How do I restrict access to my mail server to a known source IP

Hi guys, we are using a spam company to filter our mail and provide virus checking. I think I should restrict access to port 25 to the IP of the spam company. However, I'm not sure how to implement this.

Assuming my spam company will always send mail to me from the IP 210.110.140.203, how do I build a NAT rule that only allows traffic from that host?

My current config.

Current configuration : 6817 bytes
!
! Last configuration change at 16:01:02 EAU Fri Aug 29 2014 by root
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname myrouter
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 51200 warnings
!
no aaa new-model
clock timezone EAU 10
!
crypto pki trustpoint TP-self-signed-1152418017
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1152418017
 revocation-check none
 rsakeypair TP-self-signed-1152418017
!
!
crypto pki certificate chain TP-self-signed-1152418017
 certificate self-signed 01
  30820250 308201B9 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 31313532 34313830 3137301E 170D3032 30363131 31303032
  31325A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649

        quit
dot11 syslog
no ip source-route
!
!
ip cef
no ip domain lookup
ip domain name yourdomain.com
!
!
!
!
username root privilege 15 secret 5 $1$68Jf$2
!
!
!
archive
 log config
  hidekeys
!
!
!
track 10 ip sla 123 reachability
 delay down 10 up 10
!
!
!
interface ATM0
 description --- Bigpond ADSL WAN Connection ---$ES_WAN$
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 no atm ilmi-keepalive
 pvc 8/35
  tx-ring-limit 3
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description --- Internal LAN ---
 ip address 192.168.200.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 standby 1 ip 192.168.200.3
 standby 1 priority 105
 standby 1 preempt
 standby 1 track 10 decrement 10
!

interface Dialer0
 description --- Bigpond ---
 ip address 110.142.45.16 255.255.255.0
 ip access-group 100 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname melboxxxxxxxxxx
 ppp chap password 0 8xxxxxx
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 1xx.1xx.4x.1x
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 190 interface Dialer0 overload
ip nat inside source static tcp 192.168.200.20 443 interface Dialer0 443
ip nat inside source static tcp 192.168.200.20 51 interface Dialer0 51
ip nat inside source static tcp 192.168.200.20 52 interface Dialer0 52
ip nat inside source static tcp 192.168.200.20 54 interface Dialer0 54
ip nat inside source static tcp 192.168.200.20 25 interface Dialer0 25
ip nat inside source static tcp 192.168.200.24 21 interface Dialer0 1203
ip nat inside source static tcp 192.168.200.20 1723 interface Dialer0 1723
ip nat inside source static tcp 192.168.200.20 3390 interface Dialer0 3390
ip nat inside source static tcp 192.168.200.20 1701 interface Dialer0 1701
ip nat inside source static udp 192.168.200.20 500 interface Dialer0 500
ip nat inside source static udp 192.168.200.20 4500 interface Dialer0 4500
ip nat inside source static esp 192.168.200.20 interface Dialer0

!
ip sla 123
 icmp-echo 8.8.8.8
ip sla schedule 123 life forever start-time now
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 190 permit ip 192.168.200.0 0.0.0.255 any
no cdp run

!
!



Thanks in advance
Michael asked:
Akinsd (Network Administrator) commented:
You should first determine what port the company uses to forward mail to you.

If the communication is not on port 25 or 465, then you can block that IP from communicating with your mail server on that port.

I am still trying to determine why you intend to block someone protecting your mail from spam but I guess that's out of this scope.

On the switchport your mail server is connected to, add an ACL inbound and deny access to that IP on port 25 and/or 465.

You can also block SMTP traffic from the IP on your firewall, which may be a better option.
Michael (Author) commented:
I think you totally missed the point of my question.
Akinsd (Network Administrator) commented:
My apologies

Your question states "how do you restrict..."; I tried to imagine why you would restrict access from someone protecting you.
I guess you meant how to only permit access from the IP.

I will need further clarification.
NAT is not used to block traffic but rather to translate traffic. NAT = port forwarding in layman's terms, but there's more to it than that.
You will need to configure an ACL to filter traffic.

From your config, you are translating requests to 110.142.45.16 on several ports to the private IP 192.168.200.20.
All you need is to modify the existing access-list 100 inbound on interface Dialer0 and permit IP from 210.110.140.203 destined for 192.168.200.20.
That depends on whether the ACL is an extended ACL. If not, you will have to reconfigure the ACL. Alternatively, you can create an ACL outbound on the inside interface or inbound into VLAN 1.

(Accepted solution)
Michael (Author) commented:
Thanks I think you have got it now.

If I do as you say, I fear that will block all inbound traffic on all NAT rules to that host. I only want to apply the restriction on the NAT rule that allows port 25.
Akinsd (Network Administrator) commented:
The example I gave you allows all traffic from the specified IP.

E.g. permit ip host 1.1.1.1 host x.x.x.x

That eliminates the need for multiple statements in your ACL.
If you want to be more granular, you can permit tcp or udp instead and specify the port numbers as desired.
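An added example, not part of the thread, of how the two placements Akinsd describes look in IOS 12.4 syntax while leaving every other forwarded port untouched, which is what Michael's follow-up asks for. It uses the addresses from the posted config; the ACL name SMTP-TO-LAN and the assumption that access-list 100 (cut off by the pager in the paste) has no entries numbered below 10 are mine. Two points the thread leaves implicit: a numbered ACL in the 100-199 range is always extended, and on IOS an ACL applied inbound on the outside interface is evaluated before the outside-to-inside NAT translation, so on Dialer0 the destination to match is the public address, whereas an ACL applied outbound on Vlan1 sees the already-translated private address.

```cisco
! Added example, not from the thread. Addresses are those in the post; the ACL
! name SMTP-TO-LAN and the sequence-number assumption below are mine.
! Apply ONE of the two placements, not both.
!
! --- Option 1: inbound on Dialer0, inserted at the head of the existing ACL 100 ---
! ACL 100 is extended by definition (100-199 range), so it can match on
! source, destination and port. IOS 12.4 lets you edit it by number in named
! ACL mode with sequence numbers; default numbering starts at 10 in steps of
! 10, so entries 1 and 2 land ahead of everything already there (assumption:
! no existing entry of ACL 100 is numbered below 10; "show access-lists 100"
! shows the numbers). Nothing else in ACL 100 changes, so the other forwarded
! ports and the return traffic for LAN-initiated sessions keep whatever
! treatment they have now.
!
! An inbound ACL on the outside interface is checked BEFORE the
! outside-to-inside NAT translation, so the destination to match here is the
! public address 110.142.45.16 (the one the static NAT lines forward from),
! not the private 192.168.200.20.
ip access-list extended 100
 1 permit tcp host 210.110.140.203 host 110.142.45.16 eq smtp
 2 deny   tcp any host 110.142.45.16 eq smtp log
 exit
!
! --- Option 2: outbound on Vlan1, i.e. after translation ---
! Here the packet already carries the private address, so match 192.168.200.20.
! The trailing permit keeps all other traffic towards the LAN flowing.
ip access-list extended SMTP-TO-LAN
 permit tcp host 210.110.140.203 host 192.168.200.20 eq smtp
 deny   tcp any host 192.168.200.20 eq smtp log
 permit ip any any
 exit
interface Vlan1
 ip access-group SMTP-TO-LAN out
 exit
!
! --- Checks ---
! Hit counters on the new lines should move when the provider delivers mail
! and when anyone else probes port 25.
show access-lists 100
show ip access-lists SMTP-TO-LAN
! The static translation for port 25 must still be present; the ACL filters,
! it does not replace the NAT entry.
show ip nat translations | include :25
```

Neither placement touches mail the server sends out, because both match only on destination port 25 and the replies to server-initiated connections arrive with port 25 as the source port. With `logging buffered 51200 warnings` as in the post, the messages produced by the `log` keyword (%SEC-6-IPACCESSLOGP, severity informational) will not reach the buffer; raise the level with `logging buffered 51200 informational` or send to a syslog host if you want to see who else is knocking on port 25. From a host that is not the provider, `telnet 110.142.45.16 25` should now fail while mail from 210.110.140.203 keeps arriving.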
Topic: Routers