host is the email server.

Every other host/subnet has to be blocked.

I'm trying to block the internal network from sending emails outside; only the email server, whose IP is 10.0.0.100, should go out using the SMTP port.

The reason is that we're getting listed on the CBL blacklist due to some vulnerability exploit.

Thanks.

Expert Comment

by:asavener
ID: 39601335
OK.

What access list is applied to your inside interface?

If there isn't one, then that's OK, too.

Accepted Solution

by:HalldorG (earned 1500 total points)
ID: 39602493
Suggestion for the inside interface:


ip access-list extended inside-list
 ! the mail server may open SMTP sessions to anywhere
 permit tcp host 10.0.0.100 any eq 25
 ! every other inside host is refused SMTP
 deny tcp any any eq 25
 ! all remaining traffic is unaffected (otherwise the implicit deny would drop it)
 permit ip any any

interface <name of inside interface>
 ip access-group inside-list in

But you may want to restrict access to the internet more than this; this should give you an idea.
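As an added illustration (not code from the thread or from any of its participants), the following Python evaluator applies the accepted answer's inside-list top to bottom, the way IOS evaluates an extended ACL, against a few constructed packets, and also shows why the order of the three lines matters. The destination addresses are constructed documentation-range values, not hosts from the question.

```python
import ipaddress

# Constructed copy of the accepted answer's inside-list; first match wins.
INSIDE_LIST = [
    "permit tcp host 10.0.0.100 any eq 25",
    "deny tcp any any eq 25",
    "permit ip any any",
]

def _net(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    # An IOS wildcard mask is the bitwise inverse of a subnet mask.
    mask = ipaddress.ip_address(~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), tokens[2:]

def parse_ace(line):
    """Parse one access-control entry of the form used in the thread."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    src, rest = _net(tokens[2:])
    dst, rest = _net(rest)
    dport = int(rest[1]) if rest[:1] == ["eq"] else None
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}

def evaluate(acl, proto, src, dst, dport):
    """Return 'permit' or 'deny' from the first matching ACE; implicit deny at the end."""
    for ace in map(parse_ace, acl):
        if ace["proto"] not in ("ip", proto):
            continue
        if ipaddress.ip_address(src) not in ace["src"]:
            continue
        if ipaddress.ip_address(dst) not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"]
    return "deny"  # every IOS ACL ends with an implicit deny

if __name__ == "__main__":
    for src, port in (("10.0.0.100", 25), ("10.0.0.50", 25), ("10.0.0.50", 443)):
        print(src, port, evaluate(INSIDE_LIST, "tcp", src, "203.0.113.25", port))
```

The implicit deny at the end is why the permit ip any any line is required; without it, the inbound ACL would drop every other kind of traffic from the inside network.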
