Prevent spam before router

Jul 13th, 2009


We are a small ISP and we have a problem in one of our locations. We have a 2811 router with 5Mb of internet and around 50 clients behind it. The router's WAN interface has a public IP and is doing NAT for the clients on the LAN interface. The problem is that one or more client PCs are sending spam to the internet, which is why the public IP of the WAN interface is too often listed in some DNSBLs or blacklists. When some other clients send emails from their own domains, the emails don't arrive because it says that the IP of the WAN interface is in a blacklist.

The question is, can we do something to prevent this without having to change the public IP?

Collin Clark Tue, 07/14/2009 - 13:24

You bet. Apply an ACL on the LAN interface denying the end users SMTP access but allowing your mail server. Assume your mail server is

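    ! <mail-server-ip> is a placeholder; the address is missing from the post
    ip access-list extended FILTER_OUTBOUND
     permit tcp host <mail-server-ip> any eq 25
     ! the log keyword is optional
     deny tcp any any eq 25 log
     permit ip any any
    !
    interface fa0/1
     ip access-group FILTER_OUTBOUND in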

Hope that helps.
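
With the optional `log` keyword on the deny line, the router reports each blocked SMTP attempt, which is how you find the infected PCs behind the NAT. The script below is an added example, not part of the original replies: it tallies blocked port 25 traffic per client from syslog text. The sample lines are constructed, and the three-destination threshold is an assumed heuristic (a normal mail client talks to one server, a spam bot to many).

```python
import re
from collections import Counter

# Constructed sample lines in the IOS %SEC-6-IPACCESSLOGP syslog format.
SAMPLE_LOG = """\
Jul 14 13:30:01 gw 101: %SEC-6-IPACCESSLOGP: list FILTER_OUTBOUND denied tcp 192.168.1.23(1045) -> 203.0.113.5(25), 1 packet
Jul 14 13:35:02 gw 102: %SEC-6-IPACCESSLOGP: list FILTER_OUTBOUND denied tcp 192.168.1.23(1046) -> 198.51.100.7(25), 14 packets
Jul 14 13:35:02 gw 103: %SEC-6-IPACCESSLOGP: list FILTER_OUTBOUND denied tcp 192.168.1.23(1047) -> 198.51.100.99(25), 9 packets
Jul 14 13:36:10 gw 104: %SEC-6-IPACCESSLOGP: list FILTER_OUTBOUND denied tcp 192.168.1.40(3311) -> 203.0.113.5(25), 1 packet
Jul 14 13:37:00 gw 105: %SEC-6-IPACCESSLOGP: list OTHER_ACL denied tcp 192.168.1.50(2000) -> 203.0.113.9(25), 5 packets
"""

LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) denied tcp "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\(\d+\) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

def blocked_smtp_by_client(log_text, acl="FILTER_OUTBOUND"):
    """Return {client_ip: (blocked_packets, distinct_destinations)}."""
    packets = Counter()
    dests = {}
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        # Skip unrelated lines, other ACLs and non-SMTP destination ports.
        if not m or m["acl"] != acl or m["dport"] != "25":
            continue
        packets[m["src"]] += int(m["count"])
        dests.setdefault(m["src"], set()).add(m["dst"])
    return {src: (n, len(dests[src])) for src, n in packets.items()}

def likely_spammers(log_text, min_destinations=3):
    """Clients that tried at least min_destinations different mail servers
    (assumed threshold), sorted by blocked packet count, highest first."""
    stats = blocked_smtp_by_client(log_text)
    hits = [(src, n, d) for src, (n, d) in stats.items() if d >= min_destinations]
    return sorted(hits, key=lambda h: h[1], reverse=True)

if __name__ == "__main__":
    for src, n, d in likely_spammers(SAMPLE_LOG):
        print(f"{src}: {n} blocked SMTP packets to {d} destinations")
```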

Pavel Bykov Mon, 07/20/2009 - 05:53

Also, there are professional solutions from Cisco, such as IRONPORT, that will solve the problem for you based on the complex scores of the traffic. We use them and I have nothing but praise for them. Also, the licensing is very attractive.
