debug command - virus sending traffic on port 25

andypearce33 · ‎06-15-2009

Hi,

We have a possible virus on the network sending out traffic via port 25. I put the below access-list on ther router only allow traffic from the exchange server to send out traffic via port 25.

access-list 150 permit tcp host 192.168.0.2 any eq smtp

access-list 150 deny tcp any any eq smtp

access-list 150 permit ip any any

sh ip access-lists 150

Extended IP access list 150

10 permit tcp host 192.168.0.2 any eq smtp (1010 matches)

20 deny tcp any any eq smtp (1225 matches)

30 permit ip any any (1523 matches)

As soon as I view the access list I can see the this working. I would like to do is run a debug comand to find out what source IP address is being blocked by the rouuter. CAn anyone advise the best debug command I should use. we have Cisco IOS Software, C870 Software (C870-ADVSECURITYK9-M), Version 12.4(4)T4.

Please help??

Thanks in advance?

bmcginn · ‎06-15-2009

Hi there,

You probably don't need to do a full debug on it.

You can try the following:

access-list 150 permit tcp host 192.168.0.2 any eq smtp

access-list 150 deny tcp any any eq smtp log

access-list 150 permit ip any any

the log option at the end of the 2nd line will log the 'deny' to the buffer. Assuming you have set up logging to go to the buffer.

Just in case you don't:

logging buffered 10240 informational

That should send all entries that hit the deny entry in the ACL to the buffer, which you can view with the 'show log' command.

I hope I haven't missed anything..

good luck!

Brad