I have a 3620 with very minimal programming: a single Internet IP using an overloaded NAT to support a 192.168.1.0 network, with a few holes to allow SMTP, etc. I am having concerns that there might be SPAM originating from some workstations in my network. I would like to shut down all outbound access to port 25 except for my Exchange Server (192.168.1.20). If you would like to provide more input about other outbound restrictions, please include it. I am just starting with SMTP for now.
My apologies for the simplicity of this post. I am not a Cisco engineer and it is always a struggle to make even the simplest change on the router.
router# config t
router(config)# no access-list 101
router(config)# access-list 101 permit tcp host 192.168.1.20 any eq 25
router(config)# access-list 101 deny tcp any any eq 25
router(config)# access-list 101 permit ip any any
On the router interface that connects to your LAN, e.g. fa0/1:
router(config)# interface fa0/1
router(config-if)# ip access-group 101 in
The first line allows your Exchange server to talk SMTP to any server on the Internet.
The second line stops all other internal machines from initiating SMTP connections.
The last line is just to allow everything else to flow normally.
Obviously, if you want to restrict traffic further, you can use deny statements before the permit ip any any at the end, or, if you know all the ports in use from the inside to the outside, you can just permit those ports and deny anything else.
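As an added example (not the poster's configuration), here is the same policy written as a named extended ACL with the log keyword on the deny entry, so the router records which internal workstation is attempting direct SMTP. That record is what turns the block into evidence of which machines are spamming. The interface name FastEthernet0/1 and the log buffer size are assumptions; the Exchange address 192.168.1.20 comes from the question.

```cisco
! Added example, not the poster's config. Assumes the LAN-facing interface is
! FastEthernet0/1; the Exchange server address 192.168.1.20 is from the question.
ip access-list extended LAN-IN
 remark Only the Exchange server may open SMTP sessions to the Internet
 permit tcp host 192.168.1.20 any eq 25
 remark Log every other internal host that tries port 25 (spam indicator)
 deny   tcp any any eq 25 log
 remark Everything else flows normally
 permit ip any any
!
interface FastEthernet0/1
 ip access-group LAN-IN in
!
! Keep the deny hits in the local log buffer so they can be reviewed later
logging buffered 16384 informational
```

Entries are evaluated top to bottom and the first match wins, so the permit for the Exchange server has to stay above the deny. To see whether anything is being caught, `show access-lists LAN-IN` prints a match counter next to each entry, and `show logging` shows the logged denies in the form `%SEC-6-IPACCESSLOGP: list LAN-IN denied tcp 192.168.1.55(1234) -> 203.0.113.10(25), 1 packet` (addresses here are constructed); the source address in that line is the workstation to go and clean. The log keyword reports the first packet of a flow and then a summary roughly every five minutes, so the counters rather than the log are the place to look for exact volumes.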