07-13-2009 02:08 PM
Hi,
We are a small ISP and we have a problem in one of our locations, we have a Router 2811 with 5Mb of internet and around 50 clients behind, the router in the WAN interface have a public IP and is doing NAT to the LAN interface of clients and the problem is that one or more clients PCs are sending spam to the internet and that's why the public IP of the WAN interface is too often in some DNSBLs or blacklist and some other clients when they send emails from they own domains doesn't arrive because it's say that the IP of the WAN interface is in a blacklist.
The question is, can we do something to prevent this without have to change the public IP????
07-14-2009 01:24 PM
You bet. Apply an ACL on the LAN interface denying the end users SMTP access but allowing your mail server. Assume your mail server is 192.168.1.5.
ip access-list extended FILTER_OUTBOUND
permit tcp host 192.168.1.5 any eq 25
deny tcp any any eq 25 log (log is optional)
permit ip any any
interface fa0/1
ip access-group FILTER_OUTBOUND in
Hope that helps.
07-20-2009 05:53 AM
Also, there are professional solutions from Cisco, such as IRONPORT, that will solve the problem for you based on the complex scores of the traffic. We use them and I have nothing but praise for them. Also, the licensing is very attractive.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide