Solved

Deny port 25 on cisco router except for email server

Posted on 2013-10-25
Last Modified: 2013-11-30
Hello:

I need to block the smtp port to every computer other than my email server, here's my running config access list:

ip access-list extended INTERNET
 permit ip host 10.5.0.20 any
 permit ip host 10.4.0.24 any
 permit ip host 10.4.0.25 any
!
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 1 permit 10.1.0.0 0.0.0.255
access-list 1 permit 10.2.0.0 0.0.0.255
access-list 1 deny   any
access-list 10 permit 10.0.0.0 0.0.0.255
access-list 10 permit 10.1.0.0 0.0.0.255
access-list 10 permit 10.2.0.0 0.0.0.255
access-list 10 deny   any
access-list 100 permit ip host 10.0.0.2 any
access-list 100 permit ip host 10.0.0.100 any
access-list 100 permit ip host 10.0.0.213 any
access-list 100 permit ip host 10.0.0.3 any
access-list 100 permit ip host 10.0.0.15 any
access-list 100 permit ip host 10.0.0.146 any
access-list 100 permit ip host 10.0.0.20 any
access-list 100 permit ip host 10.0.0.30 any
access-list 100 permit ip host 10.0.0.36 any
access-list 100 permit ip host 10.0.0.38 any
access-list 100 permit ip host 10.0.0.40 any
access-list 100 permit ip host 10.0.0.42 any
access-list 100 permit ip host 10.0.0.29 any
access-list 100 permit ip host 10.0.0.59 any
access-list 100 permit ip host 10.0.0.60 any
access-list 100 permit ip host 10.0.0.72 any
access-list 100 permit ip 10.1.0.0 0.0.0.255 any
access-list 100 permit ip host 10.0.0.101 any
access-list 100 permit ip host 10.0.0.131 any
access-list 100 permit ip host 10.0.0.132 any
access-list 100 permit ip host 10.0.0.135 any
access-list 100 permit ip host 10.0.0.136 any
access-list 100 permit ip host 10.0.0.144 any
access-list 100 permit ip host 10.0.0.145 any
access-list 100 permit ip host 10.0.0.167 any
access-list 100 permit ip host 10.0.0.171 any
access-list 100 permit ip host 10.0.0.177 any
access-list 100 permit ip host 10.0.0.195 any
access-list 100 permit ip host 10.0.0.196 any
access-list 100 permit ip host 10.0.0.250 any
access-list 100 permit ip host 10.4.0.21 any
access-list 100 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
access-list 100 permit tcp 10.0.0.0 0.255.255.255 host 201.217.18.58 eq 7002
access-list 100 permit udp 10.0.0.0 0.255.255.255 host 201.217.18.58 eq 7002
access-list 100 permit tcp 10.0.0.0 0.255.255.255 host 201.217.55.50 eq 5900
access-list 100 permit udp 10.0.0.0 0.255.255.255 host 201.217.55.50 eq 5900
access-list 100 deny   ip any any
access-list 101 permit gre host 10.0.254.21 host 10.0.254.22
access-list 110 permit udp any any range 2900 4100
snmp-server community nms2010 RO
!

Thanks in advance
Question by:alshalai
4 Comments

Expert Comment

by:asavener
ID: 39601065
I need a little more context.

What host needs to be able to receive SMTP?
What hosts/subnets need to be blocked from receiving SMTP?
What are the source IP addresses that you're trying to block?  Internal and external, or just external?

Author Comment

by:alshalai
ID: 39601221
Only the host 10.0.0.100 should receive mail from outside, since that host is the email server.

Every other host/subnet has to be blocked.

I'm trying to block the internal network from sending email outside; only the email server, whose IP is 10.0.0.100, should go out using the SMTP port.

The reason is that we're getting listed on the CBL blacklist due to some vulnerability exploit.

Thanks.

Expert Comment

by:asavener
ID: 39601335
OK.

What access list is applied to your inside interface?

If there isn't one, then that's OK, too.

Accepted Solution

by:HalldorG (earned 1500 total points)
ID: 39602493
Suggested for the inside interface:


ip access-list extended inside-list
   remark only the mail server may open outbound SMTP connections
   permit tcp host 10.0.0.100 any eq 25
   deny tcp any any eq 25
   remark everything else from the LAN is unchanged
   permit ip any any

interface <name of inside interface>
   ip access-group inside-list in

But you may want to restrict access to the internet more than this; this should give you an idea.
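An added example (not part of the original thread) that simulates IOS first-match, implicit-deny evaluation over the accepted answer's inside-list with constructed packets, and also shows what happens if the two SMTP entries are entered in the wrong order. The workstation and destination addresses are constructed; the ACL entries are the ones from the answer.

```python
import ipaddress

# Constructed ACL evaluator mirroring IOS first-match semantics.
# ACEs are (action, protocol, src, dst, dst_port); src/dst use IOS syntax:
# "any", "host A.B.C.D", or "A.B.C.D W.W.W.W" (address plus wildcard mask).

def _match_addr(spec: str, addr: str) -> bool:
    """Match an IOS address spec (any / host X / net wildcard) against an address."""
    if spec == "any":
        return True
    parts = spec.split()
    if parts[0] == "host":
        return addr == parts[1]
    net, wildcard = parts
    n = int(ipaddress.IPv4Address(net))
    w = int(ipaddress.IPv4Address(wildcard))
    a = int(ipaddress.IPv4Address(addr))
    # Wildcard bits set to 1 are "don't care"; all other bits must be equal.
    return (a & ~w & 0xFFFFFFFF) == (n & ~w & 0xFFFFFFFF)

def evaluate(acl, proto: str, src: str, dst: str, dport: int) -> str:
    """Return the action of the first matching ACE; implicit deny if none match."""
    for action, aproto, asrc, adst, aport in acl:
        if aproto not in ("ip", proto):
            continue
        if not _match_addr(asrc, src) or not _match_addr(adst, dst):
            continue
        if aport is not None and aport != dport:
            continue
        return action
    return "deny"  # every IOS ACL ends with an implicit deny any

# The accepted answer's inside-list, applied inbound on the LAN interface.
INSIDE_LIST = [
    ("permit", "tcp", "host 10.0.0.100", "any", 25),
    ("deny",   "tcp", "any",             "any", 25),
    ("permit", "ip",  "any",             "any", None),
]

# Same ACEs with the deny entered first: the mail server loses outbound SMTP.
MISORDERED = [INSIDE_LIST[1], INSIDE_LIST[0], INSIDE_LIST[2]]

def check_outbound_smtp_policy(acl):
    """Summarise the ACL's verdict for the cases the question cares about."""
    return {
        "mail_server_smtp": evaluate(acl, "tcp", "10.0.0.100", "203.0.113.25", 25),
        "workstation_smtp": evaluate(acl, "tcp", "10.0.0.42", "203.0.113.25", 25),
        "workstation_https": evaluate(acl, "tcp", "10.0.0.42", "203.0.113.25", 443),
        "other_subnet_smtp": evaluate(acl, "tcp", "10.1.0.7", "203.0.113.25", 25),
    }
```

Note that a list applied inbound on the LAN interface only governs mail leaving the network; restricting inbound delivery to the mail server from outside needs a separate list on the outside interface.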