
Denying SMTP Connections

bradlesliect
Level 1

Hi,

I have a server on my network which is advertised to the internet. I have been seeing SMTP connections from the internet address space to this server. If I want to deny SMTP connections to the server, can I do the following?

ip access 133 remark block smtp connections

access-list 133 deny any <host IP> eq smtp?

Would this block the connections? Do I have to apply this to the Interface(s) that connect to my ISP?

Thanks to Satish, I now know how to debug the source addresses from the access-list.

Thanks for help.

I do have a PIX firewall at the ISP that provides our primary internet connection and would prefer to stop it there, but I am still new to the PIX configuration and would rather, for now, block it at the router entry points to my network.

Any help would do.

Thanks

Brad


3 Replies

Your approach is correct but your syntax is slightly off. Also, remember there's an implicit deny at the end of any ACL and hence, add an ACE to allow all other IP traffic after the deny statement. Apply the ACL inbound on the interface that connects to the Internet. You need an ACL similar to this one:

access-list 133 deny tcp any host <host IP> eq smtp

access-list 133 permit ip any any

HTH

Sundar

Thanks Sundar,

Do I apply it as an

ip access-group 101 in

ip access-group 101 out

?

This won't break anything else?

You would need to apply it only inbound on the interface as the traffic is coming from outside --> inside only. However, if you want to block outbound SMTP as well then the ACE needs to be reversed.

access-list 132 deny tcp host <host IP> eq smtp any

access-list 132 permit ip any any

The 'in' and 'out' keywords used with 'ip access-group' are viewed from the standpoint of the router itself. Hence, 'in' means traffic coming into the interface and 'out' means traffic leaving the interface. Use a different ACL #, though not necessary, for inbound and outbound filtering.

HTH

Sundar
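The two points Sundar makes above (the implicit deny at the end of every ACL, so a lone deny ACE silently drops everything else unless `permit ip any any` follows it; and `in`/`out` being judged from the router's own standpoint) are easy to check with a small evaluator. The block below is an added example written for this thread, not Cisco software or Sundar's code: it parses only the extended-ACL subset used here (`permit`/`deny`, `ip`/`tcp`/`udp`, `any`/`host`, `eq`), applies first-match semantics, and models an ISP-facing interface with `ip access-group 133 in`. The address 203.0.113.10 stands in for the thread's `<host IP>`, and all packets and config lines are constructed.

```python
"""Toy evaluator for the extended-ACL subset used in this thread (added
example, not Cisco software).  It models first-match evaluation, the implicit
deny at the end of every ACL, and 'in'/'out' as seen from the router."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Port keywords IOS accepts in 'eq' clauses; only the ones needed here.
PORT_KEYWORDS = {"smtp": 25, "www": 80, "domain": 53}

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

@dataclass(frozen=True)
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "ip", "tcp" or "udp"
    src: str               # "any" or a host address
    sport: Optional[int]   # source port from 'eq', if any
    dst: str
    dport: Optional[int]   # destination port from 'eq', if any

ACE_RE = re.compile(
    r"^access-list\s+(?P<num>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>ip|tcp|udp)\s+"
    r"(?P<src>any|host\s+\S+)(?:\s+eq\s+(?P<sport>\S+))?\s+"
    r"(?P<dst>any|host\s+\S+)(?:\s+eq\s+(?P<dport>\S+))?\s*$"
)

def _port(tok: Optional[str]) -> Optional[int]:
    if tok is None:
        return None
    if tok.isdigit():
        return int(tok)
    if tok not in PORT_KEYWORDS:
        raise ValueError(f"unknown port keyword {tok!r}")
    return PORT_KEYWORDS[tok]

def _addr(tok: str) -> str:
    return "any" if tok == "any" else tok.split()[1]

def parse_acl(config: str) -> Dict[int, List[Ace]]:
    """Parse 'access-list N ...' lines into per-number ACE lists (remarks skipped)."""
    acls: Dict[int, List[Ace]] = {}
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        words = line.split()
        if len(words) > 2 and words[2] == "remark":
            continue
        m = ACE_RE.match(line)
        if m is None:
            raise ValueError(f"unsupported ACE syntax: {line!r}")
        ace = Ace(m["action"], m["proto"], _addr(m["src"]), _port(m["sport"]),
                  _addr(m["dst"]), _port(m["dport"]))
        acls.setdefault(int(m["num"]), []).append(ace)
    return acls

def _matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ace.src != "any" and ace.src != pkt.src:
        return False
    if ace.dst != "any" and ace.dst != pkt.dst:
        return False
    if ace.sport is not None and ace.sport != pkt.sport:
        return False
    return ace.dport is None or ace.dport == pkt.dport

def evaluate(aces: List[Ace], pkt: Packet) -> str:
    """First matching ACE wins; falling off the end is the implicit deny."""
    for ace in aces:
        if _matches(ace, pkt):
            return ace.action
    return "deny (implicit)"

@dataclass
class Interface:
    """Interface with 'ip access-group N in' / 'ip access-group N out' applied.
    'in' is traffic entering the router through this interface, 'out' is
    traffic leaving the router through it (router's standpoint)."""
    acls: Dict[int, List[Ace]]
    inbound: Optional[int] = None
    outbound: Optional[int] = None

    def check(self, pkt: Packet, direction: str) -> str:
        num = self.inbound if direction == "in" else self.outbound
        if num is None:
            return "permit (no ACL)"
        return evaluate(self.acls[num], pkt)

# Constructed sample config; 203.0.113.10 stands in for the thread's <host IP>.
GOOD_CONFIG = """
access-list 133 remark block smtp connections to the mail host
access-list 133 deny tcp any host 203.0.113.10 eq smtp
access-list 133 permit ip any any
"""
# Same ACE without the trailing permit: everything else hits the implicit deny.
BROKEN_CONFIG = "access-list 133 deny tcp any host 203.0.113.10 eq smtp\n"

SMTP_IN = Packet("tcp", "198.51.100.7", 40000, "203.0.113.10", 25)    # constructed
WEB_IN = Packet("tcp", "198.51.100.7", 40001, "203.0.113.10", 80)     # constructed
SMTP_OUT = Packet("tcp", "203.0.113.10", 40002, "198.51.100.25", 25)  # constructed

def isp_interface(config: str) -> Interface:
    """Model the ISP-facing interface with only 'ip access-group 133 in' applied."""
    return Interface(parse_acl(config), inbound=133)

if __name__ == "__main__":
    good, broken = isp_interface(GOOD_CONFIG), isp_interface(BROKEN_CONFIG)
    print("inbound smtp :", good.check(SMTP_IN, "in"))     # deny
    print("inbound web  :", good.check(WEB_IN, "in"))      # permit
    print("no permit ace:", broken.check(WEB_IN, "in"))    # deny (implicit)
    print("outbound smtp:", good.check(SMTP_OUT, "out"))   # permit (no ACL)
```

The last line is the direction point: with the ACL applied `in` only, a connection the server opens toward the Internet is never evaluated against it, which is why a separate ACE (and, as Sundar suggests, a separate ACL number) applied `out` is needed if outbound SMTP should be filtered too. Dropping the `permit ip any any` line turns the list from "block SMTP to this host" into "block everything arriving from the ISP", which is the mistake the implicit deny invites.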
