Block specific Public IP Accessing My Network

ggovotsis
Level 1

Dear All,

I have in place the following configuration, where A.B.C.D is my WAN and A.B.C.E my gateway:

interface Vlan1
 description *** LAN interface ***
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan20
 ip address A.B.C.D 255.255.255.248
 ip access-group LONHB_INFILTER in
 ip access-group LONHB_OUTFILTER out
 ip nat outside
 ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 A.B.C.E
no ip http server
no ip http secure-server
!
!
ip nat inside source static tcp 192.168.10.5 25 interface Vlan20 25
ip nat inside source static tcp 192.168.10.5 143 interface Vlan20 143
ip nat inside source static udp 192.168.10.5 53 interface Vlan20 53
ip nat inside source static tcp 192.168.10.5 993 interface Vlan20 993
ip nat inside source static tcp 192.168.10.5 80 interface Vlan20 80
ip nat inside source static tcp 192.168.10.5 443 interface Vlan20 443
ip nat inside source static tcp 192.168.10.5 587 interface Vlan20 587
ip nat inside source static tcp 192.168.10.5 465 interface Vlan20 465
ip nat inside source static tcp 192.168.10.5 32400 interface Vlan20 32400
ip nat inside source static udp 192.168.10.5 500 interface Vlan20 500
ip nat inside source static udp 192.168.10.5 1701 interface Vlan20 1701
ip nat inside source static udp 192.168.10.5 4500 interface Vlan20 4500
ip nat inside source static tcp 192.168.10.5 1723 interface Vlan20 1723
ip nat inside source route-map rmapbypassnat interface Vlan20 overload
!
ip access-list extended LONHB_INFILTER
 remark <<<<< Permit Web all to Web Server >>>>>
 permit tcp any host A.B.C.D eq www
 permit tcp any host A.B.C.D eq 443
 remark <<<<< Permit any server to send DHCP replies >>>>>
 permit udp any any eq bootpc
 remark <<<<< Permit NTP to sync times >>>>>
 permit udp any any eq ntp
 remark <<<<< Permit SMTP all to Mail Server >>>>>
 permit tcp any host A.B.C.D eq smtp
 permit tcp any host A.B.C.D eq 465
 permit tcp any host A.B.C.D eq 587
 remark <<<<< Permit IMAP all to Mail Server >>>>>
 permit tcp any host A.B.C.D eq 143
 permit tcp any host A.B.C.D eq 993
 remark <<<<< Allow DNS to query >>>>>
 permit udp any host A.B.C.D eq domain
 remark <<<<< Permit all to SSH to router >>>>>
 permit tcp any host A.B.C.D eq 22
 remark <<<<< Permit Plex Media Server >>>>>
 permit tcp any host A.B.C.D eq 32400
 remark <<<<< VPN Services >>>>>
 permit udp any host A.B.C.D eq isakmp
 permit udp any host A.B.C.D eq 1701
 permit udp any host A.B.C.D eq non500-isakmp
 permit tcp any host A.B.C.D eq 1723
 remark <<<<< Permit administrative ping access >>>>>
 permit icmp any any administratively-prohibited
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any packet-too-big
 permit icmp any any time-exceeded
 permit icmp any any traceroute
 permit icmp any any unreachable
 remark <<<<< Permit established traffic >>>>>
 evaluate ESTABLISHED_TRAFFIC
 deny   ip host 88.26.204.91 host A.B.C.D
ip access-list extended LONHB_OUTFILTER
 remark <<<<< ALL traffic must originate from LAN >>>>>
 permit ip any any reflect ESTABLISHED_TRAFFIC timeout 300
!
access-list 105 deny   ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 105 permit ip 192.168.10.0 0.0.0.255 any
!
!
!
!
route-map rmapbypassnat permit 5
 match ip address 105

The last entry on my ip access-list extended LONHB_INFILTER is

deny   ip host 88.26.204.91 host A.B.C.D

where IP 88.26.204.91 is constantly trying to get access to my mail server.

SMTP log from my server:

Jul 9 20:20:39 ***********.com postfix/smtpd[1093]: error: get user record: unable to open user record for user=josh
Jul 9 20:20:39 ***********.com postfix/smtpd[1093]: error: verify password: unable to lookup user record for: user=josh
Jul 9 20:20:39 ***********.com postfix/smtpd[1093]: error: authentication failed
Jul 9 20:20:39 ***********.com postfix/smtpd[1093]: warning: 91.red-88-26-204.staticip.rima-tde.net[88.26.204.91]: SASL Login authentication failed

How can I totally block the 88.26.204.91 IP from passing through to my network?

Kind Regards,

George Govotsis

Accepted Solution

Dennis Mink
VIP Alumni

Just add a deny ip host x.y.x.x to LONHB_INFILTER in. Make sure you add it at the very top of your ACL, and call it something like "blacklist".

Please remember to rate useful posts, by clicking on the stars below.


Dear Dennis, I would like to thank you for your reply. I didn't know that it had to be at the top of the ACL to take effect. With your input I created a huge blacklist and the traffic to our network has been reduced dramatically. Kind Regards, George Govotsis

Consider using an object group in your ACL rather than individual items; otherwise it will become a beast of a thing.

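Why the deny at the bottom of LONHB_INFILTER never fired for SMTP, as an added example that is not code from the thread: a minimal first-match model of a subset of that ACL. The address 203.0.113.10 is a constructed stand-in for A.B.C.D, 198.51.100.7 is a constructed ordinary client, the BLACKLIST set plays the role of the suggested object group, and the reflexive, UDP and ICMP entries are left out.

```python
WAN = "203.0.113.10"            # constructed stand-in for A.B.C.D
BLACKLIST = {"88.26.204.91"}    # stands in for an object group of blocked hosts

def rule(action, proto, src, dst, port=None):
    """One ACL entry; src/dst is 'any', a host address, or a set of hosts."""
    return {"action": action, "proto": proto, "src": src, "dst": dst, "port": port}

def addr_matches(spec, addr):
    if spec == "any":
        return True
    if isinstance(spec, set):
        return addr in spec
    return spec == addr

def evaluate(acl, proto, src, dst, port):
    """Return (action, index) of the FIRST matching entry, top to bottom."""
    for index, r in enumerate(acl):
        if (r["proto"] in ("ip", proto)
                and addr_matches(r["src"], src)
                and addr_matches(r["dst"], dst)
                and r["port"] in (None, port)):
            return r["action"], index
    return "deny", None          # implicit deny at the end of every ACL

# Subset of the TCP permits in LONHB_INFILTER, in the order posted.
PERMITS = [rule("permit", "tcp", "any", WAN, p)
           for p in (80, 443, 25, 465, 587, 143, 993)]

# As posted: the host deny sits after the permits.
AS_POSTED = PERMITS + [rule("deny", "ip", "88.26.204.91", WAN)]
# As advised: the deny (here against the whole group) is the first entry.
FIXED = [rule("deny", "ip", BLACKLIST, "any")] + PERMITS

if __name__ == "__main__":
    for name, acl in (("as posted", AS_POSTED), ("fixed", FIXED)):
        for src in ("88.26.204.91", "198.51.100.7"):
            print(name, src, "tcp/25 ->", evaluate(acl, "tcp", src, WAN, 25))
```

In the posted order the SMTP permit matches the blocked host before the deny is reached, so the deny only ever applies to ports that no earlier permit covers.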