Blocking outbound smtp traffic

gbronline
Level 1

Newbie here trying to implement a simple ACL. I want to block spam originating from our network. Say my network is 99.99.99.0/24 and my email server is 99.99.99.10. I want all my users to use this server as their only SMTP server (basically preventing others from running their own SMTP server). How do I achieve this? I guess I am confused about which interface I apply the ACL to and in what direction (most probably the out direction).

My Network : 99.99.99.0/24

Mail server: 99.99.99.10

Router config:

interface f0/0
 ip address 99.99.99.1 255.255.255.0
 ....
 ..
!
interface s1/0
 ! connected to our upstream provider
 ip address 13.126.218.214 255.255.255.252
!
ip route 0.0.0.0 0.0.0.0 s1/0
!
ip access-list extended trafficcop
 permit tcp any host 99.99.99.10 eq smtp
 deny tcp any 99.99.99.0 0.0.0.255 eq smtp

My question is: will the access list above solve my problem? And where do I apply this access list?

Will it be on f0/0 - "ip access-group trafficcop out"?

Thanks for the input.


gfullage
Cisco Employee

Keep in mind there's always an implicit "deny everything" at the end of an ACL, so your ACL will permit SMTP from 99.99.99.10 and BLOCK EVERYTHING ELSE, not just other SMTP traffic, which is probably not what you want.

Also, it's usually best to apply an ACL inbound on an interface, since the router then doesn't have to process the packet only to find it has to drop it as it goes out the other interface; that just wastes CPU cycles.

So, having said that, what you want is something like the following:

! only the mail server may open SMTP connections to anywhere
access-list 100 permit tcp host 99.99.99.10 any eq smtp
! nobody else on the LAN may
access-list 100 deny tcp any any eq smtp
! leave all other traffic alone (no implicit deny surprise)
access-list 100 permit ip any any
!
interface fa0/0
 ip access-group 100 in

Thanks for the input. Being an ISP, can I use "access-list 100 deny tcp any any eq smtp", or do I need to specify my range of IP addresses, i.e. "access-list 100 deny tcp any 99.99.99.0 0.0.0.255 eq smtp"?

The router is currently configured as:

ip access-list extended trafficcop
 ! NetBIOS / RPC / SMB
 deny tcp any any eq 137
 deny tcp any any eq 138
 deny tcp any any eq 139
 deny udp any any eq netbios-ns
 deny udp any any eq netbios-dgm
 deny udp any any eq netbios-ss
 deny udp any any eq 135
 deny tcp any any eq 135
 deny tcp any any eq 445
 deny udp any any eq 445
 ! SMTP
 permit tcp any host 99.99.99.10 eq smtp
 deny tcp any 99.99.99.0 0.0.0.255 eq smtp
 permit ip any any
!
interface fa0/0
 ip access-group trafficcop in
 ip access-group trafficcop out

I don't think the current access list will prevent someone in the network (99.99.99.0/24) from running an SMTP server and sending spam out through it.

Also, one more question: how should the access list on some other POP look (where there is no mail server), as far as blocking outbound port 25 is concerned?

Should it just be

access-list 111 deny tcp any any eq smtp
access-list 111 permit ip any any

or should it again be

access-list 111 permit tcp host 99.99.99.10 any eq smtp
access-list 111 deny tcp any any eq smtp
access-list 111 permit ip any any
!
interface fa0/0
 ip access-group 111 in

Thanks for listening to this newbie.
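The two points the thread turns on, the implicit deny at the end of every IOS ACL and the difference between applying an ACL "in" and "out" on fa0/0, are easy to check by hand with a small model. The following is an added example, not code from the thread or from Cisco: it parses the ACEs posted above (the original trafficcop ACL, the suggested access-list 100, the current trafficcop ACL and the proposed access-list 111 for a POP), applies IOS first-match semantics with wildcard masks and the implicit "deny ip any any", and runs a few constructed flows through each. The interface model is a deliberate simplification: it assumes the LAN 99.99.99.0/24 is the only thing behind fa0/0, so an "in" ACL on fa0/0 sees exactly the packets LAN hosts send and an "out" ACL sees exactly the packets delivered to the LAN. The 203.0.113.0/24 addresses are a documentation range standing in for the Internet.

```python
# Added example (not from the thread): a minimal model of Cisco IOS extended-ACL
# matching (first match wins, implicit "deny ip any any", IOS wildcard masks) plus a
# one-interface model of fa0/0. Assumes the LAN 99.99.99.0/24 sits behind fa0/0.
import ipaddress
from dataclasses import dataclass

LAN = ipaddress.ip_network("99.99.99.0/24")
MAIL = "99.99.99.10"
PORT_NAMES = {"smtp": 25, "netbios-ns": 137, "netbios-dgm": 138, "netbios-ss": 139}


@dataclass(frozen=True)
class Packet:
    proto: str  # "tcp" or "udp"
    src: str
    dst: str
    dport: int


def _match_addr(spec, addr):
    """spec is 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' (wildcard: 1 bits = don't care)."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return addr == spec[5:]
    net, wild = spec.split()
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(net)) & care)


def parse_ace(line):
    """Parse one ACE written either as 'access-list N ...' or in named-ACL form."""
    toks = line.split()
    if toks[0] == "access-list":
        toks = toks[2:]
    action, proto, i = toks[0], toks[1], 2

    def take_addr(i):
        if toks[i] == "any":
            return "any", i + 1
        if toks[i] == "host":
            return f"host {toks[i + 1]}", i + 2
        return f"{toks[i]} {toks[i + 1]}", i + 2

    src, i = take_addr(i)
    dst, i = take_addr(i)
    port = None
    if i < len(toks) and toks[i] == "eq":
        port = PORT_NAMES.get(toks[i + 1]) or int(toks[i + 1])
    return action, proto, src, dst, port


def evaluate(acl, pkt):
    """Return the action of the first matching ACE, or 'deny' for the implicit deny."""
    for action, proto, src, dst, port in acl:
        if proto != "ip" and proto != pkt.proto:
            continue
        if not (_match_addr(src, pkt.src) and _match_addr(dst, pkt.dst)):
            continue
        if port is not None and port != pkt.dport:
            continue
        return action
    return "deny"


def verdict(acl, pkt, direction):
    """fa0/0 'in' sees packets the LAN sends; 'out' sees packets delivered to the LAN.
    A LAN-sourced packet never meets an 'out' ACL on fa0/0, and vice versa (assumption)."""
    from_lan = ipaddress.ip_address(pkt.src) in LAN
    if (direction == "in") != from_lan:
        return "not seen"
    return evaluate(acl, pkt)


def acl(*lines):
    return [parse_ace(l) for l in lines]


# The ACLs discussed in the thread, as posted.
ORIGINAL = acl("permit tcp any host 99.99.99.10 eq smtp",
               "deny tcp any 99.99.99.0 0.0.0.255 eq smtp")
SUGGESTED_100 = acl("access-list 100 permit tcp host 99.99.99.10 any eq smtp",
                    "access-list 100 deny tcp any any eq smtp", "access-list 100 permit ip any any")
CURRENT = acl("deny tcp any any eq 137", "deny tcp any any eq 138", "deny tcp any any eq 139",
              "deny udp any any eq netbios-ns", "deny udp any any eq netbios-dgm",
              "deny udp any any eq netbios-ss", "deny udp any any eq 135", "deny tcp any any eq 135",
              "deny tcp any any eq 445", "deny udp any any eq 445",
              "permit tcp any host 99.99.99.10 eq smtp", "deny tcp any 99.99.99.0 0.0.0.255 eq smtp",
              "permit ip any any")
POP_111 = acl("access-list 111 deny tcp any any eq smtp", "access-list 111 permit ip any any")

# Constructed sample flows; 203.0.113.0/24 (documentation range) stands in for the Internet.
ROGUE_SMTP = Packet("tcp", "99.99.99.50", "203.0.113.25", 25)   # user-run MTA sending spam out
MAIL_OUT = Packet("tcp", MAIL, "203.0.113.25", 25)              # the real mail server sending out
WEB_OUT = Packet("tcp", "99.99.99.50", "203.0.113.80", 443)     # ordinary user traffic
MAIL_IN = Packet("tcp", "203.0.113.25", MAIL, 25)               # inbound mail delivery
NETBIOS_OUT = Packet("udp", "99.99.99.50", "203.0.113.5", 137)  # NetBIOS leaking out

if __name__ == "__main__":
    flows = [("rogue-smtp", ROGUE_SMTP), ("mail-out", MAIL_OUT), ("web", WEB_OUT),
             ("mail-in", MAIL_IN), ("netbios", NETBIOS_OUT)]
    for label, a, d in [("trafficcop out", ORIGINAL, "out"), ("trafficcop in", ORIGINAL, "in"),
                        ("acl 100 in", SUGGESTED_100, "in"), ("current in", CURRENT, "in"),
                        ("current out", CURRENT, "out"), ("acl 111 in", POP_111, "in")]:
        print(f"{label:15}", "  ".join(f"{n}={verdict(a, p, d)}" for n, p in flows))
```

Running it shows the three things the thread is about. The original two-line trafficcop ACL applied "out" on fa0/0 never sees the rogue host's outbound SMTP at all, and applied "in" it drops the web flow and the mail server's own outbound SMTP along with the spam, because nothing matches and the implicit deny takes over. The suggested access-list 100 applied "in" denies the rogue SMTP, permits the mail server's outbound SMTP and the web flow, and never touches inbound mail delivery. The current thirteen-line trafficcop ACL permits the rogue host's outbound SMTP (its SMTP deny only covers destinations inside 99.99.99.0/24, so anything to the Internet falls through to permit ip any any), which is exactly the gap the follow-up post suspects; the two-line access-list 111 closes it at a POP with no mail server.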