Edit Cisco ACL via Telnet?

By cypher.msix
Having never done this before, I'm at a bit of a loss. I can log in via telnet to our Cisco router (1721), enable it, and look around at the access lists, but I can't seem to figure out how to do what I need to do.

I need to basically block all traffic on port 25 (smtp) unless it comes from our exchange server (let's say it's 192.168.1.112). I don't know any Cisco commands really, and sort of understand the different modes (sort of), but beyond that I don't know how to simply add in a few lines. What I have to do is this:

"First you need to create an access list describing the traffic (x.x.x.x is the ip address of the mail server)

access-list acl_out permit tcp host x.x.x.x any eq 25
access-list acl_out deny tcp any any eq 25
access-list acl_out permit ip any any

Then you need to apply that access-list to the inside interface(because it is being checked on the inside before it goes out)

access-group acl_out in interface inside"

How do I do that??


All Answers


Mail Server

by cypher.msix In reply to A Question

NetMan,

The mail server is our Exchange Server that all of our company computers use to send and receive e-mail. So to answer your question, yes it will need to receive e-mail as well.

Just to clarify, I'm assuming that the client machines send e-mail -through- the mail server, and not directly from the clients themselves (that just doesn't make any sense to me).


Configuration

by NetMan1958 In reply to Mail Server

In that case, to be sure I don't tell you something that would have unintended consequences, could you post the output of the "show run" command from your router? You can mask any usernames/passwords/Public IP addresses with asterisks. Then I will post the necessary changes.


show run output

by cypher.msix In reply to Configuration

Thanks for the help, NetMan. Appreciate it. :)

RouterSR#show run
Building configuration...

Current configuration : 4455 bytes
!
! No configuration change since last restart
!
version 12.2
service timestamps debug datetime localtime
service timestamps log datetime localtime
no service password-encryption
!
hostname RouterSR
!
boot system flash c1700-k9o3sy7-mz.122-11.T8.bin
aaa new-model
!
!
aaa authentication login userauthen group radius
aaa authorization network groupauthor local
aaa session-id common
enable secret 5 [secret]
enable password [password]
!
username [login] password 0 [password]
username [login] privilege 15 password 0 [password]
clock timezone PST -8
clock summer-time PST recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
ip subnet-zero
!
!
!
ip audit notify log
ip audit po max-events 100
!
!
crypto isakmp policy 3
authentication pre-share
group 2
!
crypto isakmp policy 5
hash md5
authentication pre-share
group 2
crypto isakmp keepalive 10
!
crypto isakmp client configuration group [group]
key [password]
wins 192.168.1.112
pool ippool
!
!
crypto ipsec transform-set myset esp-des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
interface Ethernet0
ip address 64.00.00.00 255.255.255.248
ip nat outside
ip route-cache flow
half-duplex
crypto map clientmap
!
interface FastEthernet0
ip address 192.168.2.1 255.255.255.0 secondary
ip address 192.168.1.254 255.255.255.0
ip access-group 101 in
ip nat inside
ip route-cache flow
speed auto
full-duplex
!
interface Serial0
ip address 192.168.3.20 255.255.255.0
ip nat inside
encapsulation ppp
ip route-cache flow
fair-queue
service-module t1 clock source internal
service-module t1 timeslots 1-24
!
router rip
network 192.168.1.0
network 192.168.2.0
!
ip local pool ippool 192.168.5.1 192.168.5.254
ip nat pool ovrld 64.00.00.00 64.00.00.00 prefix-length 24
ip nat inside source list 117 pool ovrld overload
ip nat inside source static tcp 192.168.1.6 80 64.00.00.00 80 extendable
ip nat inside source static tcp 192.168.1.9 8234 64.00.00.00 8234 extendable
ip nat inside source static tcp 192.168.1.112 443 64.00.00.00 443 extendable
ip nat inside source static tcp 192.168.1.112 25 64.00.00.00 25 extendable
ip nat inside source static tcp 192.168.1.112 143 64.00.00.00 143 extendable
ip nat inside source static tcp 192.168.1.110 21 64.00.00.00 21 extendable
ip nat inside source static tcp 192.168.1.251 1024 64.00.00.00 1024 extendable
ip nat inside source static tcp 192.168.1.106 1800 64.00.00.00 1800 extendable
ip nat inside source static tcp 192.168.1.7 5900 64.00.00.00 5900 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 64.00.00.89
ip http server
!
!
ip access-list extended addr-pool
ip access-list extended archive
ip access-list extended configure
ip access-list extended console
ip access-list extended dns-servers
ip access-list extended exec
ip access-list extended idletime
ip access-list extended inacl
ip access-list extended key-exchange
ip access-list extended level
ip access-list extended protocol
ip access-list extended service
ip access-list extended timeout
ip access-list extended tunnel-password
ip access-list extended wins-servers
!
logging trap debugging
logging 192.168.1.107
access-list 101 permit tcp any any eq www log
access-list 101 permit ip any any
access-list 102 permit tcp host 192.168.1.112 any eq smtp
access-list 102 deny tcp any any eq smtp
access-list 102 permit ip any any
access-list 115 deny tcp any any eq 5050
access-list 115 deny tcp any any eq 1863
access-list 115 deny tcp any any eq 5190
access-list 115 deny tcp any any eq 7000
access-list 115 deny tcp any any eq 6660
access-list 117 deny ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 117 permit ip 192.168.1.0 0.0.0.255 any
access-list 117 permit ip 192.168.2.0 0.0.0.255 any
access-list 117 permit ip 192.168.3.0 0.0.0.255 any
!
snmp-server community P1ub2lic RO
snmp-server enable traps tty
radius-server host 192.168.1.112 auth-port 1645 acct-port 1646 key [password]
radius-server host 192.168.1.110 auth-port 1645 acct-port 1646 key [password]
radius-server retransmit 3
radius-server authorization permit missing Service-Type
!
line con 0
line aux 0
line vty 0 4
password [password]
line vty 5 6
!
ntp authenticate
ntp clock-period 17179980
ntp server 209.81.9.7
end


A Test

by NetMan1958 In reply to show run output

Let's try a little test to make sure I'm on the right track.
Open a command prompt on your email server and enter the following:
telnet 209.1**.118.103 25
[ENTER]
If it connects you will see this:
220 mta505.mail.mud.yahoo.com ESMTP YSmtp service ready
If it doesn't connect you will see an error message.
If it doesn't connect, login to your router and type the same command i.e.
telnet 209.1**.118.103 25
[ENTER]
and let me know the results of both tests.

Thanks,
Netman


Results

by cypher.msix In reply to A Test

NetMan

I was able to successfully telnet to that ip from the command prompt, and decided to try it out through the router just in case it might be important to know. Here were the results:

RouterSR>telnet 209.1**.118.103 25
Trying 209.1**.118.103, 25 ... Open

[Connection to 209.1**.118.103 closed by foreign host]
RouterSR>


RE: Results

by NetMan1958 In reply to A Test

Results
NetMan

I was able to successfully telnet to that ip from the command prompt, and decided to try it out through the router just in case it might be important to know. Here were the results:

RouterSR>telnet 209.1**.118.103 25
Trying 209.1**.118.103, 25 ... Open

[Connection to 209.1**.118.103 closed by foreign host]
RouterSR>

OK, now we're getting somewhere. If you can telnet from your email server to another email server's port 25 and it answers, then the smtp traffic is passing through the router OK. Has this email server been working previously? If so, has anything been changed on the server or the Exchange config?
When you try to send email does it bounce or stack up in the queue on the server? If it bounces, can you post the error message?

We've got her on the run now!


re: Dumphrey

by cypher.msix In reply to Edit Cisco ACL via Telnet ...

Yes, our internal mail server uses port 25 to send mail. :)

When I entered in the commands, I actually used 25 as the port number.. when I looked it up with the show ip int e0 command, it popped up with the smtp replacement which I thought was cutely annoying. :-P


re: Results

by cypher.msix In reply to Edit Cisco ACL via Telnet ...

OK, now we're getting somewhere. If you can telnet from your email server to another email server's port 25 and it answers, then the smtp traffic is passing through the router OK. Has this email server been working previously? If so, has anything been changed on the server or the Exchange config?
When you try to send email does it bounce or stack up in the queue on the server? If it bounces, can you post the error message?

We've got her on the run now!

---------

NetMan,

You know, I looked at my monitors today and realized I have twelve remote desktop sessions open.. and it got me to wondering if I ran those telnet commands from the right server. Turns out, I did not. I ran it from one of the clients :-/

In fact, it seems there is a problem trying to open a telnet session to the yahoo mail servers as shown below:

direct from mail server:

421 Message from (64.00.00.00) temporarily deferred - 4.16.50. Please refer to h
ttp://help.yahoo.com/help/us/mail/defer/defer-06.html


Connection to host lost.

U>

through router:

RouterSR>telnet 209.1**.118.103 25
Trying 209.1**.118.103, 25 ... Open
421 Message from (64.00.00.00) temporarily deferred - 4.16.50. Please refer to h
ttp://help.yahoo.com/help/us/mail/defer/defer-06.html

[Connection to 209.1**.118.103 closed by foreign host]
RouterSR>

To answer your questions and shed more light on the current situation, the mail server has been up and running for years before I came along. We've recently been running into a lot of spyware problems for various reasons, and have been blacklisted multiple times already. One of the things I want to do to help prevent that from happening in the future is to prevent any client or server from sending traffic out to the internet through port 25, hopefully stopping a few naughty malware apps from e-mail itself (with the exception of the mail server, of course).

So, I wrote an ACL to handle that task (extended acl 102) and applied it to the outbound ethernet0 tunnel thing... whatever it's called... and unfortunately it seems that everything got blocked on port 25, even the mail server. As I can't have the entire office not able to send e-mail out, I had to remove the acl and that's where we're at right now.

When I did have the acl in effect, I noticed that while no e-mails would be sent, as soon as I re-booted the router (essentially refreshing the config to its previous state) the e-mails I tried to send through finally went, indicating that they were stacking up waiting to go through.

Thanks for all your help so far. It's beyond appreciated! :-)


We're getting closer

by NetMan1958 In reply to re: Results

OK, your answer confirmed what I was suspecting. This error message:
"421 Message from (64.00.00.00) temporarily deferred - 4.16.50. Please refer to h
ttp://help.yahoo.com/help/us/mail/defer/defer-06.html"
actually came from the yahoo server, so that confirms that the router is not blocking your SMTP traffic. That message indicates that your IP address(es) are being refused by yahoo (and probably others) due to an abuse policy.

First, let's take care of configuring your router to do what you want it to.
Connect to your router and type the following:

conf t
interface FastEthernet0
no ip access-group 101 in
ip access-group 102 in

After you enter those commands, press and hold the ctrl key and press the "Z" key.

Now type the following:
wr mem

Now run the telnet test again from the server:
telnet 209.1**.118.103 25
and you should get the same message you got before.

Then try the telnet test from another computer on the network and it shouldn't ever connect to the yahoo server.

Let me know the results and we will go from there.

Netman


That seemed to do the trick.

by cypher.msix In reply to We're getting closer

Applied the acl as you instructed and was able to get out from our mail server to the yahoo mail server. Trying to do the same from one of our clients resulted in a failed connection.

from the mail server:

421 Message from (64.00.00.00) temporarily deferred - 4.16.50. Please refer to h
ttp://help.yahoo.com/help/us/mail/defer/defer-06.html


Connection to host lost.

from the client:

U>telnet 209.1**.118.103 25
Connecting To 209.1**.118.103...Could not open connection to the host, on port 25: Connect failed

That's good news! So, I guess I ended up applying the ACL to the wrong thing, so then which line does the T1 come in on? The Ethernet0 or the FastEthernet0? And why are we applying the ACL to the "in" rather than the "out"? Is it because "in" means "coming from the inside going outside" rather than "coming inside from the outside"?

Granted, I've learned quite a bit about all this Cisco router jargon, but it's still rather confusing. I think if I understood more about what the f0 and the e0 are and what the 'in' and 'out' on each of those meant, I would be in better shape for the future. :-)
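Added example, not code from the thread or from either poster: a small Python simulator of how IOS evaluates a numbered access list (top to bottom, first match wins, implicit deny at the end), parsing the access-list 101 and 102 lines exactly as they appear in the show run output above. It checks constructed packets against ACL 102 in the two placements discussed: inbound on FastEthernet0, as NetMan instructs, where the router evaluates the ACL before NAT and still sees each LAN host's own address; and outbound on Ethernet0, as the poster originally tried, where IOS has already translated the source to the shared public address, so the "host 192.168.1.112" entry can never match and the deny line catches the mail server too. The client address, the remote mail server address and the public address (a placeholder for the masked 64.00.00.00 in the thread) are constructed values.

```python
"""Simulate Cisco IOS numbered-ACL evaluation: first match wins, implicit deny."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"smtp": 25, "www": 80}   # IOS port keywords used in the thread's ACLs

# ACL lines copied from the show run output posted in the thread
CONFIG_ACL_LINES = [
    "access-list 101 permit tcp any any eq www log",
    "access-list 101 permit ip any any",
    "access-list 102 permit tcp host 192.168.1.112 any eq smtp",
    "access-list 102 deny tcp any any eq smtp",
    "access-list 102 permit ip any any",
]

@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: int     # IPv4 addresses as integers
    dst: int
    dport: int

@dataclass(frozen=True)
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches every protocol
    src: int
    src_wild: int          # Cisco wildcard mask: 1 bits are don't-care
    dst: int
    dst_wild: int
    dport: Optional[int]   # None = any destination port

def ip_int(text: str) -> int:
    return int(ipaddress.IPv4Address(text))

def _parse_addr(tok, i):
    """Consume one IOS address spec (any | host A | A WILDCARD) starting at tok[i]."""
    if tok[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tok[i] == "host":
        return ip_int(tok[i + 1]), 0, i + 2
    return ip_int(tok[i]), ip_int(tok[i + 1]), i + 2

def parse_acls(lines):
    """Group 'access-list N ...' lines by number; line order is the ACL order."""
    acls = {}
    for line in lines:
        tok = line.split()
        if tok[:1] != ["access-list"]:
            continue
        num, action, proto = tok[1], tok[2], tok[3]
        src, swild, i = _parse_addr(tok, 4)
        dst, dwild, i = _parse_addr(tok, i)
        dport = None
        if i < len(tok) and tok[i] == "eq":   # only the destination-port form used here
            dport = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
        acls.setdefault(num, []).append(Ace(action, proto, src, swild, dst, dwild, dport))
    return acls

def _addr_match(pkt_addr, base, wild):
    care = ~wild & 0xFFFFFFFF   # bits that must match are the 0 bits of the wildcard
    return (pkt_addr & care) == (base & care)

def evaluate(acl, pkt):
    """Return the action of the first matching entry, or 'deny' (IOS implicit deny)."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if not _addr_match(pkt.src, ace.src, ace.src_wild):
            continue
        if not _addr_match(pkt.dst, ace.dst, ace.dst_wild):
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        return ace.action
    return "deny"

ACLS = parse_acls(CONFIG_ACL_LINES)
MAIL_SERVER = ip_int("192.168.1.112")
CLIENT = ip_int("192.168.1.50")      # constructed: an ordinary LAN workstation
NAT_PUBLIC = ip_int("64.0.0.0")      # placeholder for the masked public address in the thread
REMOTE_MX = ip_int("203.0.113.25")   # constructed: an outside mail server (TEST-NET-3)

def inbound_on_inside():
    """ACL 102 'in' on FastEthernet0: evaluated before NAT, real LAN sources are visible."""
    acl = ACLS["102"]
    return {
        "mail_server_smtp": evaluate(acl, Packet("tcp", MAIL_SERVER, REMOTE_MX, 25)),
        "client_smtp": evaluate(acl, Packet("tcp", CLIENT, REMOTE_MX, 25)),
        "client_www": evaluate(acl, Packet("tcp", CLIENT, REMOTE_MX, 80)),
    }

def outbound_on_outside():
    """ACL 102 'out' on Ethernet0: evaluated after NAT, every LAN host looks like NAT_PUBLIC."""
    acl = ACLS["102"]
    return {
        "mail_server_smtp": evaluate(acl, Packet("tcp", NAT_PUBLIC, REMOTE_MX, 25)),
        "client_smtp": evaluate(acl, Packet("tcp", NAT_PUBLIC, REMOTE_MX, 25)),
    }

if __name__ == "__main__":
    print("ACL 102 inbound on FastEthernet0:", inbound_on_inside())
    print("ACL 102 outbound on Ethernet0:", outbound_on_outside())
```

Running it shows the mail server permitted and the client denied on port 25 when ACL 102 sits inbound on FastEthernet0, while in the outbound-on-Ethernet0 placement both evaluate to deny, which matches the "everything got blocked, even the mail server" result the poster saw. The parser only handles the address and port forms that appear in this router's configuration; source-port matches, `range`, `established` and named ACLs are out of scope.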
