×

Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

block all outgoing traffic on port 25 while still allowing only exchange traffic on port 25?

Unanswered Question
Jul 18th, 2013
User Badges:

this is probably an easy question for most..


It seems that my exchange server or a client on my network has been compromised and my exchange server or an outlook client being used to send spam. Our IP has landed on a couple blacklists. In an attempt to block these clients i want to create a rule to block outbound traffic on port 25 accept from the exchange server. My exchange servers IP is 192.168.7.200 what commands do i need to apply to this config to achieve this?


Thanks in advance..


Current configuration : 11313 bytes

!

version 12.4

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

service sequence-numbers

!

hostname router

!

boot-start-marker

boot-end-marker

!

security authentication failure rate 3 log

security passwords min-length 6

logging buffered 4096

logging console critical

enable secret 5

!

--More--                           aaa new-model

!

!

aaa authentication login default local

aaa authentication login vpnclient local

aaa authentication login ciscocp_vpn_xauth_ml_1 local

aaa authentication login userauth local

aaa authorization exec default local

aaa authorization network localgroups local

aaa authorization network vpnclient-group local

!

!

aaa session-id common

clock timezone PCTime -5

clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00

!

crypto pki trustpoint TP-self-signed-*****

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-********

revocation-check none

rsakeypair TP-self-sig-********

!

!

--More--                           crypto pki certificate chain TP-self-signed-********

certificate self-signed 01

 

   quit

dot11 syslog

no ip source-route

--More--                           !

!

no ip cef

no ip dhcp use vrf connected

ip dhcp excluded-address 192.168.7.1

!

ip dhcp pool ccp-pool1

   import all

   network 192.168.7.0 255.255.255.0

   dns-server 192.168.7.244

   default-router 192.168.7.1

!

!

no ip bootp server

ip name-server 192.168.7.197

ip name-server 68.237.161.12

ip inspect log drop-pkt

!

multilink bundle-name authenticated

vpdn enable

!

vpdn-group 1

! Default PPTP VPDN group

--More--                            accept-dialin

  protocol pptp

  virtual-template 1

!

!

!

username ***************

username vpnclient password **************

!

crypto keyring dmvpnspokes

  pre-shared-key address 0.0.0.0 0.0.0.0 key **********

!

crypto isakmp policy 5

encr 3des

authentication pre-share

group 2

!

crypto isakmp policy 10

encr 3des

hash md5

authentication pre-share

group 2

!

--More--                           crypto isakmp client configuration group remoteusers

key remoteusers

dns 192.168.7.197

pool vpnpool

!

crypto isakmp client configuration group vpnclient-group

key cisco123

dns 192.168.7.197

pool vpnclientpool

acl 132

crypto isakmp profile vpnclient-profile

   match identity group vpnclient-group

   client authentication list userauth

   isakmp authorization list vpnclient-group

   client configuration address respond

crypto isakmp profile DMVPN

   keyring dmvpnspokes

   match identity address 0.0.0.0

!

!

crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac

crypto ipsec transform-set l2tpset esp-3des esp-md5-hmac

mode transport

--More--                           crypto ipsec df-bit clear

!

crypto ipsec profile myprofile

set transform-set 3des-sha

set isakmp-profile DMVPN

!

!

crypto dynamic-map dynmap 10

set transform-set 3des-sha

set isakmp-profile vpnclient-profile

!

!

crypto map mymap 50 ipsec-isakmp dynamic dynmap

!

archive

log config

  hidekeys

!

!

ip tcp synwait-time 10

ip ssh time-out 60

ip ssh authentication-retries 2

!

--More--                           class-map type inspect match-all TEST

match access-group 110

class-map type inspect match-any ccp-cls-insp-traffic

match protocol cuseeme

match protocol dns

match protocol ftp

match protocol h323

match protocol https

match protocol icmp

match protocol imap

match protocol pop3

match protocol netshow

match protocol shell

match protocol realmedia

match protocol rtsp

match protocol smtp extended

match protocol sql-net

match protocol streamworks

match protocol tftp

match protocol vdolive

match protocol tcp

match protocol udp

class-map type inspect match-all ccp-insp-traffic

--More--                            match class-map ccp-cls-insp-traffic

class-map type inspect match-any ccp-cls-icmp-access

match protocol icmp

match protocol tcp

match protocol udp

class-map type inspect match-all ccp-invalid-src

match access-group 100

class-map type inspect match-all ccp-icmp-access

match class-map ccp-cls-icmp-access

class-map type inspect match-all ccp-protocol-http

match protocol http

!

!

policy-map type inspect ccp-permit-icmpreply

class type inspect ccp-icmp-access

  inspect

class class-default

  pass

policy-map type inspect ccp-inspect

class type inspect ccp-invalid-src

  drop log

class type inspect ccp-protocol-http

  inspect

--More--                            class type inspect ccp-insp-traffic

  inspect

class class-default

policy-map type inspect ccp-permit

class type inspect TEST

  inspect

class class-default

!

zone security out-zone

zone security in-zone

zone-pair security ccp-zp-self-out source self destination out-zone

service-policy type inspect ccp-permit-icmpreply

zone-pair security ccp-zp-in-out source in-zone destination out-zone

service-policy type inspect ccp-inspect

zone-pair security ccp-zp-out-self source out-zone destination self

service-policy type inspect ccp-permit

!

!

!

interface Tunnel0

bandwidth 1000

ip address 10.10.5.1 255.255.255.0

no ip redirects

--More--                            ip mtu 1460

ip nhrp authentication cisco123

ip nhrp map multicast dynamic

ip nhrp network-id 1

ip nhrp holdtime 600

ip tcp adjust-mss 1400

ip ospf network broadcast

ip ospf priority 2

ip ospf mtu-ignore

delay 1000

tunnel source FastEthernet0

tunnel mode gre multipoint

tunnel protection ipsec profile myprofile

!

interface BRI0

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

encapsulation hdlc

ip route-cache flow

shutdown

!

