10-16-2013 04:55 AM - edited 03-11-2019 07:52 PM
Hi,
I'm new to Cisco.
I have:
object-group network smtp
host 192.168.11.13
this is mail server
and
object-group network no_smtp
no group-object smtp
or no host 192.168.11.13
but it is not working:
object-group network no_smtp
!
object-group network smtp
host 192.168.11.13
!
How can I make an access list to deny all except the mail server 192.168.11.13 on destination port 25?
Thank you.
10-16-2013 05:57 AM
Hi,
So you want to deny access to all machines except 192.168.11.13 port 25?
Is this a router or a firewall? Can you provide your running config?
Regards
Alain
Don't forget to rate helpful posts.
10-16-2013 08:37 AM
Hi,
I guess this is the classic example when you need to block internal machines to send spam out if they get infected by a virus or trojan. If this is not in place your external IP can be blacklisted.
If my guess is correct you have to do something like this:
access-list INSIDE_IN extended permit tcp host 192.168.11.13 any eq 25
access-list INSIDE_IN extended deny tcp any any eq 25
access-list INSIDE_IN extended permit ip any any
If you want to use groups you can do the following:
object-group service SMTP_PORT
service-object tcp eq smtp
object-group network SMTP_SERVER
network-object host 192.168.11.13
access-list INSIDE_IN extended permit object-group SMTP_PORT object-group SMTP_SERVER any
access-list INSIDE_IN extended deny object-group SMTP_PORT any any
access-list INSIDE_IN extended permit ip any any
Order is the key thing here!
Regards
Mariusz
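The "order is the key thing" point, as an added example that is not part of the thread: a small first-match evaluator for the IOS numbered-ACL syntax used above. It parses the three-line ACL the original poster ended up with, evaluates a few sample flows (constructed addresses), and shows that swapping the permit and deny lines blocks the mail server too. Only the subset of syntax seen on this page (any, host, address + wildcard, eq on the destination port) is handled.

```python
import ipaddress

PORT_NAMES = {"smtp": 25, "www": 80, "domain": 53}  # port keywords IOS prints in ACLs


def _addr(tokens):
    """Consume one IOS address spec (any | host A | A WILDCARD) and return a network."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wild = int(ipaddress.IPv4Address(tokens.pop(0)))
    mask = ipaddress.IPv4Address((~wild) & 0xFFFFFFFF)   # wildcard -> netmask
    return ipaddress.ip_network(f"{t}/{mask}", strict=False)  # contiguous wildcards only


def parse_acl(lines):
    """Parse 'access-list N action proto src dst [eq port]' lines into ordered entries."""
    entries = []
    for line in lines:
        tok = line.split()
        if tok[:1] != ["access-list"]:
            continue                      # skip blanks and other config lines
        _, _num, action, proto = tok[:4]
        rest = tok[4:]
        src, dst = _addr(rest), _addr(rest)
        dport = None
        if rest[:1] == ["eq"]:
            dport = PORT_NAMES.get(rest[1]) or int(rest[1])
        entries.append((action, proto, src, dst, dport))
    return entries


def evaluate(acl, src, dst, proto="tcp", dport=None):
    """Return the action of the first matching entry; no match hits the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, sn, dn, dp in acl:
        if p != "ip" and p != proto:
            continue
        if s not in sn or d not in dn:
            continue
        if dp is not None and dp != dport:
            continue
        return action
    return "deny"


ACL_102 = [  # ACL 102 from the thread, applied inbound on the mail-server VLAN
    "access-list 102 permit tcp host 192.168.11.13 any eq smtp",
    "access-list 102 deny tcp any any eq smtp",
    "access-list 102 permit ip any any",
]


def check_order(lines):
    """Evaluate three constructed flows toward an external host (203.0.113.5)."""
    acl = parse_acl(lines)
    return {
        "mail_server_smtp": evaluate(acl, "192.168.11.13", "203.0.113.5", dport=25),
        "other_host_smtp": evaluate(acl, "192.168.11.50", "203.0.113.5", dport=25),
        "other_host_https": evaluate(acl, "192.168.11.50", "203.0.113.5", dport=443),
    }
```

Running check_order on ACL_102 permits only the mail server's SMTP; moving the deny line above the permit line denies the mail server as well, which is exactly the ordering mistake the reply warns about.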
10-16-2013 03:27 PM
Thank you for fast reply.
It is working now. Do you have any suggestions? My running config:
show run
Building configuration...
Current configuration : 3204 bytes
!
version 15.1
service config
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
dot11 syslog
ip source-route
!
!
!
!
!
ip cef
ip domain name ...
ip name-server ...
no ipv6 cef
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
!
!
!
!
redundancy
!
!
ip ssh time-out 60
ip ssh version 2
!
!
!
!
!
!
!
interface FastEthernet0/0
description wan
ip address (wan IP) 255.252.0.0
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface FastEthernet0/1
description INSIDE_LAN
no ip address
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
no mop enabled
!
interface FastEthernet0/1.1
description VLAN1
encapsulation dot1Q 1 native
ip address 192.168.10.3 255.255.255.0
ip access-group 101 in
ip nat inside
ip virtual-reassembly in
!
interface FastEthernet0/1.2
description VLAN2
encapsulation dot1Q 2
ip address 192.168.11.2 255.255.255.0
ip access-group 102 in
ip nat inside
ip virtual-reassembly in
!
interface FastEthernet0/1.3
description VLAN3
encapsulation dot1Q 3
ip address 192.168.12.3 255.255.255.0
ip access-group 103 in
ip nat inside
ip virtual-reassembly in
!
ip default-gateway (...wan GW...)
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 100 interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.11.13 80 interface FastEthernet0/0 80
ip nat inside source static tcp 192.168.11.13 25 interface FastEthernet0/0 25
ip nat inside source static tcp 192.168.11.13 587 interface FastEthernet0/0 587
ip nat inside source static tcp 192.168.11.13 993 interface FastEthernet0/0 993
ip default-network 192.168.11.0
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0 permanent
ip route 172.20.96.132 255.255.255.255 192.168.11.3
ip route 172.20.100.132 255.255.255.255 192.168.11.3
!
logging esm config
access-list 1 permit 192.168.11.0 0.0.0.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
access-list 100 permit ip 192.168.11.0 0.0.0.255 any
access-list 100 permit ip 192.168.12.0 0.0.0.255 any
access-list 101 permit tcp any host 192.168.11.13 eq smtp
access-list 101 deny tcp any any eq smtp
access-list 101 permit ip any any
access-list 102 permit tcp host 192.168.11.13 any eq smtp
access-list 102 deny tcp any any eq smtp
access-list 102 permit ip any any
access-list 103 permit tcp any host 192.168.11.13 eq smtp
access-list 103 deny tcp any any eq smtp
access-list 103 permit ip any any
!
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
access-class 1 in
exec-timeout 20 0
password ...
login local
transport input ssh
!
scheduler allocate 20000 1000
end