How do I restrict access to my mail server to a known source IP

Hi guys, we are using a spam company to filter our mail and provide virus checking. I think I should restrict access to port 25 to the IP of the spam company. However, I'm not sure how to implement this.

Assuming my spam company will always send mail to me from the IP 210.110.140.203, how do I build a NAT rule that only allows traffic from that host?

My current config.

Current configuration : 6817 bytes
!
! Last configuration change at 16:01:02 EAU Fri Aug 29 2014 by root
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname myrouter
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 51200 warnings
!
no aaa new-model
clock timezone EAU 10
!
crypto pki trustpoint TP-self-signed-1152418017
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1152418017
 revocation-check none
 rsakeypair TP-self-signed-1152418017
!
!
crypto pki certificate chain TP-self-signed-1152418017
 certificate self-signed 01
  30820250 308201B9 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 31313532 34313830 3137301E 170D3032 30363131 31303032
  31325A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649

        quit
dot11 syslog
no ip source-route
!
!
ip cef
no ip domain lookup
ip domain name yourdomain.com
!
!
!
!
username root privilege 15 secret 5 $1$68Jf$2
!
!
!
archive
 log config
  hidekeys
!
!
!
track 10 ip sla 123 reachability
 delay down 10 up 10
!
!
!
interface ATM0
 description --- Bigpond ADSL WAN Connection ---$ES_WAN$
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 no atm ilmi-keepalive
 pvc 8/35
  tx-ring-limit 3
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description --- Internal LAN ---
 ip address 192.168.200.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 standby 1 ip 192.168.200.3
 standby 1 priority 105
 standby 1 preempt
 standby 1 track 10 decrement 10
!

interface Dialer0
 description --- Bigpond ---
 ip address 110.142.45.16 255.255.255.0
 ip access-group 100 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname melboxxxxxxxxxx
 ppp chap password 0 8xxxxxx
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 1xx.1xx.4x.1x
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 190 interface Dialer0 overload
ip nat inside source static tcp 192.168.200.20 443 interface Dialer0 443
ip nat inside source static tcp 192.168.200.20 51 interface Dialer0 51
ip nat inside source static tcp 192.168.200.20 52 interface Dialer0 52
ip nat inside source static tcp 192.168.200.20 54 interface Dialer0 54
ip nat inside source static tcp 192.168.200.20 25 interface Dialer0 25
ip nat inside source static tcp 192.168.200.24 21 interface Dialer0 1203
ip nat inside source static tcp 192.168.200.20 1723 interface Dialer0 1723
ip nat inside source static tcp 192.168.200.20 3390 interface Dialer0 3390
ip nat inside source static tcp 192.168.200.20 1701 interface Dialer0 1701
ip nat inside source static udp 192.168.200.20 500 interface Dialer0 500
ip nat inside source static udp 192.168.200.20 4500 interface Dialer0 4500
ip nat inside source static esp 192.168.200.20 interface Dialer0

!
ip sla 123
 icmp-echo 8.8.8.8
ip sla schedule 123 life forever start-time now
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 190 permit ip 192.168.200.0 0.0.0.255 any
no cdp run

!
!



Thanks in advance
Asked by: Michael

1 Solution
Akinsd (Network Administrator) commented:
You should first determine what port the company uses to forward mail to you.

If the communication is not on port 25 or 465, then you can block that IP from communicating with your mail server on that port.

I am still trying to determine why you intend to block someone protecting your mail from spam but I guess that's out of this scope.

On the switchport your mail server is connected to, add an ACL inbound and deny access to that IP on port 25 and/or 465.

You can also block SMTP traffic from the IP on your firewall also, which may be a better option.
Michael (Author) commented:
I think you totally missed the point of my question.
Akinsd (Network Administrator) commented:
My apologies

Your question states "how do you restrict..." I tried to imagine why you would restrict access from someone protecting you.
I guess you meant how to only permit access from the IP.

I will need further clarification.
NAT is not used to block traffic but rather to translate traffic. NAT = port forwarding in layman's terms, but there's more to it than that.
You will need to configure an ACL to filter traffic.

From your config, you are translating requests to 110.142.45.16 on several ports to the private IP 192.168.200.20.
All you need is to modify the existing access-list 100 inbound on interface Dialer0 and permit ip 210.110.140.203 destined for 192.168.200.20.
That depends on whether the ACL is an extended ACL. If not, you will have to reconfigure the ACL. Alternatively, you can create an ACL outbound on the inside interface or inbound into VLAN 1.
Michael (Author) commented:
Thanks I think you have got it now.

If I do like you say, I fear that will block all inbound traffic on all NAT rules to that host. I only want to apply the restriction on the NAT rule that allows port 25.
Akinsd (Network Administrator) commented:
The example I gave you allows all traffic from the specified IP.

E.g. permit ip host 1.1.1.1 host x.x.x.x

That eliminates the need for multiple statements in your ACL.
If you want to be more granular, you can permit tcp or udp instead and specify the port numbers as desired.

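The granular version of the answer above, written out as an added example (not configuration from the thread): extended ACL 100 on Dialer0 permitting SMTP only from the filtering service's address. One caveat the thread glosses over: an inbound ACL on the NAT-outside interface is evaluated before the static NAT entry rewrites the destination, so the ACL must match the public address 110.142.45.16, not 192.168.200.20. The pasted config does not show the existing contents of access-list 100, so the non-SMTP lines below are assumed and only illustrate what must be preserved.

```cisco
! Added example: lock inbound SMTP to the spam filter only.
! Inbound ACLs on the "ip nat outside" interface see the packet BEFORE
! translation, so match the Dialer0 public address, not 192.168.200.20.
! Lines are evaluated top-down and a numbered ACL only appends, so if ACL 100
! already has a broader SMTP permit, rebuild the list (or use
! "ip access-list extended 100" with sequence numbers) so these lines come first.
!
! 1. SMTP only from the filtering service (210.110.140.203, from the question).
access-list 100 permit tcp host 210.110.140.203 host 110.142.45.16 eq 25
! 2. Drop and log SMTP from anyone else; the log gives you a quick view
!    of who is still trying to deliver mail directly.
access-list 100 deny   tcp any host 110.142.45.16 eq 25 log
!
! 3. The other static NAT entries still need their own permits.
!    (Assumed lines covering the HTTPS and IPsec forwards in the config.)
access-list 100 permit tcp any host 110.142.45.16 eq 443
access-list 100 permit udp any host 110.142.45.16 eq isakmp
access-list 100 permit udp any host 110.142.45.16 eq non500-isakmp
access-list 100 permit esp any host 110.142.45.16
!
! 4. ACL 100 is stateless: replies to sessions opened from the LAN
!    (NAT overload via list 190) must be permitted explicitly. Assumed lines.
access-list 100 permit tcp  any host 110.142.45.16 established
access-list 100 permit udp  any eq domain host 110.142.45.16
! "ip sla 123" pings 8.8.8.8 to drive "track 10"; its replies need a permit.
access-list 100 permit icmp any host 110.142.45.16 echo-reply
! Everything not matched falls to the implicit deny at the end of the list.
!
interface Dialer0
 ip access-group 100 in
!
! Verify: hit counters on the permit/deny lines, and that the port-25
! translation is only ever built for the filter's source address.
! show access-lists 100
! show ip nat translations | include :25
```

If the filtering service ever changes its sending address, line 1 silently starts dropping all inbound mail, so the deny log entries are worth watching after any change on their side.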