Cisco Support Community
New Member

Denying SMTP Connections

Hi,

I have a server on my network which is advertised to the internet. I have been seeing SMTP connections from the internet address space to this server. If I want to deny SMTP connections to the server, can I do the following?

ip access 133 remark block smtp connections

access-list 133 deny any <host IP> eq smtp?

Would this block the connections? Do I have to apply this to the Interface(s) that connect to my ISP?

Thanks to Satish, I now know how to debug the source addresses from the access-list.

Thanks for help.

I do have a PIX firewall at the ISP that provides our primary internet connection and would prefer to stop it there, but I am still new to the PIX configuration and would rather, for now, block it at the router entry points to my network.

Any help would do.

Thanks

Brad


3 REPLIES

Re: Denying SMTP Connections

Your approach is correct but your syntax is slightly off. Also, remember there's an implicit deny at the end of any ACL and hence, add an ACE to allow all other IP traffic after the deny statement. Apply the ACL inbound on the interface that connects to the Internet. You need an ACL similar to this one:

access-list 133 deny tcp any host <host IP> eq smtp

access-list 133 permit ip any any

HTH

Sundar

New Member

Re: Denying SMTP Connections

Thanks Sundar,

Do I apply it as an

ip access-group 101 in

ip access-group 101 out

?

This won't break anything else?

Re: Denying SMTP Connections (Accepted Solution)

You would need to apply it only inbound on the interface as the traffic is coming from outside --> inside only. However, if you want to block outbound SMTP as well then the ACE needs to be reversed.

access-list 132 deny tcp host <host IP> eq smtp any

access-list 132 permit ip any any

The 'in' and 'out' keywords used with 'ip access-group' are viewed from the standpoint of the router itself. Hence, 'in' means traffic coming into the interface and 'out' means traffic leaving the interface. Use a different ACL #, though not necessary, for inbound and outbound filtering.

HTH

Sundar
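An added example, not code from this thread or from Cisco: a small first-match evaluator for IOS numbered extended ACEs, run over constructed packets so the behaviour of the ACLs above can be checked offline. It assumes only the address forms used in the thread (any, host, address plus wildcard) and the eq port operator; 203.0.113.10 and the 198.51.100.x addresses are constructed documentation-range values, with 203.0.113.10 standing in for the thread's <host IP>. It covers Sundar's inbound ACL, the deny-only version from the question (which hits the implicit deny), and the reversed ACE for outbound filtering in both its source-port and destination-port forms.

```python
"""Added example (not from the thread or from Cisco): first-match evaluation
of Cisco IOS numbered extended ACLs over constructed sample packets."""
import ipaddress
from dataclasses import dataclass

PORT_NAMES = {"smtp": 25, "www": 80, "domain": 53}  # IOS port keywords used here


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


def _addr_spec(tokens):
    """Pop one address spec and return (base, wildcard) as ints.
    IOS forms: 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' (wildcard 1-bits = don't care)."""
    t = tokens.pop(0)
    if t == "any":
        return 0, 0xFFFFFFFF
    if t == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(t)), int(ipaddress.IPv4Address(tokens.pop(0)))


def _port_spec(tokens):
    """Pop an optional 'eq PORT' qualifier; None means any port."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        p = tokens.pop(0)
        return PORT_NAMES[p] if p in PORT_NAMES else int(p)
    return None


def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC [eq P] DST [eq P]'. Remarks -> None."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "access-list" or tokens[2] == "remark":
        return None
    action, proto, rest = tokens[2], tokens[3], tokens[4:]
    src = _addr_spec(rest)
    sport = _port_spec(rest)      # a port right after the source is a SOURCE port
    dst = _addr_spec(rest)
    dport = _port_spec(rest)      # a port after the destination is a DESTINATION port
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport}


def _addr_match(spec, ip):
    base, wild = spec
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (base & care)


def _port_match(spec, port):
    return spec is None or spec == port


def ace_matches(ace, pkt):
    return ((ace["proto"] == "ip" or ace["proto"] == pkt.proto)
            and _addr_match(ace["src"], pkt.src) and _addr_match(ace["dst"], pkt.dst)
            and _port_match(ace["sport"], pkt.sport) and _port_match(ace["dport"], pkt.dport))


def evaluate(acl_lines, pkt):
    """First matching ACE wins; falling off the end is the implicit deny."""
    for line in acl_lines:
        ace = parse_ace(line)
        if ace is not None and ace_matches(ace, pkt):
            return ace["action"]
    return "deny"


SERVER = "203.0.113.10"   # constructed stand-in for the thread's <host IP>

# Deny with no trailing permit, as in the question: everything else hits the implicit deny.
DENY_ONLY = ["access-list 133 remark block smtp connections",
             f"access-list 133 deny tcp any host {SERVER} eq smtp"]
# Sundar's inbound ACL, for 'ip access-group 133 in' on the ISP-facing interface.
INBOUND = DENY_ONLY + ["access-list 133 permit ip any any"]
# The reversed ACE from the accepted answer, for 'ip access-group 132 out' on that interface.
OUTBOUND_SRC_PORT = [f"access-list 132 deny tcp host {SERVER} eq smtp any",
                     "access-list 132 permit ip any any"]
# Destination-port variant: matches connections the server itself opens to port 25.
OUTBOUND_DST_PORT = [f"access-list 132 deny tcp host {SERVER} any eq smtp",
                     "access-list 132 permit ip any any"]


def demo():
    """Evaluate constructed packets against each ACL and return the verdicts."""
    inbound_smtp = Packet("tcp", "198.51.100.7", SERVER, sport=51000, dport=25)
    inbound_web = Packet("tcp", "198.51.100.7", SERVER, sport=51001, dport=80)
    smtp_reply = Packet("tcp", SERVER, "198.51.100.7", sport=25, dport=51000)
    server_sends = Packet("tcp", SERVER, "198.51.100.9", sport=40000, dport=25)
    return {
        "deny_only_web": evaluate(DENY_ONLY, inbound_web),                        # deny
        "inbound_smtp": evaluate(INBOUND, inbound_smtp),                          # deny
        "inbound_web": evaluate(INBOUND, inbound_web),                            # permit
        "srcport_acl_reply": evaluate(OUTBOUND_SRC_PORT, smtp_reply),             # deny
        "srcport_acl_server_sends": evaluate(OUTBOUND_SRC_PORT, server_sends),    # permit
        "dstport_acl_server_sends": evaluate(OUTBOUND_DST_PORT, server_sends),    # deny
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:26s} {verdict}")
```

Two things the run makes visible. First, the deny-only ACL drops the web packet too, which is the "won't this break anything else?" concern: without the trailing permit ip any any, the implicit deny catches all other traffic entering that interface. Second, a port written directly after the source address is a source-port match, so host <host IP> eq smtp any matches packets leaving the server from port 25 (its replies inside inbound SMTP sessions), while a connection the server itself opens to a remote mail server carries port 25 as the destination and is matched by the host <host IP> any eq smtp form; check which of the two you mean before applying the outbound ACL.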
