Solved

Deny port 25 on cisco router except for email server

Posted on 2013-10-25
4
416 Views
Last Modified: 2013-11-30
Hello:

I need to block the smtp port to every computer other than my email server, here's my running config access list:

ip access-list extended INTERNET
 permit ip host 10.5.0.20 any
 permit ip host 10.4.0.24 any
 permit ip host 10.4.0.25 any
!
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 1 permit 10.1.0.0 0.0.0.255
access-list 1 permit 10.2.0.0 0.0.0.255
access-list 1 deny   any
access-list 10 permit 10.0.0.0 0.0.0.255
access-list 10 permit 10.1.0.0 0.0.0.255
access-list 10 permit 10.2.0.0 0.0.0.255
access-list 10 deny   any
access-list 100 permit ip host 10.0.0.2 any
access-list 100 permit ip host 10.0.0.100 any
access-list 100 permit ip host 10.0.0.213 any
access-list 100 permit ip host 10.0.0.3 any
access-list 100 permit ip host 10.0.0.15 any
access-list 100 permit ip host 10.0.0.146 any
access-list 100 permit ip host 10.0.0.20 any
access-list 100 permit ip host 10.0.0.30 any
access-list 100 permit ip host 10.0.0.36 any
access-list 100 permit ip host 10.0.0.38 any
access-list 100 permit ip host 10.0.0.40 any
access-list 100 permit ip host 10.0.0.42 any
access-list 100 permit ip host 10.0.0.29 any
access-list 100 permit ip host 10.0.0.59 any
access-list 100 permit ip host 10.0.0.60 any
access-list 100 permit ip host 10.0.0.72 any
access-list 100 permit ip 10.1.0.0 0.0.0.255 any
access-list 100 permit ip host 10.0.0.101 any
access-list 100 permit ip host 10.0.0.131 any
access-list 100 permit ip host 10.0.0.132 any
access-list 100 permit ip host 10.0.0.135 any
access-list 100 permit ip host 10.0.0.136 any
access-list 100 permit ip host 10.0.0.144 any
access-list 100 permit ip host 10.0.0.145 any
access-list 100 permit ip host 10.0.0.167 any
access-list 100 permit ip host 10.0.0.171 any
access-list 100 permit ip host 10.0.0.177 any
access-list 100 permit ip host 10.0.0.195 any
access-list 100 permit ip host 10.0.0.196 any
access-list 100 permit ip host 10.0.0.250 any
access-list 100 permit ip host 10.4.0.21 any
access-list 100 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
access-list 100 permit tcp 10.0.0.0 0.255.255.255 host 201.217.18.58 eq 7002
access-list 100 permit udp 10.0.0.0 0.255.255.255 host 201.217.18.58 eq 7002
access-list 100 permit tcp 10.0.0.0 0.255.255.255 host 201.217.55.50 eq 5900
access-list 100 permit udp 10.0.0.0 0.255.255.255 host 201.217.55.50 eq 5900
access-list 100 deny   ip any any
access-list 101 permit gre host 10.0.254.21 host 10.0.254.22
access-list 110 permit udp any any range 2900 4100
snmp-server community nms2010 RO
!

Thanks in advance
0
Comment
Question by:alshalai
  • 2
4 Comments
 
LVL 28

Expert Comment

by:asavener
ID: 39601065
I need a little more context.

What host needs to be able to receive SMTP?
What hosts/subnets need to be blocked from receiving SMTP?
What are the source IP addresses that you're trying to block?  Internal and external, or just external?
0
 

Author Comment

by:alshalai
ID: 39601221
Only the host 10.0.0.100 should receive mails from outside, since that host is the email server.

Every other host/subnet has to be blocked.

I'm trying to block the internal net to send emails outside, only the email server which IP is 10.0.0.100 should go out using smtp port.

 The reason is because we're getting listed in CBL blacklist due to some vulnerability exploit.

Thanks.
0
 
LVL 28

Expert Comment

by:asavener
ID: 39601335
OK.

What access list is applied to your inside interface?

If there isn't one, then that's OK, too.
0
 
LVL 7

Accepted Solution

by:
HalldorG earned 500 total points
ID: 39602493
Suggest on inside interface


ip access-list inside-list
   permit tcp host 10.0.0.100 any eq 25
   deny tcp any any eq 25
   permit ip any any


interface <name of inside interface>
ip access-group inside-list in

But of you may want to restrict access to internet more than this but this should give an idea
0

Featured Post

Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

Join & Write a Comment

Workplace bullying has increased with the use of email and social media. Retain evidence of this with email archiving to protect your employees.
Local Continuous Replication is a cost effective and quick way of backing up Exchange server data. The following article describes the steps required to configure Local Continuous Replication. Also, the article tells you how to restore from a backup…
Familiarize people with the process of retrieving data from SQL Server using an Access pass-thru query. Microsoft Access is a very powerful client/server development tool. One of the ways that you can retrieve data from a SQL Server is by using a pa…
In this video we show how to create a Distribution Group in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Recipients >>…

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now