Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
New Member

firewall to protect mail server

my router = Cisco 2651XM with wic-adsl card.

IOS = c2600-adventerprisek9-mz.124-2.T.bin

I've set up a mail server computer at my home and I was wondering if there are any known good router firewall settings that will hinder spammers relaying junk mail through my mail server. I know there are several things I can do on the server machine itself, but I'd also like to stop them at the router if that's possible.

I know I can filter traffic based on outside IP address but people's ip addresses change all the time so that's not a viable approach. Is it possible to filter outside traffic based on an outside mac address?

Thanks for any advice.


Re: firewall to protect mail server

MAC acls can be used for filtering the traffic based on MAC address.MAC ACLs are applied on incoming traffic on Gigabit Ethernet interfaces and VLAN subinterfaces. After a networking device receives a packet, the Cisco IOS software checks the source MAC address of the Gigabit Ethernet, 802.1Q VLAN, or 802.1Q-in-Q packet against the access list. If the MAC access list permits the address, the software continues to process the packet. If the access list denies the address, the software discards the packet and returns an Internet Control Message Protocol (ICMP) host unreachable message.If the specified MAC ACL does not exist on the interface or subinterface, all packets are passed.

New Member

Re: firewall to protect mail server

thanks for your response hadbou, Im glad to hear mac filtering is possible. I was looking on google but I'm finding it hard to understand what the correct acl command should be for this. I found this example command:

access-list 700 per 001c.baba.ca1b 0000.0000.0000

(where "001c.baba.ca1b 0000.0000.0000" is replaced with real mac addresses) but I need the permit rule to be on ports 25 and 110 (smtp and pop3) coming into Dialer0 from outside. Do you know what the correct command should be? maybe something like...

access-list 700 permit aaaa.aaaa.aaaa Dialer0 25 (?)

Attached is my running config, thanks for any advice.

CreatePlease to create content