Block SMTP from in to out

Hi,

I am trying to configure an SR-520 router with IOS 12.4T to block port 25 traffic from all the internal IPs except three.

I could do it using ACL, as follows:

access-list 107 permit tcp host 192.168.10.91 any eq smtp
access-list 107 permit tcp host 192.168.10.11 any eq smtp
access-list 107 permit tcp host 192.168.10.191 any eq smtp
access-list 107 deny   tcp any any eq smtp log
access-list 107 permit ip any any

interface BVI75
ip access-group 107 in

However, this router uses ZFW and I believe that it is possible to use it for this purpose, but I don't know how.

I tried to enable Layer-4 inspection using:

ip access-list extended SMTP-ACL
permit tcp host 192.168.10.91 any
permit tcp host 192.168.10.11 any
permit tcp host 192.168.10.191 any
deny tcp any any

class-map type inspect match-all SMTP-traffic
match protocol smtp
match access-group name SMTP-ACL

policy-map type inspect sdm-inspect
class type inspect SMTP-traffic
  inspect

Where:

zone-pair security sdm-zp-in-out source in-zone destination out-zone
service-policy type inspect sdm-inspect

interface BVI75
description $FW_INSIDE$
zone-member security in-zone

interface FastEthernet4
description $FW_OUTSIDE$
zone-member security out-zone

But it doesn't work. All the internal NICs are allowed to send traffic on port 25.

To test this, I use telnet on port 25 to an Internet host.

Can anyone tell me what is wrong in my second configuration, and what is the correct way to block the SMTP traffic using ZFW?

Thank you very much.
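Added illustration, not part of the original post and not IOS code: a small Python model of how a ZFW policy-map classifies a flow (first matching class wins, an ACL used in `match access-group` only answers "does this flow match?", so its `deny` entries are not drops). It assumes, as the usual SDM default, that sdm-inspect already holds a generic TCP inspect class evaluated ahead of SMTP-traffic; the host addresses are the three from the question.

```python
# Toy model of Cisco ZFW class-map / policy-map evaluation, added to
# illustrate the question above. It is a simulation, not IOS.
from dataclasses import dataclass

# The three hosts the poster wants to allow to send SMTP.
PERMITTED_SMTP = {"192.168.10.91", "192.168.10.11", "192.168.10.191"}


@dataclass
class Flow:
    src: str
    dport: int
    proto: str = "tcp"


def acl_smtp_hosts(flow):
    """SMTP-ACL from the post. Its trailing 'deny tcp any any' is NOT a
    drop: inside a class-map an ACL is only a match criterion."""
    return flow.proto == "tcp" and flow.src in PERMITTED_SMTP


def is_smtp(flow):            # match protocol smtp
    return flow.proto == "tcp" and flow.dport == 25


def any_tcp(flow):            # generic 'match protocol tcp' class
    return flow.proto == "tcp"


def all_of(*matchers):        # class-map type inspect match-all
    return lambda f: all(m(f) for m in matchers)


def evaluate(policy, flow, default="drop"):
    """Classes are tried in order; the first match decides the action.
    Anything unmatched falls to class-default (drop here, an assumption)."""
    for matcher, action in policy:
        if matcher(flow):
            return action
    return default


# Poster's layout (assumption: a generic TCP inspect class such as the
# SDM-generated one sits ahead of SMTP-traffic in sdm-inspect).
POSTED = [
    (any_tcp, "inspect"),
    (all_of(is_smtp, acl_smtp_hosts), "inspect"),   # SMTP-traffic
]

# Corrected layout: inspect SMTP from the three hosts, explicitly drop every
# other SMTP flow, and only then hand the remaining TCP to the generic class.
CORRECTED = [
    (all_of(is_smtp, acl_smtp_hosts), "inspect"),
    (is_smtp, "drop"),
    (any_tcp, "inspect"),
]


def outcome(policy, src, dport=25):
    return evaluate(policy, Flow(src, dport))
```

Run `outcome(POSTED, "192.168.10.50")` versus `outcome(CORRECTED, "192.168.10.50")` to see the difference: the posted order never reaches a drop, the corrected order drops SMTP from any host outside the list while leaving other TCP inspected.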