
2800 NAT Router SPAM Filtering

hirmoge123_2
Level 1

I have a SPAM problem: whenever we try to send email via Outlook, the email immediately returns with the error below:

Your message did not reach some or all of the intended recipients.

Subject: Voice Destination - Sudan

Sent: 9/30/2009 9:49 AM

The following recipient(s) cannot be reached:

'crc@telenor.com' on 9/30/2009 9:50 AM

451 Blocked - see http://cbl.abuseat.org/lookup.cgi?ip=196.201.180.3

'hillaac@telcomsl.com' on 9/30/2009 9:50 AM

451 Blocked - see http://cbl.abuseat.org/lookup.cgi?ip=196.201.180.3

After I run the CBL Lookup Utility and delist it, sometimes I can send the email, but after some time the problem occurs again, and now this problem occurs on a daily basis.

The IP address 196.201.180.3, which is a public and NAT translator, gets SPAM from some clients and CBL stops the email.

We don't have a local email server and I need to filter and block all spam originating from our public and private IPs.

This is the command I used to stop the spam, but it is still not working:

access-list 15 permit 10.100.100.0 0.0.0.255

access-list 101 deny tcp any any eq smtp

access-list 101 permit ip any any


Giuseppe Larosa
Hall of Fame

Hello Hassan,

I don't see ACL 101 applied anywhere in your configuration.

I think you should modify the NAT configuration to be able to invoke an extended ACL to be able to block SMTP traffic before it is translated.

access-list 121 remark selective NAT

access-list 121 deny tcp 10.100.100.0 0.0.0.255 any eq smtp

access-list 121 permit ip 10.100.100.0 0.0.0.255 any

route-map selective-NAT permit 10

match ip address 121

Then change the NAT global command:

no ip nat inside source list 15 interface FastEthernet0/0 overload

It becomes:

ip nat inside source route-map selective-NAT interface FastEthernet0/0 overload

This will block every attempt to access SMTP servers from the inside private addresses.

To find out which PCs are trying to send all these emails, you could use:

access-list 102 permit tcp any any eq smtp log

access-list 102 permit ip any any

And you can apply this inbound on your internal (private) interface:

int fas0/1

ip access-group 102 in

You can then look at the log messages on the router to find out the user PCs.

The two actions can be combined, or you can try to use ACL 102 first to find out the user PCs.

Those attempting to send many SMTP messages are likely those doing SPAM.

Hope to help

Giuseppe
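The log review suggested in the reply above can be scripted. The following is an added example, not part of the original posts: it assumes the router log has been saved as text with ACL 102 hits in the standard `%SEC-6-IPACCESSLOGP` format, and the function names, the `min_servers` threshold and the sample lines are constructed for illustration. It ranks inside hosts by how many distinct SMTP servers they contact, since a normal mail client talks to one or two relays while a spam sender fans out to many.

```python
import re
from collections import defaultdict

# Constructed sample of router log output for ACL 102 (not taken from the thread).
SAMPLE_LOG = """\
*Sep 30 09:49:12.101: %SEC-6-IPACCESSLOGP: list 102 permitted tcp 10.100.100.23(3321) -> 198.51.100.10(25), 1 packet
*Sep 30 09:49:12.640: %SEC-6-IPACCESSLOGP: list 102 permitted tcp 10.100.100.23(3322) -> 203.0.113.44(25), 1 packet
*Sep 30 09:49:13.002: %SEC-6-IPACCESSLOGP: list 102 permitted tcp 10.100.100.7(1188) -> 192.0.2.25(25), 1 packet
*Sep 30 09:49:13.377: %SEC-6-IPACCESSLOGP: list 102 permitted tcp 10.100.100.23(3325) -> 198.51.100.77(25), 1 packet
*Sep 30 09:49:14.015: %SEC-6-IPACCESSLOGP: list 110 denied tcp 10.100.100.9(2050) -> 192.0.2.80(25), 1 packet
*Sep 30 09:54:12.101: %SEC-6-IPACCESSLOGP: list 102 permitted tcp 10.100.100.23(3321) -> 198.51.100.10(25), 41 packets
*Sep 30 09:54:13.002: %SEC-6-IPACCESSLOGP: list 102 permitted tcp 10.100.100.7(1188) -> 192.0.2.25(25), 12 packets
"""

# IOS extended-ACL log line: list, action, src(port) -> dst(port), packet count.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) tcp "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?"
)

def smtp_talkers(log_text, acl="102", smtp_port=25):
    """Per inside host: packets logged toward port 25 and distinct servers contacted."""
    stats = defaultdict(lambda: {"packets": 0, "servers": set()})
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m["acl"] != acl or int(m["dport"]) != smtp_port:
            continue  # other ACLs, other ports, or unrelated log lines
        stats[m["src"]]["packets"] += int(m["count"])
        stats[m["src"]]["servers"].add(m["dst"])
    # Most distinct servers first, then most packets.
    return sorted(stats.items(),
                  key=lambda kv: (len(kv[1]["servers"]), kv[1]["packets"]),
                  reverse=True)

def suspects(log_text, min_servers=3):
    """Hosts contacting at least min_servers SMTP servers (hypothetical threshold)."""
    return [src for src, s in smtp_talkers(log_text) if len(s["servers"]) >= min_servers]

if __name__ == "__main__":
    for src, s in smtp_talkers(SAMPLE_LOG):
        print(f"{src:15} servers={len(s['servers'])} packets={s['packets']}")
    print("review first:", suspects(SAMPLE_LOG))
```

The packet counts are sums of what the router reported, including its periodic summary lines, so they indicate volume of SMTP traffic rather than a count of messages.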

Thanks for your assistance.

If I apply this configuration, how will it affect normal Outlook email receiving and sending?

What if I need to allow a specific IP to send/receive Outlook emails?

Hello Hassan,

Sorry, access-list 121 would block any attempt to send mails.

So please don't apply the configuration I had suggested. I apologize for this.

Other note:

Be aware that MS Outlook may use different protocols than standard SMTP, so you need to check how the mail clients are configured.

I think you should use a named ACL to be invoked in the NAT route-map.

In this way you can deny access to SMTP to specific hosts that you don't trust or that you have evidence are making spam activity.

Something like:

ip access-list extended mail_for_some

deny tcp host host1 any eq smtp

deny tcp host host2 any eq smtp

...

deny tcp host hostN any eq smtp

permit ip yoursubnet any

The real trouble is that you should keep the ACL updated.

Hope to help

Giuseppe
