Cisco Support Community

New Member

Block outbound port 25

We are trying to block port 25 outbound for all workstations other than the Exchange server. Here is what we've done (192.168.77.40 is the server):

access-list 100 permit tcp host 192.168.77.40 any eq smtp
access-list 100 deny tcp 192.168.77.0 0.0.0.255 any eq smtp log
access-list 100 permit ip 192.168.77.40 0.0.0.255 any

We've tested it by going to a workstation and telnetting to another Exchange server on port 25. Unfortunately we can connect and the block doesn't seem to be working. Can anyone help?

Thanks in advance!

12 REPLIES
Hall of Fame Super Blue

Re: Block outbound port 25

Charlie

What have you applied the acl on, i.e. which interface and in which direction relative to the clients?

Jon

New Member

Re: Block outbound port 25

Hi Jon,

I have applied them on Ethernet0, originating traffic

Thanks!

Hall of Fame Super Blue

Re: Block outbound port 25

Charlie

So ethernet0 is the interface connecting to the 192.168.77.0/24 network?

And you have applied the acl in an inbound direction, i.e.

int eth0
 ip access-group 100 in

Finally, the exchange server you can ping is reachable via another interface off the router?

Jon

New Member

Re: Block outbound port 25

Hi Jon,

Answering your last question first - yes, the Exchange server I'm pinging from a LAN workstation is not local (i.e. at a different company across the internet).

Yes, ethernet0 is connected to the 192.168.77.x subnet.

I thought it was being applied in the right direction, but maybe that is my problem (I'm certainly no CCNA). I will check this.

I have been trying to post a bit more of the configuration, but seem to be blocked by the forum rules (even when the WAN address has been replaced by x.x.x.x)

Thanks,

Charlie

Blue

Re: Block outbound port 25

Charlie, you're not being blocked by the forum. They're just giving you a reminder not to post sensitive material.

Post your config and let Jon look at it. He's one of the best on here so take advantage of his time. :-)

Victor

New Member

Re: Block outbound port 25

I've been trying to post the config, but every time I paste it in then the "Post" button does nothing (it's well under 4000 characters).

Thanks,

Charlie

New Member

Re: Block outbound port 25

One more try (this time using Google Chrome as the browser):

interface Ethernet0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-Ethernet 10/100$$ES_LAN$$FW_INSIDE$
 ip address 192.168.77.1 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip route-cache flow
 no cdp enable
!
interface Ethernet1
 description $FW_OUTSIDE$$ES_WAN$
 ip address x.x.x.x 255.255.255.252
 ip access-group 101 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect DEFAULT100 out
 ip route-cache flow
 duplex auto
 no cdp enable
!

ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet1
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
!
ip nat inside source list 1 interface Ethernet1 overload
ip nat inside source static tcp 192.168.77.40 3389 interface Ethernet1 3389
ip nat inside source static tcp 192.168.77.40 25 interface Ethernet1 25
ip nat inside source static tcp 192.168.77.40 443 interface Ethernet1 443
ip nat inside source static tcp 192.168.77.40 444 interface Ethernet1 444
ip nat inside source static tcp 192.168.77.40 4125 interface Ethernet1 4125
!
logging trap debugging
access-list 1 remark INSIDE_IF=Ethernet0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.77.0 0.0.0.255
access-list 100 remark auto-generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip x.x.x.x 0.0.0.3 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 100 permit tcp host 192.168.77.40 any eq smtp

(x.x.x.x is the client's WAN address)

Thanks,

Charlie

New Member

Re: Block outbound port 25

Hi Jon,

I think my conversation got lost in the mix, but still hoping to solve the problem.

Using this configuration, we can telnet to another Exchange server, across the internet, from a PC on the LAN (exactly what we are trying to prevent - trying to ensure that a malware-compromised PC can't spam).

interface Ethernet0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-Ethernet 10/100$$ES_LAN$$FW_INSIDE$
 ip address 192.168.77.1 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip route-cache flow
 no cdp enable
!
interface Ethernet1
 description $FW_OUTSIDE$$ES_WAN$
 ip address x.x.x.x 255.255.255.252
 ip access-group 101 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect DEFAULT100 out
 ip route-cache flow
 duplex auto
 no cdp enable
!

ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet1
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
!
ip nat inside source list 1 interface Ethernet1 overload
ip nat inside source static tcp 192.168.77.40 3389 interface Ethernet1 3389
ip nat inside source static tcp 192.168.77.40 25 interface Ethernet1 25
ip nat inside source static tcp 192.168.77.40 443 interface Ethernet1 443
ip nat inside source static tcp 192.168.77.40 444 interface Ethernet1 444
ip nat inside source static tcp 192.168.77.40 4125 interface Ethernet1 4125
!
logging trap debugging
access-list 1 remark INSIDE_IF=Ethernet0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.77.0 0.0.0.255
access-list 100 remark auto-generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip x.x.x.x 0.0.0.3 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 100 permit tcp host 192.168.77.40 any eq smtp

(x.x.x.x is the client's WAN address)

I appreciate your help!

Charlie

Hall of Fame Super Blue

Re: Block outbound port 25

Charlie

Can you clarify? In your original post you have this as your acl:

access-list 100 permit tcp host 192.168.77.40 any eq smtp
access-list 100 deny tcp 192.168.77.0 0.0.0.255 any eq smtp log
access-list 100 permit ip 192.168.77.40 0.0.0.255 any

yet in the config example you sent:

access-list 100 remark auto-generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip x.x.x.x 0.0.0.3 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 100 permit tcp host 192.168.77.40 any eq smtp

The above will not stop 192.168.77.0/24 connecting to any exchange server on the internet as you have a "permit ip any any" in it.

Why is the actual acl on your router not matching what you put in your original post?

Jon
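As an added example that is not part of the thread or of any Cisco code: a small Python evaluator that models the first-match, implicit-deny behaviour of an IOS extended ACL, run over the SDM-generated list above and over the ordering from the original post. The workstation and remote-server addresses in the usage note are constructed.

```python
import ipaddress
# Constructed first-match evaluator for the IOS ACL lines in this thread (not code from the thread or Cisco).
def _addr(tok, i):
    # Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'.
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    # IOS wildcard masks are inverted netmasks: 0.0.0.255 -> 255.255.255.0
    wild = int(ipaddress.IPv4Address(tok[i + 1]))
    netmask = str(ipaddress.IPv4Address(0xFFFFFFFF ^ wild))
    return ipaddress.ip_network((tok[i], netmask), strict=False), i + 2

def parse_entry(line):
    # Returns (action, proto, src_net, dst_net, dport), or None for a remark.
    tok = line.split()
    if tok[0] != "access-list" or tok[2] == "remark":
        return None
    src, i = _addr(tok, 4)
    dst, i = _addr(tok, i)
    has_port = i < len(tok) and tok[i] == "eq"
    port = (25 if tok[i + 1] == "smtp" else int(tok[i + 1])) if has_port else None
    return tok[2], tok[3], src, dst, port

def evaluate(acl, proto, src, dst, dport):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, entry in enumerate(map(parse_entry, acl), 1):
        if entry is None:
            continue
        action, eproto, esrc, edst, eport = entry
        if eproto not in ("ip", proto) or src not in esrc or dst not in edst:
            continue
        if eport is not None and eport != dport:
            continue
        return action, n  # decision and the 1-based entry that matched
    return "deny", None

# SDM list from the posted config (WAN placeholder line omitted) vs. the original post's ordering.
SDM_ACL = [
    "access-list 100 remark SDM_ACL Category=1",
    "access-list 100 permit ip any any",
    "access-list 100 permit tcp host 192.168.77.40 any eq smtp",
]
FIXED_ACL = [
    "access-list 100 permit tcp host 192.168.77.40 any eq smtp",
    "access-list 100 deny tcp 192.168.77.0 0.0.0.255 any eq smtp log",
    "access-list 100 permit ip 192.168.77.40 0.0.0.255 any",
]
```

With constructed addresses, evaluate(SDM_ACL, "tcp", "192.168.77.50", "203.0.113.10", 25) returns ("permit", 2) because the "permit ip any any" entry matches before the SMTP entry is ever reached, while the same call against FIXED_ACL returns ("deny", 2) and only the Exchange host 192.168.77.40 gets ("permit", 1).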

New Member

Re: Block outbound port 25

Thank you very much Jon, that got me on the right track. The "permit ip any any" was there from the original configuration.

Everything is working as intended - I greatly appreciate your help!
