Cisco Support Community

Restricting outbound SMTP on NAT'ed LAN

Newbie Question.

I have a 3620 with very minimal programming: a single Internet IP using an overloaded NAT to support a 192.168.1.0 network, and a few holes to allow SMTP, etc. I am having concerns that there might be SPAM originating from some workstations in my network. I would like to shut down all outbound access to port 25 except for my Exchange server (192.168.1.20). If you would like to provide more input about other outbound restrictions, please include it. I am just starting with SMTP for now.

My apologies for the simplicity of this post; I am not a Cisco engineer and it is always a struggle to make even the simplest change on the router.

Thank you.

Jonathan

4 REPLIES
Hall of Fame Super Blue

Re: Restricting outbound SMTP on NAT'ed LAN

Hi Jonathan

access-list 101 permit tcp host 192.168.1.20 any eq 25
access-list 101 deny tcp any any eq 25
access-list 101 permit ip any any

On the router interface that connects to your LAN, e.g. fa0/1:

interface fa0/1
ip access-group 101 in

Explanation:

The first line allows your Exchange server to talk SMTP to any server on the Internet.

The second line stops all other internal machines from initiating SMTP connections.

The last line is just to allow everything else to flow normally.

Obviously, if you want to restrict traffic further, you can use deny statements before the permit ip any any at the end, or, if you know all the ports in use from the inside to the outside, you can just permit those ports and deny anything else.

HTH

Jon

Re: Restricting outbound SMTP on NAT'ed LAN

Thanks. However, I have another really stupid question. I have only learned to program the router through the CLI and I have never figured out how to move configuration lines around. I already had the "access-list 101 ip any any" and when I add the two others you mentioned, they are added below the first one.

Silver

Re: Restricting outbound SMTP on NAT'ed LAN

router# config t
router(config)# no access-list 101
router(config)# access-list 101....

Re: Restricting outbound SMTP on NAT'ed LAN

Thanks, it worked. I actually already tried this, but it did not work at first... my connection dropped and I thought my router had crashed. Then, after reading your response, one lone brain cell clued in... I had just beheaded myself (no tcp --> no telnet). I entered the commands from the router console interface and it worked like a charm.

Thanks for your help and patience.

Jonathan
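The whole change as one console session, added here as an example and not taken from any post above. It puts together Jon's three ACL lines, Silver's rebuild with no access-list 101, and a guard against the lockout Jonathan hit: a numbered ACL filters as soon as its first line exists, so while the list is half built everything not yet permitted (including a telnet session from a workstation) hits the implicit deny at the end. The interface name FastEthernet0/1 and the Exchange server 192.168.1.20 are the thread's; the reload in 10 safety net, the remark line, and the log keyword on the deny line are this example's own additions.

```cisco
! Added example, not from the original thread. Assumes the LAN interface is
! FastEthernet0/1 and the Exchange server is 192.168.1.20, as in the posts.

! 1. Safety net: if the change locks you out, the router reboots to the saved
!    configuration in 10 minutes. Cancel it once access is confirmed.
router# reload in 10
router# configure terminal

! 2. Detach the list from the interface before rebuilding it, so the interface
!    never filters with a half-built ACL (one permit line plus implicit deny).
router(config)# interface FastEthernet0/1
router(config-if)# no ip access-group 101 in
router(config-if)# exit

! 3. Rebuild in the correct order. An ACL is first match wins: the SMTP permit
!    for the mail server must come before the SMTP deny, and the catch-all
!    permit must be last. "log" on the deny records the source address of each
!    blocked connection, which is how the spamming workstations are identified.
!    An inbound ACL on the inside interface is checked before inside-to-outside
!    NAT, so it sees the private 192.168.1.x source addresses.
router(config)# no access-list 101
router(config)# access-list 101 remark Only the Exchange server may send SMTP
router(config)# access-list 101 permit tcp host 192.168.1.20 any eq smtp
router(config)# access-list 101 deny tcp any any eq smtp log
router(config)# access-list 101 permit ip any any

! 4. Re-apply inbound on the LAN interface ("in" = packets arriving from the LAN).
router(config)# interface FastEthernet0/1
router(config-if)# ip access-group 101 in
router(config-if)# end

! 5. Verify the list and its binding, then cancel the pending reload and save.
router# show access-lists 101
router# show ip interface FastEthernet0/1 | include access list
router# reload cancel
router# write memory
```

Detaching the list first means the rebuild never filters live traffic, and the pending reload puts the saved configuration back if access is still lost. After the change, show access-lists 101 shows a match counter per line, and every connection blocked by the deny line produces a %SEC-6-IPACCESSLOGP syslog message naming the source address and port, which points straight at the workstations that were sending the spam. Logging costs CPU on a router of this size, so keep log on the deny line only, not on the catch-all permit.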
