Hi,
I am trying to configure an SR-520 router with IOS 12.4T to block port 25 traffic from all the internal IPs except three.
I could do it using ACL, as follows:
access-list 107 permit tcp host 192.168.10.91 any eq smtp
access-list 107 permit tcp host 192.168.10.11 any eq smtp
access-list 107 permit tcp host 192.168.10.191 any eq smtp
access-list 107 deny tcp any any eq smtp log
access-list 107 permit ip any any
interface BVI75
 ip access-group 107 in
However, this router uses ZFW and I believe that it is possible to use it for this purpose, but I don't know how.
I tried to enable Layer-4 inspection using:
ip access-list extended SMTP-ACL
 permit tcp host 192.168.10.91 any
 permit tcp host 192.168.10.11 any
 permit tcp host 192.168.10.191 any
 deny tcp any any
class-map type inspect match-all SMTP-traffic
 match protocol smtp
 match access-group name SMTP-ACL
policy-map type inspect sdm-inspect
 class type inspect SMTP-traffic
  inspect
Where:
zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect
interface BVI75
 description $FW_INSIDE$
 zone-member security in-zone
interface FastEthernet4
 description $FW_OUTSIDE$
 zone-member security out-zone
But it doesn't work. All the internal NICs are allowed to send traffic on port 25.
To test this, I use telnet on port 25 to an Internet host.
Can anyone tell me what is wrong in my second configuration, and what is the correct way to block the SMTP traffic using ZFW?
Thank you very much.
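One way to make the zone-based policy actually drop SMTP from hosts that are not on the list, shown here as an added example and not as a reply from this thread: in a `match-all` inspect class-map, a `deny` entry in the referenced ACL only means "this packet does not match this class", it never drops anything. SMTP from the other hosts therefore falls through to the later classes of `sdm-inspect` (an SDM-generated policy usually carries a general inspect class that includes smtp), and is allowed. The ZFW way to express the exception is two classes in order: one that inspects SMTP from the permitted hosts, and a second one that matches SMTP from any source and drops it, placed before `class-default`. The names `SMTP-ALLOWED-HOSTS`, `SMTP-allowed` and `SMTP-blocked` are assumptions; the other classes already present in the existing `sdm-inspect` policy are not shown and would stay below these two. The zone-pair and interface zone assignments are the ones from the original post.

```cisco
! Only source hosts matter here; the protocol match is done by the class-map,
! so the ACL carries no deny entries (a deny would just un-match the class).
ip access-list extended SMTP-ALLOWED-HOSTS
 permit ip host 192.168.10.91 any
 permit ip host 192.168.10.11 any
 permit ip host 192.168.10.191 any

! SMTP from one of the three permitted hosts: both conditions must hold.
class-map type inspect match-all SMTP-allowed
 match protocol smtp
 match access-group name SMTP-ALLOWED-HOSTS

! Any other SMTP (the permitted hosts were already consumed by the class above).
class-map type inspect match-any SMTP-blocked
 match protocol smtp

! Classes are evaluated top-down; the allow class must precede the drop class,
! and both must precede any general inspect class that also matches smtp.
policy-map type inspect sdm-inspect
 class type inspect SMTP-allowed
  inspect
 class type inspect SMTP-blocked
  drop log
 ! ... existing sdm-inspect classes remain here, unchanged ...
 class class-default
  drop

zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect
```

To confirm the ordering is doing what you expect, repeat the telnet test from a permitted and from a non-permitted host and compare the per-class counters in `show policy-map type inspect zone-pair sdm-zp-in-out`: the session from the permitted host should show up under `SMTP-allowed`, and the other one as a drop under `SMTP-blocked`, with a log entry if `drop log` is configured.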