Restricting outbound SMTP on NAT'ed LAN

Newbie Question.

I have a 3620 with very minimal programming: single Internet IP using an overloaded NAT to support a 192.168.1.0 network, and a few holes to allow SMTP, etc. I am having concerns that there might be SPAM originating from some workstations in my network. I would like to shut down all outbound access to Port 25 except for my Exchange Server (192.168.1.20). If you would like to provide more input about other outbound restrictions, please include it. I am just starting with SMTP for now.

My apologies for the simplicity of this post, I am not a Cisco engineer and it is always a struggle to make even the simplest change on the router.

Thank you.

Jonathan

4 Replies

Jon Marshall
Hall of Fame

Hi Jonathan

access-list 101 permit tcp host 192.168.1.20 any eq 25

access-list 101 deny tcp any any eq 25

access-list 101 permit ip any any

On the router interface that connects to your LAN eg fa0/1

interface fa0/1

ip access-group 101 in

Explanation:-

The first line allows your Exchange server to talk SMTP to any server on the Internet.

The second line stops all other internal machines from initiating SMTP connections.

The last line is just to allow everything else to flow normally.

Obviously if you want to restrict traffic further you can use deny statements before the permit ip any any at the end or if you know all the ports in use from the inside to the outside then you can just permit those ports and deny anything else.

HTH

Jon

Thanks. However, I have another really stupid question. I have only learned to program the router through the CLI interface and I have never figured out how to move configuration lines around. I already had the "access-list 101 ip any any" and when I add the two others you mentioned, they add below the first one.

router# config t

router(config)# no access-list 101

router(config)# access-list 101....

Thanks, it worked. I actually already tried this, but it did not work at first... my connection dropped and I thought my router crashed. Then after reading your response one lone brain cell clued in... I had just beheaded myself (no tcp --> no telnet). Entered the command from the router console interface and it worked like a charm.

Thanks for your help and patience.

Jonathan
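The two exchanges above (Jon's three-line ACL, and the follow-up about the lines landing below an existing "permit ip any any") both come down to one rule: an IOS access list is evaluated top to bottom and the first matching entry wins, with an implicit deny at the end. The following is an added example, not code from the thread or from Cisco: a small first-match model of the ACL syntax used here (only "any", "host", and "eq PORT" are supported, which is all the thread needs) that evaluates constructed packets against Jon's ACL and against the mis-ordered version Jonathan described, and reports which entries are shadowed (can never match) by an earlier entry. The rule lists, addresses and helper names are constructed for the example.

```python
"""Added example: first-match model of a simplified Cisco extended ACL.

Not from the original thread. Supports only the subset of IOS syntax the
thread uses: 'permit|deny PROTO SRC DST [eq PORT]' where SRC/DST are
'any' or 'host A.B.C.D'. Ends with the implicit deny IOS applies.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed ACLs. CORRECT_ACL is Jon's answer (numbers stripped);
# MISORDERED_ACL is what you get by appending the two new lines after an
# existing 'permit ip any any', as Jonathan first did.
CORRECT_ACL = [
    "permit tcp host 192.168.1.20 any eq 25",
    "deny tcp any any eq 25",
    "permit ip any any",
]
MISORDERED_ACL = [
    "permit ip any any",
    "permit tcp host 192.168.1.20 any eq 25",
    "deny tcp any any eq 25",
]


@dataclass
class Entry:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    text: str


def _parse_addr(tokens, i):
    """Parse 'any' or 'host A.B.C.D'; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    raise ValueError(f"unsupported address form at {tokens[i]!r}")


def parse_entry(line: str) -> Entry:
    t = line.split()
    action, proto = t[0], t[1]
    src, i = _parse_addr(t, 2)
    dst, i = _parse_addr(t, i)
    dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return Entry(action, proto, src, dst, dport, line)


def _matches(e: Entry, proto: str, src: str, dst: str, dport: int) -> bool:
    # 'ip' entries match every IP protocol; 'tcp' only matches tcp.
    if e.proto not in ("ip", proto):
        return False
    if ipaddress.ip_address(src) not in e.src:
        return False
    if ipaddress.ip_address(dst) not in e.dst:
        return False
    return e.dport is None or e.dport == dport


def evaluate(acl: List[str], proto: str, src: str, dst: str, dport: int) -> str:
    """Return 'permit' or 'deny' for a packet: first match wins, implicit deny."""
    for e in map(parse_entry, acl):
        if _matches(e, proto, src, dst, dport):
            return e.action
    return "deny"


def shadowed(acl: List[str]) -> List[str]:
    """Entries that can never match because an earlier entry fully covers them.

    Only the simple containment case is checked: an earlier entry whose
    protocol, source, destination and port are each supersets of this one's.
    """
    entries = list(map(parse_entry, acl))
    dead = []
    for i, e in enumerate(entries):
        for prev in entries[:i]:
            if (prev.proto in ("ip", e.proto)
                    and e.src.subnet_of(prev.src)
                    and e.dst.subnet_of(prev.dst)
                    and prev.dport in (None, e.dport)):
                dead.append(e.text)
                break
    return dead


if __name__ == "__main__":
    for name, acl in (("correct", CORRECT_ACL), ("misordered", MISORDERED_ACL)):
        spam = evaluate(acl, "tcp", "192.168.1.50", "203.0.113.5", 25)
        mail = evaluate(acl, "tcp", "192.168.1.20", "203.0.113.5", 25)
        print(f"{name}: workstation->25 {spam}, exchange->25 {mail}, "
              f"shadowed={shadowed(acl)}")
```

Running it shows the point of Jon's "no access-list 101" then re-enter advice: with "permit ip any any" on top, the two SMTP lines are reported as shadowed and a workstation's port-25 connection is still permitted; with Jon's order, only 192.168.1.20 gets out on port 25 while other TCP ports (including telnet to the router, which is why the console is the safe place to make the change) still pass.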