--More--                           interface FastEthernet0

description $ES_WAN$$FW_OUTSIDE$

ip address x.x.x.x 255.255.255.0

no ip proxy-arp

ip nat outside

ip virtual-reassembly

ip route-cache flow

duplex auto

speed auto

crypto map mymap

!

interface FastEthernet1

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

ip route-cache flow

shutdown

duplex auto

speed auto

!

interface FastEthernet2

!

--More--                           interface FastEthernet3

!

interface FastEthernet4

!

interface FastEthernet5

!

interface FastEthernet6

!

interface FastEthernet7

!

interface FastEthernet8

!

interface FastEthernet9

!

interface Virtual-Template1

ip unnumbered FastEthernet0

peer default ip address pool pptp-pool

no keepalive

ppp encrypt mppe auto

ppp authentication pap chap ms-chap

!

interface Vlan1

description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$ES_LAN$$FW_INSIDE$

--More--                            ip address 192.168.7.1 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip mtu 1360

ip nat inside

ip virtual-reassembly

ip route-cache flow

ip tcp adjust-mss 1200

ip policy route-map clear-df

!

router ospf 10

log-adjacency-changes

network 10.10.5.0 0.0.0.255 area 0

network 192.168.7.0 0.0.0.255 area 0

!

ip local pool vpnpool 192.168.200.1 192.168.200.254

ip local pool vpnclientpool 192.168.8.160 192.168.8.200

ip local pool pptp-pool 192.168.9.160 192.168.9.200

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 x.x.x.x

!

!

--More--                           ip http server

ip http access-class 23

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

ip nat inside source list 194 interface FastEthernet0 overload

ip nat inside source static tcp 192.168.7.200 25 interface FastEthernet0 25

ip nat inside source static tcp 192.168.7.200 443 interface FastEthernet0 443

ip nat inside source static udp 192.168.7.200 443 interface FastEthernet0 443

!

logging trap debugging

access-list 1 remark INSIDE_IF=Vlan1

access-list 1 remark CCP_ACL Category=2

access-list 1 permit 192.168.7.0 0.0.0.255

access-list 100 remark CCP_ACL Category=128

access-list 100 permit ip host 255.255.255.255 any

access-list 100 permit ip 127.0.0.0 0.255.255.255 any

access-list 100 permit ip 96.246.158.0 0.0.0.255 any

access-list 110 permit ip any host 96.246.158.15

access-list 132 permit ip 192.168.7.0 0.0.0.255 192.168.8.0 0.0.0.255

access-list 194 deny   ip 192.168.7.0 0.0.0.255 192.168.8.0 0.0.0.255

access-list 194 permit ip 192.168.7.0 0.0.0.255 any

access-list 199 permit ip host 192.168.7.197 192.168.9.0 0.0.0.255

access-list 199 permit ip host 192.168.7.197 192.168.6.0 0.0.0.255

access-list 199 permit ip host 192.168.7.97 192.168.11.0 0.0.0.255

access-list 199 permit ip host 192.168.7.197 192.168.201.0 0.0.0.255

access-list 199 permit ip host 192.168.7.197 192.168.12.0 0.0.0.255

no cdp run

!

!

!

route-map clear-df permit 10

match ip address 199

set ip df 0

!

!

!

!

control-plane

!

banner exec ^C

% Password expiration warning.

-----------------------------------------------------------------------


Cisco Configuration Professional (Cisco CP) is installed on this device

and it provides the default username "cisco" for  one-time use. If you have

--More--                           already used the username "cisco" to login to the router and your IOS image

supports the "one-time" user option, then this username has already expired.

You will not be able to login to the router with this username after you exit

this session.


It is strongly suggested that you create a new username with a privilege level

of 15 using the following command.


username <myuser> privilege 15 secret 0 <mypassword>


Replace <myuser> and <mypassword> with the username and password you want to

use.


-----------------------------------------------------------------------

^C

banner login ^CAuthorized access only!

Disconnect IMMEDIATELY if you are not an authorized user!^C

!

line con 0

transport output telnet

line aux 0

transport output telnet

line vty 0 4

--More--                            exec-timeout 0 0

privilege level 15

transport input telnet ssh

line vty 5 7

privilege level 15

transport input telnet ssh

line vty 8 15

transport input telnet ssh

!

scheduler allocate 4000 1000

scheduler interval 500

!

webvpn gateway gateway_1

ip address x.x.x.x port 8443

http-redirect port 80

ssl trustpoint TP-self-signed-4273367397

inservice

!

webvpn context RemoteSSL

secondary-color white

title-color #CCCC66

text-color black

ssl authenticate verify all

--More--                            !

!

policy group policy_1

default-group-policy policy_1

aaa authentication list ciscocp_vpn_xauth_ml_1

gateway gateway_1

inservice

!

end

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
mvsheik123 Thu, 07/18/2013 - 09:17
User Badges:
  • Gold, 750 points or more

Hi,


Looks like your exchange server is in Vlan1. Try this ACL (during maintenance window)..


---------------------------------------------------------------------

!

access-list 102 permit tcp host 192.168.7.200 any eq smtp

access-list 102 deny   tcp any any eq smtp

access-list 102 permit ip any any

!

int vla1

ip access-group 102 in

!

This will let 192.168.7.200 allow to make any port 25 (SMTP) connections to outside, while deny from rest of the IPs. As you want rest of the traffic to go, you need 'ip any any' at the end.

---------------------------------------------------------------------------------------------------

hth

MS

Actions

This Discussion