Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Basic IOS Filtering Question

Hi,

I have a fairly basic question. We have a very small network, but have seen spam on the rise recently. It comes from a limited number of domains and I would like to block it at the Router level, so my email server does not even need to see it. However, I've added (what I think are) the appropriate access-list lines and email from those subnets still seems to be passing through. Can someone help. An example of the line that I have is:

access-list 101 deny ip 207.33.16.0 0.0.0.255 any

(I think this blocks ips in the range 207.33.16.0 - 207.33.16.255).

Also, if there is a better (but free) way of blocking incoming spam traffic at the router level, I would love to hear it. We run MS Exchange and it's filtering seems completely inept.

Thanks for any help.

3 REPLIES
Cisco Employee

Re: Basic IOS Filtering Question

The access-list you show would drop all traffic from 207.33.16.0-255, assuming you have it applied INBOUND on your outside interface, for example:

int serial 0

description Interface to Internet

ip access-group 101 in

Keep in mind though that at the end of every access-list, there's an implicit "deny all", so if you just have the above line in your ACL, it will actually block ALL traffic. A better way to do this would be to just filter SMTP traffic with the following:

access-list 101 deny tcp 207.33.16.0 0.0.0.255 any eq smtp

access-list 101 permit ip any any

Having said that, this is still not a very good way to block spam, since the spam could be coming from any number of different SMTP servers on the Internet. There is really no good way to block it from the router unfortunately, you're better off doing it from your internal mail gateway.

New Member

Re: Basic IOS Filtering Question

Thanks for the reply. Yes - I have this set inbound on my outside interface.....Hmm, I wonder if it has anything to do with the other filters I have....to be more complete, here is an extended smaple. My email server ip is 198.234.234.5 (not real) in this example.

access-list 101 deny ip 207.33.16.0 0.0.0.255

access-list 101 permit tcp any any established

access-list 101 permit udp any host 198.234.234.5 eq smtp

access-list 101 permit ip any host 198.234.234.5

So - do the last three cancel out the first one - or should this configuration work? I'll look into the firewall product as well.

The reasons I want to block it at the router are (a) it seems to be coming from a reasonably well defined set of spammers and (b) the filtering in MS Exchange (my email server) is just terrible. I started with Exchange filtering and it has just had a 0% success rate. My next step is to purchase a mail spam protection system, but I'm trying to avoid that if I can.

(Plus, it always help to learn more about the capabilities and configuration of the router).

Cisco Employee

Re: Basic IOS Filtering Question

Well, on a router, there are several ways to do this, but most elegant would be using IOS Firewall IDS technique which also takes care of spam attacks, (but the IOS FW image is not free)

http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120t/120t5/iosfw2/ios_ids.htm#xtocid96

Also you could look into CAR to limit the bandwidth for SMTP traffic, below is not exactly a sample config, but just to give you an idea how to use CAR;

http://www.cisco.com/warp/public/63/car_rate_limit_icmp.html

HTH

R/Yusuf

214
Views
0
Helpful
3
Replies