07-09-2018 12:29 PM - edited 02-21-2020 07:57 AM
Dear All,
I have in place the following configuration where A.B.C.D is my WAN and A.B.C.E my gateway:
interface Vlan1
description *** LAN interface ***
ip address 192.168.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Vlan20
ip address A.B.C.D 255.255.255.248
ip access-group LONHB_INFILTER in
ip access-group LONHB_OUTFILTER out
ip nat outside
ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 A.B.C.E
no ip http server
no ip http secure-server
!
!
ip nat inside source static tcp 192.168.10.5 25 interface Vlan20 25
ip nat inside source static tcp 192.168.10.5 143 interface Vlan20 143
ip nat inside source static udp 192.168.10.5 53 interface Vlan20 53
ip nat inside source static tcp 192.168.10.5 993 interface Vlan20 993
ip nat inside source static tcp 192.168.10.5 80 interface Vlan20 80
ip nat inside source static tcp 192.168.10.5 443 interface Vlan20 443
ip nat inside source static tcp 192.168.10.5 587 interface Vlan20 587
ip nat inside source static tcp 192.168.10.5 465 interface Vlan20 465
ip nat inside source static tcp 192.168.10.5 32400 interface Vlan20 32400
ip nat inside source static udp 192.168.10.5 500 interface Vlan20 500
ip nat inside source static udp 192.168.10.5 1701 interface Vlan20 1701
ip nat inside source static udp 192.168.10.5 4500 interface Vlan20 4500
ip nat inside source static tcp 192.168.10.5 1723 interface Vlan20 1723
ip nat inside source route-map rmapbypassnat interface Vlan20 overload
!
ip access-list extended LONHB_INFILTER
remark <<<<< Permit Web all to Web Server >>>>>
permit tcp any host A.B.C.D eq www
permit tcp any host A.B.C.D eq 443
remark <<<<< Permit any server to send DHCP replies >>>>>
permit udp any any eq bootpc
remark <<<<< Permit NTP to sync times >>>>>
permit udp any any eq ntp
remark <<<<< Permit SMTP all to Mail Server >>>>>
permit tcp any host A.B.C.D eq smtp
permit tcp any host A.B.C.D eq 465
permit tcp any host A.B.C.D eq 587
remark <<<<< Permit IMAP all to Mail Server >>>>>
permit tcp any host A.B.C.D eq 143
permit tcp any host A.B.C.D eq 993
remark <<<<< Allow DNS to query >>>>>
permit udp any host A.B.C.D eq domain
remark <<<<< Permit all to SSH to router >>>>>
permit tcp any host A.B.C.D eq 22
remark <<<<< Permit Plex Media Server >>>>>
permit tcp any host A.B.C.D eq 32400
remark <<<<< VPN Services >>>>>
permit udp any host A.B.C.D eq isakmp
permit udp any host A.B.C.D eq 1701
permit udp any host A.B.C.D eq non500-isakmp
permit tcp any host A.B.C.D eq 1723
remark <<<<< Permit administrative ping access >>>>>
permit icmp any any administratively-prohibited
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any packet-too-big
permit icmp any any time-exceeded
permit icmp any any traceroute
permit icmp any any unreachable
remark <<<<< Permit established traffic >>>>>
evaluate ESTABLISHED_TRAFFIC
deny ip host 88.26.204.91 host A.B.C.D
ip access-list extended LONHB_OUTFILTER
remark <<<<< ALL traffic must originate from LAN >>>>>
permit ip any any reflect ESTABLISHED_TRAFFIC timeout 300
!
access-list 105 deny ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 105 permit ip 192.168.10.0 0.0.0.255 any
!
!
!
!
route-map rmapbypassnat permit 5
match ip address 105
The last entry on my ip access-list extended LONHB_INFILTER is
deny ip host 88.26.204.91 host A.B.C.D
where IP 88.26.204.91 is constantly trying to get access to my mail server.
SMTP log from my Server:
Jul 9 20:20:39 ***********.com postfix/smtpd[1093]: error: get user record: unable to open user record for user=josh
Jul 9 20:20:39 ***********.com postfix/smtpd[1093]: error: verify password: unable to lookup user record for: user=josh
Jul 9 20:20:39 ***********.com postfix/smtpd[1093]: error: authentication failed
Jul 9 20:20:39 ***********.com postfix/smtpd[1093]: warning: 91.red-88-26-204.staticip.rima-tde.net[88.26.204.91]: SASL Login authentication failed
How can I totally block the 88.26.204.91 IP from passing through to my network?
Kind Regards,
George Govotsis
07-09-2018 03:44 PM
Just add a deny ip host x.y.x.x to LONHB_INFILTER in; make sure you add it at the very top of your ACL, and call it something like "blacklist".
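Why the deny line at the bottom of LONHB_INFILTER never fires, as an added example that is not part of this thread or of Cisco IOS: a small Python model of IOS first-match ACL evaluation, run over the two relevant entries in the poster's order and in the order the answer suggests. The 198.51.100.7 client address is a constructed sample.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Packet:
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None

@dataclass(frozen=True)
class Ace:
    """One access-list entry; 'ip' matches any protocol, None matches any port."""
    action: str             # "permit" or "deny"
    proto: str
    src: str                # "any" or a single host address
    dst: str
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("ip", p.proto)
                and self.src in ("any", p.src)
                and self.dst in ("any", p.dst)
                and self.dport in (None, p.dport))

def evaluate(acl: List[Ace], p: Packet) -> str:
    """IOS semantics: the first matching entry wins, implicit deny at the end."""
    for ace in acl:
        if ace.matches(p):
            return ace.action
    return "deny"

WAN = "A.B.C.D"                  # poster's placeholder for the WAN address
BAD_HOST = "88.26.204.91"        # source seen in the poster's postfix log
PERMIT_SMTP = Ace("permit", "tcp", "any", WAN, 25)   # "permit tcp any host A.B.C.D eq smtp"
BLACKLIST = Ace("deny", "ip", BAD_HOST, WAN)        # "deny ip host 88.26.204.91 host A.B.C.D"

ORIGINAL_ACL = [PERMIT_SMTP, BLACKLIST]   # poster's order: deny appended last, never reached
FIXED_ACL = [BLACKLIST, PERMIT_SMTP]      # accepted answer: deny at the very top

def smtp_from(src: str, acl: List[Ace]) -> str:
    """Result for a TCP/25 connection from src to the WAN address."""
    return evaluate(acl, Packet("tcp", src, WAN, 25))

if __name__ == "__main__":
    print("original order:", smtp_from(BAD_HOST, ORIGINAL_ACL))      # permit
    print("deny on top:   ", smtp_from(BAD_HOST, FIXED_ACL))         # deny
    print("other client:  ", smtp_from("198.51.100.7", FIXED_ACL))   # permit (constructed address)
```

On a real IOS device a deny entered without a sequence number is appended after the existing permits, which is exactly the original order modelled here; give it a low sequence number to place it first.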
07-09-2018 09:53 PM
Consider using an object group in your ACL, rather than individual items; otherwise it will become a beast of a thing.