Restrict Outbound Port 25 to one IP only

conrad2467 · ‎10-19-2011

Hi,

I want to restrict outgoing smtp traffic to our mail server only.

Mail server: 192.168.1.13

Router: Cisco 857W

I have implemented the following access-list but other pc's can still telnet to mail servers via port 25. Where have i gone wrong?

RouterID#show access-list
Extended IP access list 100
    10 permit tcp host 192.168.1.13 any eq smtp
    20 deny tcp 192.168.1.0 0.0.0.255 any eq smtp log
    30 permit ip 192.168.1.0 0.0.0.255 any
Extended IP access list NAT
    10 permit ip any any

RouterID#

Thanks

Julio Carvajal · ‎10-19-2011

Hello Conrad,

With this configuration you should be able to access SMTP servers just from 192.168.1.13, if you

do a show access-list 100, how many hits do you see on line 2???

Can we see the access-group??

I will be waiting your answer,

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

conrad2467 · ‎10-19-2011

Julio,

I get the following if i do a show access-list 100. Im not sure what you mean by "how many hits..."

Extended IP access list 100
    10 permit tcp host 192.168.1.13 any eq smtp
    20 deny tcp 192.168.1.0 0.0.0.255 any eq smtp log
    30 permit ip 192.168.1.0 0.0.0.255 any

cadet alain · ‎10-20-2011

Hi,

you should do this:

access-list 100 permit tcp any host 192.168.1.13 eq smtp

access-list 100 deny tcp any any eq smtp

access-list 100 permit ip any 192.168.1.0 0.0.0.255

then apply this ACL inbound on the inside interface

Note: sh access-list will give inparentheses the number of packets that matched this ACL, these are hits but you've got none here because your ACL is incorrect and maybe not applied in the good direction on the interface.

Regards.

Alain.

Don't forget to rate helpful posts.

conrad2467 · ‎10-20-2011

Alain,

I have created the ACL as per your instruction. I have then applied the ACL to the BVI1 interface as follows.

RouterID(config)#interface BVI1
RouterID(config-if)#ip access-group 100 in

The instance i apply this acl, I lose connection to internet completely. Any ideas why this could be the case?

Thanks

cadet alain · ‎10-20-2011

Hi,

yep sorry then in this case do this:

ip access-list 100

no 30

30 permit ip any any

I'm sorry I didn't know to what interface you were going to bind it

Regards.

Alain.

Don't forget to rate helpful posts.

iazazkhan · ‎10-20-2011

Instead of this access-list 100 permit ip any 192.168.1.0 0.0.0.255 use this

access-list 100 permit ip 192.168.1.0 0.0.0.255 any apart from that the solution provided by the guy is ok

Sent from Cisco Technical Support iPhone App

conrad2467 · ‎10-20-2011

Everybody is in this discussion is partially correct. The final access-list which works is

access-list 100 permit tcp host 192.168.1.13 any eq smtp

access-list 100 deny tcp any any eq smtp

access-list 100 permit ip any any

then on the BVI1 interface

ip access-group 100 in

So Cadet Alain, your first line needed to have the any part after the IP. Otherwise nothing could sent out tcp traffic via smtp. Iazaz and Cadet, both your suggestions work fine for the third line.

Thanks everybody for their help. Glad to have knocked this one on the head. Can breath a bit easier about the possibility of being blacklisted again.

cadet alain · ‎10-21-2011

Hi Conrad,

I want to restrict outgoing smtp traffic to our mail server only.

You're right I had not well read your need, I thought it was only permitting incoming smtp traffic to this host BUT it was outgoing you needed so my ACL was not correct indeed

Happy you solved it though.

Regards.

Alain.

Don't forget to rate helpful posts.