
Block outbound port 25

chaswood999
Level 1

We are trying to block port 25 outbound for all workstations other than the Exchange server. Here is what we've done (192.168.77.40 is the server):

access-list 100 permit tcp host 192.168.77.40 any eq smtp
access-list 100 deny tcp 192.168.77.0 0.0.0.255 any eq smtp log
access-list 100 permit ip 192.168.77.40 0.0.0.255 any

We've tested it by going to a workstation and telnetting to another Exchange server on port 25. Unfortunately we can connect and the block doesn't seem to be working. Can anyone help?

Thanks in advance!


Jon Marshall
Hall of Fame

Charlie

What have you applied the acl on, i.e. which interface and in which direction relative to the clients?

Jon

Hi Jon,

I have applied them on Ethernet0, originating traffic

Thanks!

Charlie

So ethernet0 is the interface connecting to the 192.168.77.0/24 network ?

And you have applied the acl in an inbound direction, i.e.

int eth0
 ip access-group 100 in

Finally the exchange server you can ping is reachable via another interface off the router ?

Jon

Hi Jon,

Answering your last question first - yes, the Exchange server I'm pinging from a LAN workstation is not local (i.e. at a different company across the internet).

Yes, ethernet0 is connected to the 192.168.77.x subnet.

I thought it was being applied in the right direction, but maybe that is my problem (I'm certainly no CCNA). I will check this.

I have been trying to post a bit more of the configuration, but seem to be blocked by the forum rules (even when the WAN address has been replaced by x.x.x.x)

Thanks,

Charlie

Charlie, you're not being blocked by the forum. They're just giving you a reminder not to post sensitive material.

Post your config and let Jon look at it. He's one of the best on here so take advantage of his time. :-)

Victor

I've been trying to post the config, but every time I paste it in then the "Post" button does nothing (it's well under 4000 characters).

Thanks,

Charlie

One more try (this time using Google Chrome as the browser):

interface Ethernet0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-Ethernet 10/100$$ES_LAN$$FW_INSIDE$
 ip address 192.168.77.1 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip route-cache flow
 no cdp enable
!
interface Ethernet1
 description $FW_OUTSIDE$$ES_WAN$
 ip address x.x.x.x 255.255.255.252
 ip access-group 101 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect DEFAULT100 out
 ip route-cache flow
 duplex auto
 no cdp enable
!


ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet1
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
!
ip nat inside source list 1 interface Ethernet1 overload
ip nat inside source static tcp 192.168.77.40 3389 interface Ethernet1 3389
ip nat inside source static tcp 192.168.77.40 25 interface Ethernet1 25
ip nat inside source static tcp 192.168.77.40 443 interface Ethernet1 443
ip nat inside source static tcp 192.168.77.40 444 interface Ethernet1 444
ip nat inside source static tcp 192.168.77.40 4125 interface Ethernet1 4125
!
logging trap debugging
access-list 1 remark INSIDE_IF=Ethernet0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.77.0 0.0.0.255
access-list 100 remark auto-generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip x.x.x.x 0.0.0.3 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 100 permit tcp host 192.168.77.40 any eq smtp

(x.x.x.x is the client's WAN address)

Thanks,

Charlie


Hi Jon,

I think my conversation got lost in the mix, but still hoping to solve the problem.

Using this configuration, we can telnet to another Exchange server, across the internet, from a PC on the LAN (exactly what we are trying to prevent - trying to ensure that a malware-compromised PC can't spam).

interface Ethernet0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-Ethernet 10/100$$ES_LAN$$FW_INSIDE$
 ip address 192.168.77.1 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip route-cache flow
 no cdp enable
!
interface Ethernet1
 description $FW_OUTSIDE$$ES_WAN$
 ip address x.x.x.x 255.255.255.252
 ip access-group 101 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect DEFAULT100 out
 ip route-cache flow
 duplex auto
 no cdp enable
!


ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet1
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
!
ip nat inside source list 1 interface Ethernet1 overload
ip nat inside source static tcp 192.168.77.40 3389 interface Ethernet1 3389
ip nat inside source static tcp 192.168.77.40 25 interface Ethernet1 25
ip nat inside source static tcp 192.168.77.40 443 interface Ethernet1 443
ip nat inside source static tcp 192.168.77.40 444 interface Ethernet1 444
ip nat inside source static tcp 192.168.77.40 4125 interface Ethernet1 4125
!
logging trap debugging
access-list 1 remark INSIDE_IF=Ethernet0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.77.0 0.0.0.255
access-list 100 remark auto-generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip x.x.x.x 0.0.0.3 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 100 permit tcp host 192.168.77.40 any eq smtp

(x.x.x.x is the client's WAN address)

I appreciate your help!

Charlie

Charlie

Can you clarify? In your original post you have this as your acl -

access-list 100 permit tcp host 192.168.77.40 any eq smtp
access-list 100 deny tcp 192.168.77.0 0.0.0.255 any eq smtp log
access-list 100 permit ip 192.168.77.40 0.0.0.255 any

yet in the config example you sent -

access-list 100 remark auto-generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip x.x.x.x 0.0.0.3 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 100 permit tcp host 192.168.77.40 any eq smtp

The above will not stop 192.168.77.0/24 connecting to any exchange server on the internet, as you have a "permit ip any any" in it.

Why is the actual acl on your router not matching what you put in your original post ?

Jon

Thank you very much Jon, that got me on the right track. The "permit ip any any" was there from the original configuration.

Everything is working as intended - I greatly appreciate your help!

CompTroubLV
Level 1

I was able to make this work.

I want to block all SMTP traffic except inbound from our smart host. How do we do this?

Our smart host is smarthost121.appriver.com.

Our Exchange Server on port 192.168.0.11 should only make outbound connections on port 25 to the smarthost.

We get a lot of spoofing because of this; some mail servers are still direct sending up garbage.
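The first-match behaviour Jon points out above (the "permit ip any any" sits ahead of the SMTP lines, so the SMTP lines are never reached) and the outbound-only restriction CompTroubLV asks about can both be checked offline with a small model of IOS extended-ACL matching. The following Python is an added example, not code from this thread or from Cisco: it parses "access-list 100" lines as they are written in the thread, evaluates them top-down with the implicit deny at the end, and flags any ACE that an earlier line fully shadows. The smart-host address 198.51.100.25 and the workstation and remote-server addresses in the demo are constructed placeholders (the thread never resolves smarthost121.appriver.com), and the "x.x.x.x 0.0.0.3" line is omitted because its address is not on the page.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Named ports IOS accepts after "eq"; only the ones relevant here.
PORT_NAMES = {"smtp": 25, "www": 80, "telnet": 23}


@dataclass
class Ace:
    action: str                    # "permit" or "deny"
    proto: str                     # "ip", "tcp", "udp", ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]           # destination port from "eq", else None


def _parse_addr(toks, i):
    """Parse one IOS address spec: 'any', 'host A', or 'A WILDCARD'."""
    if toks[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if toks[i] == "host":
        return ipaddress.ip_network(toks[i + 1] + "/32"), i + 2
    # Invert the wildcard into a netmask (non-contiguous wildcards are rejected
    # by ipaddress); strict=False normalises "192.168.77.40 0.0.0.255" to
    # 192.168.77.0/24, which is what IOS does with the OP's third line.
    mask = int(ipaddress.IPv4Address(toks[i + 1])) ^ 0xFFFFFFFF
    net = ipaddress.ip_network((toks[i], str(ipaddress.IPv4Address(mask))), strict=False)
    return net, i + 2


def parse_ace(line):
    """Parse an 'access-list N ...' line; remarks return None."""
    toks = line.split()
    if toks[0] == "access-list":
        toks = toks[2:]
    if toks[0] == "remark":
        return None
    action, proto = toks[0], toks[1]
    src, i = _parse_addr(toks, 2)
    dst, i = _parse_addr(toks, i)
    dport = None
    if i < len(toks) and toks[i] == "eq":
        dport = PORT_NAMES.get(toks[i + 1]) or int(toks[i + 1])
    return Ace(action, proto, src, dst, dport)     # a trailing "log" is ignored


def parse_acl(text):
    aces = (parse_ace(l) for l in text.strip().splitlines() if l.strip())
    return [a for a in aces if a is not None]


def evaluate(acl, proto, src, dst, dport):
    """First matching ACE decides; no match hits the implicit 'deny ip any any'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if ace.proto not in ("ip", proto):
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"


def shadowed(acl):
    """Indexes of ACEs that can never match because an earlier ACE covers them."""
    out = []
    for j, later in enumerate(acl):
        for earlier in acl[:j]:
            if (earlier.proto in ("ip", later.proto)
                    and later.src.subnet_of(earlier.src)
                    and later.dst.subnet_of(earlier.dst)
                    and earlier.dport in (None, later.dport)):
                out.append(j)
                break
    return out


# The ACL as the OP first posted it (SMTP rules before the catch-all permit).
INTENDED_ACL = parse_acl("""
access-list 100 permit tcp host 192.168.77.40 any eq smtp
access-list 100 deny tcp 192.168.77.0 0.0.0.255 any eq smtp log
access-list 100 permit ip 192.168.77.40 0.0.0.255 any
""")

# The ACL actually running (from the posted config, minus the x.x.x.x line).
RUNNING_ACL = parse_acl("""
access-list 100 remark auto-generated by Cisco SDM Express firewall configuration
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 100 permit tcp host 192.168.77.40 any eq smtp
""")

# Outbound leg of CompTroubLV's request: only the Exchange server may speak
# SMTP, and only to the smart host. 198.51.100.25 is a constructed placeholder.
SMARTHOST_ACL = parse_acl("""
access-list 100 permit tcp host 192.168.0.11 host 198.51.100.25 eq smtp
access-list 100 deny tcp any any eq smtp log
access-list 100 permit ip any any
""")

if __name__ == "__main__":
    for name, acl in (("intended", INTENDED_ACL), ("running", RUNNING_ACL)):
        verdict = evaluate(acl, "tcp", "192.168.77.50", "203.0.113.10", 25)
        print(f"{name}: workstation -> internet:25 = {verdict}, shadowed ACEs {shadowed(acl)}")
```

Applied inbound on Ethernet0 as in the thread, the model reproduces Jon's diagnosis: under RUNNING_ACL a workstation's connection to port 25 is permitted by the catch-all and the SMTP permit at index 3 is reported as shadowed, while INTENDED_ACL denies it and permits the Exchange server. SMARTHOST_ACL covers only traffic leaving the LAN; restricting what the smart host may send inbound would be a separate ACL on the outside interface.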

Hello,

A Zone-Based Firewall can do that. Do you simply want to restrict SMTP traffic, and allow everything else both ways?
