05-14-2009 05:48 AM - edited 03-04-2019 04:45 AM
We are trying to block port 25 outbound for all workstations other than the Exchange server. Here is what we've done (192.168.77.40 is the server):
access-list 100 permit tcp host 192.168.77.40 any eq smtp
access-list 100 deny tcp 192.168.77.0 0.0.0.255 any eq smtp log
access-list 100 permit ip 192.168.77.40 0.0.0.255 any
We've tested it by going to a workstation and telnetting to another Exchange server on port 25. Unfortunately we can connect and the block doesn't seem to be working. Can anyone help?
Thanks in advance!
05-14-2009 05:50 AM
Charlie
What have you applied the acl on, i.e. which interface and in which direction relative to the clients?
Jon
05-14-2009 07:00 AM
Hi Jon,
I have applied them on Ethernet0, originating traffic
Thanks!
05-14-2009 07:05 AM
Charlie
So ethernet0 is the interface connecting to the 192.168.77.0/24 network?
And you have applied the acl in an inbound direction, i.e.
int eth0
ip access-group 100 in
Finally, the exchange server you can ping is reachable via another interface off the router?
Jon
05-15-2009 04:21 AM
Hi Jon,
Answering your last question first - yes, the Exchange server I'm pinging from a LAN workstation is not local (i.e. at a different company across the internet).
Yes, ethernet0 is connected to the 192.168.77.x subnet.
I thought it was being applied in the right direction, but maybe that is my problem (I'm certainly no CCNA). I will check this.
I have been trying to post a bit more of the configuration, but seem to be blocked by the forum rules (even when the WAN address has been replaced by x.x.x.x)
Thanks,
Charlie
05-15-2009 04:38 AM
Charlie, you're not being blocked by the forum. They're just giving you a reminder not to post sensitive material.
Post your config and let Jon look at it. He's one of the best on here so take advantage of his time. :-)
Victor
05-16-2009 07:08 AM
I've been trying to post the config, but every time I paste it in then the "Post" button does nothing (it's well under 4000 characters).
Thanks,
Charlie
05-16-2009 07:11 AM
One more try (this time using Google Chrome as the browser):
interface Ethernet0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-Ethernet 10/100$$ES_LAN$$FW_INSIDE$
ip address 192.168.77.1 255.255.255.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip route-cache flow
no cdp enable
!
interface Ethernet1
description $FW_OUTSIDE$$ES_WAN$
ip address x.x.x.x 255.255.255.252
ip access-group 101 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect DEFAULT100 out
ip route-cache flow
duplex auto
no cdp enable
!
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet1
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
!
ip nat inside source list 1 interface Ethernet1 overload
ip nat inside source static tcp 192.168.77.40 3389 interface Ethernet1 3389
ip nat inside source static tcp 192.168.77.40 25 interface Ethernet1 25
ip nat inside source static tcp 192.168.77.40 443 interface Ethernet1 443
ip nat inside source static tcp 192.168.77.40 444 interface Ethernet1 444
ip nat inside source static tcp 192.168.77.40 4125 interface Ethernet1 4125
!
logging trap debugging
access-list 1 remark INSIDE_IF=Ethernet0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.77.0 0.0.0.255
access-list 100 remark auto-generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip x.x.x.x 0.0.0.3 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 100 permit tcp host 192.168.77.40 any eq smtp
(x.x.x.x is the client's WAN address)
Thanks,
Charlie
05-31-2009 05:41 AM
Hi Jon,
I think my conversation got lost in the mix, but still hoping to solve the problem.
Using this configuration, we can telnet to another Exchange server, across the internet, from a PC on the LAN (exactly what we are trying to prevent - trying to ensure that a malware-compromised PC can't spam).
interface Ethernet0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-Ethernet 10/100$$ES_LAN$$FW_INSIDE$
ip address 192.168.77.1 255.255.255.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip route-cache flow
no cdp enable
!
interface Ethernet1
description $FW_OUTSIDE$$ES_WAN$
ip address x.x.x.x 255.255.255.252
ip access-group 101 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect DEFAULT100 out
ip route-cache flow
duplex auto
no cdp enable
!
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet1
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
!
ip nat inside source list 1 interface Ethernet1 overload
ip nat inside source static tcp 192.168.77.40 3389 interface Ethernet1 3389
ip nat inside source static tcp 192.168.77.40 25 interface Ethernet1 25
ip nat inside source static tcp 192.168.77.40 443 interface Ethernet1 443
ip nat inside source static tcp 192.168.77.40 444 interface Ethernet1 444
ip nat inside source static tcp 192.168.77.40 4125 interface Ethernet1 4125
!
logging trap debugging
access-list 1 remark INSIDE_IF=Ethernet0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.77.0 0.0.0.255
access-list 100 remark auto-generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip x.x.x.x 0.0.0.3 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 100 permit tcp host 192.168.77.40 any eq smtp
(x.x.x.x is the client's WAN address)
I appreciate your help!
Charlie
05-31-2009 11:55 AM
Charlie
Can you clarify. In your original post you have this as your acl -
access-list 100 permit tcp host 192.168.77.40 any eq smtp
access-list 100 deny tcp 192.168.77.0 0.0.0.255 any eq smtp log
access-list 100 permit ip 192.168.77.40 0.0.0.255 any
yet in the config example you sent -
access-list 100 remark auto-generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip x.x.x.x 0.0.0.3 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 100 permit tcp host 192.168.77.40 any eq smtp
the above will not stop 192.168.77.0/24 connecting to any exchange server on the internet as you have a "permit ip any any" in it.
Why is the actual acl on your router not matching what you put in your original post?
Jon
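To make the first-match behaviour Jon describes concrete, here is an added example (editor's code, not from the thread or from Cisco) that parses access-list 100 exactly as posted and a reordered version of it, then evaluates a few sample flows the way IOS would on the inbound side of Ethernet0. The thread never shows Charlie's final ACL, so the reordered list below is an assumption of what "the right track" looks like: the specific SMTP permit and deny moved above "permit ip any any". The addresses are also assumptions: the WAN address (x.x.x.x in the posts) is written as 203.0.113.2/30, the remote mail server as 198.51.100.25, and a workstation as 192.168.77.50, all from documentation ranges and constructed for this example. The parser handles only the ACL syntax that appears in the thread (permit/deny, ip/tcp/udp, any/host/wildcard, a destination "eq" port, and "log").

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Port keywords IOS accepts in place of numbers; only the ones needed here.
PORT_NAMES = {"smtp": 25, "www": 80, "https": 443, "domain": 53}

AddrSpec = Tuple[int, int]  # (network as int, wildcard mask as int)


@dataclass
class Entry:
    action: str           # "permit" or "deny"
    proto: str            # "ip", "tcp" or "udp"
    src: AddrSpec
    dst: AddrSpec
    dport: Optional[int]  # destination port from "eq <port>", None = any
    log: bool
    text: str             # original line, so we can report which rule fired


def _addr(tokens: List[str]) -> Tuple[AddrSpec, List[str]]:
    """Consume one address spec: 'any' | 'host A' | 'A WILDCARD'."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.ip_address(tokens[1])), 0), tokens[2:]
    net = int(ipaddress.ip_address(tokens[0]))
    wild = int(ipaddress.ip_address(tokens[1]))
    # IOS normalises the address against the wildcard (x.x.x.2 0.0.0.3 -> x.x.x.0)
    return (net & ~wild & 0xFFFFFFFF, wild), tokens[2:]


def parse_acl(config: str, number: str) -> List[Entry]:
    """Collect the 'access-list <number> ...' lines of a config, in order.

    Subset only: source-port operators and 'established' are not handled.
    """
    entries = []
    for line in config.splitlines():
        toks = line.split()
        if len(toks) < 5 or toks[:2] != ["access-list", number] or toks[2] == "remark":
            continue
        action, proto, rest = toks[2], toks[3], toks[4:]
        src, rest = _addr(rest)
        dst, rest = _addr(rest)
        dport = None
        if rest and rest[0] == "eq":
            dport = PORT_NAMES.get(rest[1]) or int(rest[1])
            rest = rest[2:]
        entries.append(Entry(action, proto, src, dst, dport, "log" in rest, line.strip()))
    return entries


def _matches(spec: AddrSpec, ip: str) -> bool:
    net, wild = spec
    return (int(ipaddress.ip_address(ip)) & ~wild & 0xFFFFFFFF) == net


def evaluate(acl: List[Entry], src: str, dst: str, proto: str = "tcp",
             dport: Optional[int] = None) -> Tuple[str, str]:
    """First matching entry wins; nothing matching means the implicit deny."""
    for e in acl:
        if e.proto != "ip" and e.proto != proto:
            continue
        if e.dport is not None and e.dport != dport:
            continue
        if _matches(e.src, src) and _matches(e.dst, dst):
            return e.action, e.text
    return "deny", "<implicit deny at end of ACL>"


# access-list 100 as posted: SDM anti-spoofing lines, catch-all permit, then the SMTP line.
POSTED_ACL = """
access-list 100 remark auto-generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip 203.0.113.0 0.0.0.3 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 100 permit tcp host 192.168.77.40 any eq smtp
"""

# Assumed fix: the specific SMTP lines must sit above the catch-all permit.
REORDERED_ACL = """
access-list 100 deny ip 203.0.113.0 0.0.0.3 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit tcp host 192.168.77.40 any eq smtp
access-list 100 deny tcp 192.168.77.0 0.0.0.255 any eq smtp log
access-list 100 permit ip any any
"""

# Constructed sample flows, as seen inbound on Ethernet0 (the LAN side).
FLOWS = [
    ("workstation -> remote MX, tcp/25", "192.168.77.50", "198.51.100.25", "tcp", 25),
    ("exchange -> remote MX, tcp/25", "192.168.77.40", "198.51.100.25", "tcp", 25),
    ("workstation -> web, tcp/443", "192.168.77.50", "198.51.100.80", "tcp", 443),
    ("spoofed WAN src -> anywhere", "203.0.113.2", "198.51.100.80", "tcp", 443),
]


def verdicts(config: str) -> Dict[str, str]:
    """Map each sample flow name to the action the ACL takes on it."""
    acl = parse_acl(config, "100")
    return {name: evaluate(acl, s, d, p, port)[0] for name, s, d, p, port in FLOWS}


if __name__ == "__main__":
    for label, cfg in (("as posted", POSTED_ACL), ("reordered", REORDERED_ACL)):
        print(f"== {label} ==")
        acl = parse_acl(cfg, "100")
        for name, s, d, p, port in FLOWS:
            action, rule = evaluate(acl, s, d, p, port)
            print(f"  {name:36s} {action:6s}  <- {rule}")
```

Running it shows the workstation SMTP flow matching "permit ip any any" in the posted list and the logged deny in the reordered one, while the Exchange host and ordinary web traffic are permitted in both. The reason the posted ACL ended up in that order is worth keeping in mind on IOS: a line added to a numbered ACL is appended after the existing entries, so a new SMTP rule typed in after an SDM-generated "permit ip any any" can never be reached. To reorder, remove and re-enter the numbered list, or use a named extended ACL with sequence numbers so the SMTP entries can be placed explicitly.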
06-09-2009 03:24 AM
Thank you very much Jon, that got me on the right track. The "permit ip any any" was there from the original configuration.
Everything is working as intended - I greatly appreciate your help!
09-05-2020 01:09 AM - edited 09-05-2020 01:10 AM
I was able to make this work.
I want to block all SMTP traffic except inbound from our smart host. How do we do this
if our smart host is smarthost121.appriver.com?
Our Exchange Server at 192.168.0.11 should only make outbound connections on port 25 to the smarthost.
We get a lot of spoofing because of this; some mail servers are still direct sending up garbage.
09-05-2020 02:18 PM
Hello,
a Zone Based Firewall can do that. Do you simply want to restrict SMTP traffic, and allow everything else both ways?