Cisco – Block port with single exception on Cisco 803

aclciscorouter

This seems fairly straight forward, though I'm having trouble finding a solution on Google and in the Cisco documentation. I think I'm perhaps just not looking for the correct thing.

Essentially I want to block all outgoing SMTP traffic except for our mail server, currently only the DHCP range is blocked, but I wanted to narrow that down to just the mail server.

Current:

access-list 107 deny   tcp 10.1.3.0 0.0.0.255 any eq smtp
access-list 107 permit ip any any

I tried (but completely locked out all network connections and required a power cycle):

access-list 107 deny   tcp any any eq smtp
access-list 107 permit tcp host 10.1.1.20 any eq smtp

So, I wish to block SMTP outgoing for all hosts except 10.1.1.20, how can this be done? What am I missing?

Best Answer

Try this:

access-list 107 permit tcp host 10.1.1.20 any eq smtp
access-list 107 deny   tcp any any eq smtp
access-list 107 permit ip any any

Keep in mind, the order you insert a standard ACL in Cisco routers is the order in which the directives are matched.

So:

First allow your server 10.1.1.20 to connect to smtp port
Then disallow any other host to connect to smtp port
Finally, allow any other IP communication

Related Solutions

Router – NAT translation thestery

This doesn't really answer my question why did NAT always use the 80th port as source port for outgoing traffic, but at least I figured out how to fix the problem.

I created an access list to match traffic from the mail server and also created a pool of one public address for it.

ip access-list extended 109
 !!! Restrict NAT for branch office destinations
 deny ip host 192.168.7.7. 192.168.0.0 0.0.255.255
 permit ip host 192.168.7.7 any
ip nat pool MAIL 198.51.100.7 198.51.100.7 prefix-length 27
ip nat inside source list 109 pool MAIL

And...Voilà! It now preserves the source port number as it sends traffic. And our mail is no longer blocked by some external MTA mail servers.

Update:

So now I tried reverting back to:

ip nat source static 192.168.7.7 198.51.100.7 route-map Deny_On_VPN

And it actually started to translate addresses and ports as expected - one to one. I don't really understand what the deal was with it, maybe a bug? Hopefully it will keep running like this from now on. I guess, I'll have a look at IOS release notes

Cisco ASA 5505 stop passing traffic randomly

The issue has been resolved! I have tried to analyze non-working hosts ARP tables and found ASA's MAC address change. Decreased ASA's log verbosity to Warning level, rebooted it and got a message during boot

IP address collision detected between host 192.168.0.1 at f80f.4197.a18d and interface inside

So found host with the MAC noted. Despite it has different IP address and it is separate point to investigate, host's disconnection immediately resolves the issue.

Best Answer

Related Solutions

Router – NAT translation thestery

Update:

Cisco ASA 5505 stop passing traffic randomly

Related Topic