Restricting outbound SMTP on NAT'ed LAN

Answered Question
Aug 29th, 2007

Newbie Question.

I have a 3620 with very minimal programming: a single Internet IP using an overloaded NAT to support a 192.168.1.0 network, with a few holes to allow SMTP, etc. I am having concerns that there might be SPAM originating from some workstations in my network. I would like to shut down all outbound access to port 25 except for my Exchange Server (192.168.1.20). If you would like to provide more input about other outbound restrictions, please include it. I am just starting with SMTP for now.

My apologies for the simplicity of this post. I am not a Cisco engineer and it is always a struggle to make even the simplest change on the router.

Thank you.

Jonathan


Correct Answer
Jon Marshall Wed, 08/29/2007 - 22:38

Hi Jonathan

access-list 101 permit tcp host 192.168.1.20 any eq 25

access-list 101 deny tcp any any eq 25

access-list 101 permit ip any any

On the router interface that connects to your LAN eg fa0/1

interface fa0/1

ip access-group 101 in

Explanation:-

The first line allows your Exchange server to talk SMTP to any server on the Internet.

The second line stops all other internal machines from initiating SMTP connections.

The last line is just to allow everything else to flow normally.

Obviously if you want to restrict traffic further you can use deny statements before the permit ip any any at the end or if you know all the ports in use from the inside to the outside then you can just permit those ports and deny anything else.

HTH

Jon

silverreefcasinoIT Tue, 09/04/2007 - 09:39

Thanks... However, I have another really stupid question. I have only learned to program the router through the CLI interface and I have never figured out how to move configuration lines around. I already had the "access-list 101 ip any any" and when I add the two others you mentioned, they are added below the first one.

Correct Answer
ohassairi Tue, 09/04/2007 - 10:14

router# config t

router(config)# no access-list 101

router(config)# access-list 101....

silverreefcasinoIT Tue, 09/04/2007 - 11:56

Thanks, it worked. I actually already tried this, but it did not work at first... my connection dropped and I thought my router crashed. Then after reading your response one lone brain cell clued in... I had just beheaded myself (no tcp --> no telnet). Entered the command from the router console interface and it worked like a charm.

Thanks for your help and patience.

Jonathan
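
As an added illustration (not code from the thread), here is a small Python model of how the router evaluates access-list 101 top-down with first-match semantics and an implicit deny at the end. It shows why Jon's order blocks SMTP from the workstations while letting the Exchange server through, why appending the new lines below an existing permit ip any any changes nothing, and why an ACL rebuilt one line at a time cuts off a Telnet session in between. The Ace and Packet classes and the 192.168.1.50 workstation address are my own constructions.

```python
# Added example, not from the thread: a minimal model of IOS first-match ACL
# evaluation, applied to Jon's access-list 101.
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Ace:
    action: str           # "permit" or "deny"
    proto: str            # "ip" (matches any protocol) or "tcp"
    src: Optional[str]    # source host, None means "any"
    dport: Optional[int]  # destination port, None means any port

@dataclass
class Packet:
    proto: str
    src: str
    dport: int

def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """Walk the list top-down; the first matching entry decides.
    A defined ACL ends with an implicit 'deny ip any any'; an applied
    but undefined (empty) ACL is treated by IOS as permit-all."""
    if not acl:
        return "permit"
    for ace in acl:
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if ace.src is not None and ace.src != pkt.src:
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        return ace.action
    return "deny"

# Jon's ACL in the order he gave it.
ACL_CORRECT = [
    Ace("permit", "tcp", "192.168.1.20", 25),  # Exchange may send SMTP
    Ace("deny", "tcp", None, 25),              # nobody else may
    Ace("permit", "ip", None, None),           # everything else flows
]
# What Jonathan got by appending below his existing 'permit ip any any'.
ACL_APPENDED = [ACL_CORRECT[2], ACL_CORRECT[0], ACL_CORRECT[1]]
# The list halfway through 'no access-list 101' + re-entry: one line typed.
ACL_HALF_BUILT = ACL_CORRECT[:1]

# Constructed sample packets (192.168.1.50 is an assumed workstation).
SPAM_WORKSTATION = Packet("tcp", "192.168.1.50", 25)
EXCHANGE_SMTP = Packet("tcp", "192.168.1.20", 25)
TELNET_TO_ROUTER = Packet("tcp", "192.168.1.50", 23)
```

Run `evaluate(ACL_HALF_BUILT, TELNET_TO_ROUTER)` to see the lockout Jonathan hit: with only the first permit entered, everything else falls through to the implicit deny, so the change is best made from the console.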
