Restricting SMTP inbound traffic

sbrown6079
Level 1

I use a mail filtering service that delivers mail to me via SMTP on standard port 25 on one of my 5 static external IPs. I wish to restrict this to their IPs only (they have two), and I am unsure how to do so. As it stands now, anything on the net can talk to my mailserver, and my logs are filling quickly with failed attempts as a result. Here's my setup and what I am trying to accomplish:

mail filtering service -> my public ip:25 -> internal mailserver at 10.0.10.2:25, deny everything inbound except traffic from the mail filtering service

I am thinking an ACL would fit the bill here, but I am unsure how to implement it.

Router is an 1811 with version 15.1(4)M3 IOS. WAN is on fa0, LAN is on fa1.

3 Replies

Hi Stephen,

Please correct me if I misunderstood your setup.

You want to permit only the mail service traffic from your outside (WAN) interface of your 1811 router to your inside (LAN) interface.

In this case you can create the following extended access list:

ip access-list extended filter   -> the name of the access list
permit tcp host "public IP" host 10.0.10.2 eq 25   -> you allow only the SMTP traffic from public IP to 10.0.10.2
deny ip any any

Then you have to apply this access list to the WAN interface:

interface fa0
ip access-group filter in

Hope that helps

Vasilis

That makes sense to me, but does not appear to be working. This is what I ended up with for the ACL:

Extended IP access list smtp
    10 permit tcp host 207.210.234.37 host 10.0.10.2 eq smtp
    20 permit tcp host 207.200.28.37 host 10.0.10.2 eq smtp
    30 deny ip any any (1234 matches)

The 207.210.234.37 and 207.200.28.37 are the IPs of the mail filtering service. As a test I logged into another remote server and was able to telnet to port 25; I expected it to be denied. I also applied the ACL to fa0 inbound:

Inbound  access list is SMTP

And the only other thing I'll mention is that I have a static NAT entry for this as well (for inbound traffic):

ip nat inside source static tcp 10.0.10.2 25 my.public.ip 25 extendable

You can easily find the traffic that is denied in order to then modify your access list.

Remove entry 30 and add the following:

conf t
ip access-list extended smtp
no 30

and add the next command:

100 deny ip any any log   -> 100 is the sequence number in your access list; it should be the last entry

Then check the logs (show logging) and you can easily find the streams that should be permitted but are denied in your access list.

Then modify your access list according to this info.

PS: maybe you need to permit the next entries too

15 permit tcp host 207.210.234.37 eq smtp host 10.0.10.2

25 permit tcp host 207.200.28.37 eq smtp host 10.0.10.2
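
Added example, not written by any participant in this thread: on IOS an inbound ACL on the outside interface is evaluated before the static NAT translation, so it has to match the public address rather than 10.0.10.2. The ACL name SMTP-IN and the address 203.0.113.10 (standing in for my.public.ip) are placeholders, and entry 40 assumes the LAN also opens outbound TCP connections through fa0.

```cisco
! Added example; SMTP-IN and 203.0.113.10 are placeholders.
! 203.0.113.10 stands in for "my.public.ip" in the static NAT entry.
!
! As posted, the destination is the inside address. An inbound ACL on the
! outside interface never sees it, because NAT has not translated yet:
!   permit tcp host 207.210.234.37 host 10.0.10.2 eq smtp
!
ip access-list extended SMTP-IN
 remark mail filtering service to the public (pre-NAT) address
 10 permit tcp host 207.210.234.37 host 203.0.113.10 eq smtp
 20 permit tcp host 207.200.28.37 host 203.0.113.10 eq smtp
 remark drop and log every other SMTP attempt
 30 deny tcp any host 203.0.113.10 eq smtp log
 remark assumption: replies to TCP sessions opened from the LAN
 40 permit tcp any any established
 remark everything else inbound is dropped and logged
 remark (UDP replies such as DNS need their own permit entries)
 100 deny ip any any log
!
interface FastEthernet0
 ! ACL names are case-sensitive; this must match the list name exactly
 ip access-group SMTP-IN in
!
! Verification (exec mode):
!   show ip access-lists SMTP-IN      <- hit counters per entry
!   show ip interface FastEthernet0   <- which list is applied inbound
!   show logging                      <- sources caught by the log keyword
```

After a test connection from a host outside the two permitted addresses, the counter on entry 30 should increase and the source should appear in show logging.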
