07-18-2013 08:36 AM - edited 03-11-2019 07:14 PM
This is probably an easy question for most.
It seems that my Exchange server or a client on my network has been compromised, and my Exchange server or an Outlook client is being used to send spam. Our IP has landed on a couple of blacklists. In an attempt to block these clients I want to create a rule to block outbound traffic on port 25 except from the Exchange server. My Exchange server's IP is 192.168.7.200; what commands do I need to apply to this config to achieve this?
Thanks in advance.
Current configuration : 11313 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname router
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 4096
logging console critical
enable secret 5
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login vpnclient local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authentication login userauth local
aaa authorization exec default local
aaa authorization network localgroups local
aaa authorization network vpnclient-group local
!
!
aaa session-id common
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-*****
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-********
revocation-check none
rsakeypair TP-self-sig-********
!
!
crypto pki certificate chain TP-self-signed-********
certificate self-signed 01
quit
dot11 syslog
no ip source-route
!
!
no ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.7.1
!
ip dhcp pool ccp-pool1
import all
network 192.168.7.0 255.255.255.0
dns-server 192.168.7.244
default-router 192.168.7.1
!
!
no ip bootp server
ip name-server 192.168.7.197
ip name-server 68.237.161.12
ip inspect log drop-pkt
!
multilink bundle-name authenticated
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
!
!
!
username ***************
username vpnclient password **************
!
crypto keyring dmvpnspokes
pre-shared-key address 0.0.0.0 0.0.0.0 key **********
!
crypto isakmp policy 5
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp client configuration group remoteusers
key remoteusers
dns 192.168.7.197
pool vpnpool
!
crypto isakmp client configuration group vpnclient-group
key cisco123
dns 192.168.7.197
pool vpnclientpool
acl 132
crypto isakmp profile vpnclient-profile
match identity group vpnclient-group
client authentication list userauth
isakmp authorization list vpnclient-group
client configuration address respond
crypto isakmp profile DMVPN
keyring dmvpnspokes
match identity address 0.0.0.0
!
!
crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac
crypto ipsec transform-set l2tpset esp-3des esp-md5-hmac
mode transport
crypto ipsec df-bit clear
!
crypto ipsec profile myprofile
set transform-set 3des-sha
set isakmp-profile DMVPN
!
!
crypto dynamic-map dynmap 10
set transform-set 3des-sha
set isakmp-profile vpnclient-profile
!
!
crypto map mymap 50 ipsec-isakmp dynamic dynmap
!
archive
log config
hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect match-all TEST
match access-group 110
class-map type inspect match-any ccp-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class class-default
policy-map type inspect ccp-permit
class type inspect TEST
inspect
class class-default
!
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
!
!
!
interface Tunnel0
bandwidth 1000
ip address 10.10.5.1 255.255.255.0
no ip redirects
ip mtu 1460
ip nhrp authentication cisco123
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip nhrp holdtime 600
ip tcp adjust-mss 1400
ip ospf network broadcast
ip ospf priority 2
ip ospf mtu-ignore
delay 1000
tunnel source FastEthernet0
tunnel mode gre multipoint
tunnel protection ipsec profile myprofile
!
interface BRI0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation hdlc
ip route-cache flow
shutdown
!
interface FastEthernet0
description $ES_WAN$$FW_OUTSIDE$
ip address x.x.x.x 255.255.255.0
no ip proxy-arp
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
crypto map mymap
!
interface FastEthernet1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
shutdown
duplex auto
speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Virtual-Template1
ip unnumbered FastEthernet0
peer default ip address pool pptp-pool
no keepalive
ppp encrypt mppe auto
ppp authentication pap chap ms-chap
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$ES_LAN$$FW_INSIDE$
ip address 192.168.7.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1360
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1200
ip policy route-map clear-df
!
router ospf 10
log-adjacency-changes
network 10.10.5.0 0.0.0.255 area 0
network 192.168.7.0 0.0.0.255 area 0
!
ip local pool vpnpool 192.168.200.1 192.168.200.254
ip local pool vpnclientpool 192.168.8.160 192.168.8.200
ip local pool pptp-pool 192.168.9.160 192.168.9.200
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 x.x.x.x
!
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 194 interface FastEthernet0 overload
ip nat inside source static tcp 192.168.7.200 25 interface FastEthernet0 25
ip nat inside source static tcp 192.168.7.200 443 interface FastEthernet0 443
ip nat inside source static udp 192.168.7.200 443 interface FastEthernet0 443
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.7.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 96.246.158.0 0.0.0.255 any
access-list 110 permit ip any host 96.246.158.15
access-list 132 permit ip 192.168.7.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 194 deny ip 192.168.7.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 194 permit ip 192.168.7.0 0.0.0.255 any
access-list 199 permit ip host 192.168.7.197 192.168.9.0 0.0.0.255
access-list 199 permit ip host 192.168.7.197 192.168.6.0 0.0.0.255
access-list 199 permit ip host 192.168.7.97 192.168.11.0 0.0.0.255
access-list 199 permit ip host 192.168.7.197 192.168.201.0 0.0.0.255
access-list 199 permit ip host 192.168.7.197 192.168.12.0 0.0.0.255
no cdp run
!
!
!
route-map clear-df permit 10
match ip address 199
set ip df 0
!
!
!
!
control-plane
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username <myuser> privilege 15 secret 0 <mypassword>
Replace <myuser> and <mypassword> with the username and password you want to
use.
-----------------------------------------------------------------------
^C
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
transport output telnet
line aux 0
transport output telnet
line vty 0 4
exec-timeout 0 0
privilege level 15
transport input telnet ssh
line vty 5 7
privilege level 15
transport input telnet ssh
line vty 8 15
transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
!
webvpn gateway gateway_1
ip address x.x.x.x port 8443
http-redirect port 80
ssl trustpoint TP-self-signed-4273367397
inservice
!
webvpn context RemoteSSL
secondary-color white
title-color #CCCC66
text-color black
ssl authenticate verify all
!
!
policy group policy_1
default-group-policy policy_1
aaa authentication list ciscocp_vpn_xauth_ml_1
gateway gateway_1
inservice
!
end
07-18-2013 09:17 AM
Hi,
Looks like your Exchange server is in Vlan1. Try this ACL (during a maintenance window).
---------------------------------------------------------------------
!
access-list 102 permit tcp host 192.168.7.200 any eq smtp
access-list 102 deny tcp any any eq smtp
access-list 102 permit ip any any
!
interface Vlan1
ip access-group 102 in
!
This will allow 192.168.7.200 to make any port 25 (SMTP) connections to the outside, while denying them from the rest of the IPs. As you want the rest of the traffic to go through, you need 'permit ip any any' at the end.
---------------------------------------------------------------------------------------------------
hth
MS
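To see why the ordering of the three lines in the reply matters, here is an added Python model of IOS ACL evaluation (first match wins, implicit deny at the end) run over constructed sample flows; it is not code from the original thread, and the outside addresses are documentation-range placeholders. It also shows what happens when the final permit is left off, which the reply only states in words.

```python
import ipaddress

# Constructed model of access-list 102 from the reply: (action, protocol,
# source, destination, destination port). IOS evaluates top-down, first
# match wins, and anything that matches no entry hits the implicit deny.
ACL_102 = [
    ("permit", "tcp", "192.168.7.200/32", "0.0.0.0/0", 25),
    ("deny",   "tcp", "0.0.0.0/0",        "0.0.0.0/0", 25),
    ("permit", "ip",  "0.0.0.0/0",        "0.0.0.0/0", None),
]

def acl_action(acl, proto, src, dst, dport):
    """Return the action of the first matching entry, or the implicit deny."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, a_proto, a_src, a_dst, a_port in acl:
        if a_proto != "ip" and a_proto != proto:
            continue
        if src_ip not in ipaddress.ip_network(a_src):
            continue
        if dst_ip not in ipaddress.ip_network(a_dst):
            continue
        if a_port is not None and a_port != dport:
            continue
        return action
    return "deny"  # implicit deny at the end of every IOS ACL

# Constructed flows as they would arrive inbound on Vlan1 (pre-NAT, so the
# private source addresses are what the ACL sees).
SAMPLE_FLOWS = [
    ("tcp", "192.168.7.200", "203.0.113.25", 25),   # Exchange -> remote MX
    ("tcp", "192.168.7.55",  "203.0.113.25", 25),   # other LAN host -> MX
    ("tcp", "192.168.7.55",  "203.0.113.80", 443),  # LAN host HTTPS
    ("udp", "192.168.7.55",  "192.168.7.197", 53),  # LAN host DNS
]

def evaluate(acl=ACL_102, flows=SAMPLE_FLOWS):
    """Verdict for each sample flow under the given ACL."""
    return [acl_action(acl, *flow) for flow in flows]

def without_final_permit():
    """Same flows with 'permit ip any any' omitted: every non-SMTP flow,
    including DNS and HTTPS from ordinary clients, falls to the implicit deny."""
    return evaluate(ACL_102[:2])

if __name__ == "__main__":
    for flow, verdict in zip(SAMPLE_FLOWS, evaluate()):
        print(f"{flow}: {verdict}")
```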