IOS FW: how to block port 25?

cluovpemb
Level 1

Typing sucks on the iPad; please forgive the short sentences.

I want to block all internal LAN systems from sending to port 25 outbound to the Internet, except the mail server, which is on the same LAN, 192.168.0.0/24. This is to prevent an unknown inside PC infected with a spambot from sending mail.

Have an 891W ISR, using ZBFW. The outside interface to the Internet is Gig0; the inside interface to the LAN is VLAN1, just a bridge group combining switch ports Fa0-7.

VLAN1 = inside zone, Gig0 = outside zone.
Two zone pairs: inside-outside and outside-inside.

Inside-outside has permit ip any any from an ACL, with no other match criteria. The policy map is set to inspect. I need to add the blocking to this zone pair, I assume in the same ACL?

The outside-inside zone pair probably doesn't impact this, but let me know if it does or should be mentioned here.

Thank you for your help.



7 Replies

Marvin Rhoads
Hall of Fame

Yes, just modify the ACL called out on inside-outside to add a line, preceding the permit any-any, telling it to deny any-any eq 25.

You may need to modify it to be an extended ACL vs. the current type (likely standard).

But to allow the mail server that's on that same LAN, would it be something like:

deny tcp any any eq 25
permit tcp host 192.168.0.123 any eq 25
permit ip any any

?
I should mention I am a bit new to ZBFW, so I am not sure how the sequence of these lines works, except that there is an implicit deny-all for this inside-outside pair at the end of the ACL (I think).

Thank you again!

Oh, also: yes, it is an extended (named) ACL already.

Oh yes, sorry, I neglected to mention the legitimate mail server. The line for that needs to go first. An access-list works on a first-match basis: once a match is made, that ACL is not parsed further for a given flow.

And yes, there is an implicit "deny any". Some people like to make it explicit to see hits but since you are preceding it with a "permit any" it should never get a hit.
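An added worked example, not taken from the original thread or posted by its participants, of how the pieces described above fit together in ZBFW: the ACL with the mail-server permit ahead of the SMTP deny, plus a separate inspect class that catches SMTP from every other inside host and drops it with logging, so the source address of an infected PC shows up in syslog. The mail server address 192.168.0.123, the ACL name INSIDE-OUTSIDE, the zone names inside/outside and the zone-pair name inside-outside are taken from the thread; the names SMTP-FROM-NON-MAILSERVER, CM-SMTP-BLOCK, CM-INSIDE-OUTSIDE and PM-INSIDE-OUTSIDE are assumed for illustration.

```ios
! --- Added example, not the poster's running config ---
! Classification ACL for "SMTP from anything except the mail server".
! In a class-map, a deny entry means "does not match this class", so the
! mail server is excluded here and falls through to the general class.
ip access-list extended SMTP-FROM-NON-MAILSERVER
 deny   tcp host 192.168.0.123 any eq smtp
 permit tcp any any eq smtp
!
! The general inside-to-outside ACL from the thread: mail server first,
! then the SMTP deny, then everything else. First match wins.
ip access-list extended INSIDE-OUTSIDE
 permit tcp host 192.168.0.123 any eq smtp
 deny   tcp any any eq smtp
 permit ip any any
!
class-map type inspect match-all CM-SMTP-BLOCK
 match access-group name SMTP-FROM-NON-MAILSERVER
!
class-map type inspect match-all CM-INSIDE-OUTSIDE
 match access-group name INSIDE-OUTSIDE
!
! Class order in the policy map is also first match: the SMTP block
! class must precede the general inspect class.
policy-map type inspect PM-INSIDE-OUTSIDE
 class type inspect CM-SMTP-BLOCK
  drop log
 class type inspect CM-INSIDE-OUTSIDE
  inspect
 class class-default
  drop
!
zone-pair security inside-outside source inside destination outside
 service-policy type inspect PM-INSIDE-OUTSIDE
!
! Keep the drop messages somewhere you can read them.
logging buffered 32000 informational
```

With `drop log` the router emits a %FW-6-DROP_PKT syslog for each blocked session, naming the source and destination addresses and the class that dropped it; `show policy-map type inspect zone-pair inside-outside` shows the per-class drop counters, and `show logging` shows the buffered messages. Leaving the `deny tcp any any eq smtp` entry only inside INSIDE-OUTSIDE, as the thread does, also blocks the traffic, because a flow that does not match any class lands in class-default and is dropped, but then there is no per-flow log line to identify the offending host; the dedicated class is what makes the spambot visible.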

OK, I will give that a try then. Actually, I'd like to log what I can so I catch the offending infected spambot PC on my network, but hits against deny-all I guess won't be the way; the explicit deny on 25 might be closer. I haven't actually learned logging yet :). Still a newbie here. But I know in theory how it should help here, though. I'll update the ACL now.


Alright, done. Here's the ACL:

Extended IP access list INSIDE-OUTSIDE
5 permit tcp host 192.168.0.123 any eq smtp
9 deny tcp any any eq smtp
10 permit ip any any (439 matches)

I used sh ip access-list for this output.

Using smtp instead of eq 25 should be OK, I think?


This router won't go live until the new ISP switchover and the DNS and MX record changes propagate in the next day, so I will test this tomorrow. Will post results here. Thanks again!

Looks like all went well with the ISP switchover, except two things which I'll work on myself. One, I can no longer RDP to the internal servers, yet if I modify the same NAT rules to point to a PC, for example, that works. From said PC, I can no longer RDP to the server. It's a server issue, yet it is extremely coincidental that after putting this router online this weekend, access to the server stops. There are no update cycles or other changes, and it was rebooted with no effect.

Anyway, I also still have to figure out how to log which system is a spambot (by logging who hits port 25).

OK, I figured out how to log the offending system, and also the lack of remote ability to the server is the server's fault in some way, nothing to do with the router at all.
