Deny port 25 on cisco router except for email server

Posted on 2013-10-25
Last Modified: 2013-11-30
Hello:

I need to block the smtp port to every computer other than my email server, here's my running config access list:

ip access-list extended INTERNET
 permit ip host 10.5.0.20 any
 permit ip host 10.4.0.24 any
 permit ip host 10.4.0.25 any
!
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 1 permit 10.1.0.0 0.0.0.255
access-list 1 permit 10.2.0.0 0.0.0.255
access-list 1 deny   any
access-list 10 permit 10.0.0.0 0.0.0.255
access-list 10 permit 10.1.0.0 0.0.0.255
access-list 10 permit 10.2.0.0 0.0.0.255
access-list 10 deny   any
access-list 100 permit ip host 10.0.0.2 any
access-list 100 permit ip host 10.0.0.100 any
access-list 100 permit ip host 10.0.0.213 any
access-list 100 permit ip host 10.0.0.3 any
access-list 100 permit ip host 10.0.0.15 any
access-list 100 permit ip host 10.0.0.146 any
access-list 100 permit ip host 10.0.0.20 any
access-list 100 permit ip host 10.0.0.30 any
access-list 100 permit ip host 10.0.0.36 any
access-list 100 permit ip host 10.0.0.38 any
access-list 100 permit ip host 10.0.0.40 any
access-list 100 permit ip host 10.0.0.42 any
access-list 100 permit ip host 10.0.0.29 any
access-list 100 permit ip host 10.0.0.59 any
access-list 100 permit ip host 10.0.0.60 any
access-list 100 permit ip host 10.0.0.72 any
access-list 100 permit ip 10.1.0.0 0.0.0.255 any
access-list 100 permit ip host 10.0.0.101 any
access-list 100 permit ip host 10.0.0.131 any
access-list 100 permit ip host 10.0.0.132 any
access-list 100 permit ip host 10.0.0.135 any
access-list 100 permit ip host 10.0.0.136 any
access-list 100 permit ip host 10.0.0.144 any
access-list 100 permit ip host 10.0.0.145 any
access-list 100 permit ip host 10.0.0.167 any
access-list 100 permit ip host 10.0.0.171 any
access-list 100 permit ip host 10.0.0.177 any
access-list 100 permit ip host 10.0.0.195 any
access-list 100 permit ip host 10.0.0.196 any
access-list 100 permit ip host 10.0.0.250 any
access-list 100 permit ip host 10.4.0.21 any
access-list 100 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
access-list 100 permit tcp 10.0.0.0 0.255.255.255 host 201.217.18.58 eq 7002
access-list 100 permit udp 10.0.0.0 0.255.255.255 host 201.217.18.58 eq 7002
access-list 100 permit tcp 10.0.0.0 0.255.255.255 host 201.217.55.50 eq 5900
access-list 100 permit udp 10.0.0.0 0.255.255.255 host 201.217.55.50 eq 5900
access-list 100 deny   ip any any
access-list 101 permit gre host 10.0.254.21 host 10.0.254.22
access-list 110 permit udp any any range 2900 4100
snmp-server community nms2010 RO
!

Thanks in advance
Question by:alshalai
4 Comments
 
LVL 28

Expert Comment

by:asavener
ID: 39601065
I need a little more context.

What host needs to be able to receive SMTP?
What hosts/subnets need to be blocked from receiving SMTP?
What are the source IP addresses that you're trying to block? Internal and external, or just external?
 

Author Comment

by:alshalai
ID: 39601221
Only the host 10.0.0.100 should receive mails from outside, since that host is the email server.

Every other host/subnet has to be blocked.

I'm trying to block the internal net from sending emails outside; only the email server, whose IP is 10.0.0.100, should go out using the smtp port.

The reason is because we're getting listed on the CBL blacklist due to some vulnerability exploit.

Thanks.
 
LVL 28

Expert Comment

by:asavener
ID: 39601335
OK.

What access list is applied to your inside interface?

If there isn't one, then that's OK, too.
 
LVL 7

Accepted Solution

by:HalldorG (earned 1500 total points)
ID: 39602493
Suggest on inside interface


ip access-list extended inside-list
 remark the mail server may open SMTP sessions to anywhere
 permit tcp host 10.0.0.100 any eq 25
 remark every other inside host is refused TCP/25
 deny tcp any any eq 25
 remark all other traffic is unaffected
 permit ip any any
!
interface <name of inside interface>
 ip access-group inside-list in

But you may want to restrict access to the internet more than this; this should give an idea.
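To check that the accepted answer's ACL does what the asker wants before it goes on the router, here is an added example (not from the original thread) that models IOS first-match ACL evaluation in Python and runs the three entries above against sample flows; the addresses 198.51.100.25 and 10.1.0.7 are constructed test values, and MISORDERED shows the same entries with permit ip any any placed first, which silently defeats the deny.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ipaddress.IPv4Network("0.0.0.0/0")

@dataclass(frozen=True)
class Ace:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches every protocol, else "tcp"/"udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]          # None = any destination port

def parse_ace(line: str) -> Ace:
    """Parse the ACE subset used on this page: <permit|deny> <proto> <addr> <addr>
    [eq <port>], where <addr> is 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'."""
    tok = line.split()
    pos, addrs = 2, []
    for _ in range(2):
        if tok[pos] == "any":
            addrs.append(ANY)
            pos += 1
        elif tok[pos] == "host":
            addrs.append(ipaddress.IPv4Network(tok[pos + 1] + "/32"))
            pos += 2
        else:  # ipaddress accepts an IOS wildcard (hostmask) after the slash
            addrs.append(ipaddress.IPv4Network(f"{tok[pos]}/{tok[pos + 1]}", strict=False))
            pos += 2
    dport = int(tok[pos + 1]) if pos < len(tok) and tok[pos] == "eq" else None
    return Ace(tok[0], tok[1], addrs[0], addrs[1], dport)

def evaluate(acl, src, dst, proto, dport):
    """IOS first-match semantics, with the implicit 'deny ip any any' at the end."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for a in acl:
        if a.proto in ("ip", proto) and s in a.src and d in a.dst and a.dport in (None, dport):
            return a.action
    return "deny"

# The ACL from the accepted answer, applied inbound on the inside interface.
INSIDE_LIST = [parse_ace(l) for l in (
    "permit tcp host 10.0.0.100 any eq 25",
    "deny tcp any any eq 25",
    "permit ip any any",
)]
# Same entries with 'permit ip any any' first: a common ordering mistake.
MISORDERED = [INSIDE_LIST[2], INSIDE_LIST[0], INSIDE_LIST[1]]

if __name__ == "__main__":
    for src, port in (("10.0.0.100", 25), ("10.0.0.20", 25), ("10.0.0.20", 443)):
        print(src, port, evaluate(INSIDE_LIST, src, "198.51.100.25", "tcp", port))
```

The run also shows what the ACL leaves alone: UDP/25 and every other TCP port still pass, so this rule only stops outbound SMTP on TCP/25, which is exactly the scope the question asked for.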