Cisco 1700 and Relaying Spam

CliveM (MIS), Oct 24, 2001
Hi Guys
Just taken on a new customer with a huge relay problem.
His system has been open for so long all the spammers must know about him.
I need to block the SMTP port at the router (Cisco 1700) but I am new to Cisco routers. Can this be done with reflexive access lists? Would this system then not allow me to access the clients with PCAnywhere or a similar program?
The IPs used on the LAN are public.
The Exchange Server 5.5 is being fronted by Mail Essentials 5, which is blocking the mail from going out again, but at a cost to my bandwidth, processor time and memory.


 
Firstly, he shouldn't be using real IP's on his LAN. He should be using a private range and then doing NAT on either a proxy server, firewall or router. Basic security!!

Secondly, the prevention of spam should be done on the mail server and not the router. If you blocked traffic on port 25 then they wouldn't be able to receive e-mail, unless they were collecting it from a POP box! The mail server should be able to accept incoming mail and make a decision based on the rcpt address!

If they are being spammed then find out where these mails are coming from and report it to the relevant ISP.

Chris.
************************
Chris Andrew, CCNA
chrisac@gmx.co.uk
************************
 
Thanks Chris
I am collecting from POP boxes.
As I said, I just started on this client yesterday. Glad you have confirmed my initial thoughts about the IP addresses.
I was looking for a temporary quick fix until I can finish analysis on the system and decide on a firewall etc.
When I have used private IPs on simpler routers such as the Zyxel 153, I can only forward a port to ONE internal IP at a time, so if I need to look at all clients from the internet via PCAnywhere I have a problem: how to get around that?
Sorry to get off subject!
 
I guess that it all depends on how many PC's you want remote access to and why! To open all clients up to remote access opens up massive security holes. We only ever open up the firewall to remote access and we do this using VNC. It's free, easy to use and really quick for remote access (over leased lines anyway!).

The network clients shouldn't be accessible from the outside really. You would have to map live IP's to private IP's for each client, which would be a huge waste of IP addresses, compromise security and be a pain in the arse to set up.

Chris.
************************
Chris Andrew, CCNA
chrisac@gmx.co.uk
************************
 
I agree on the last part.
VPN is the way to go.
There are about 20 clients and they have been accessing from outside for a long time. I can't change everything in one day.
Anyway, back to the router. Can I close all the ports except the PCAnywhere ports on the Cisco 1700? I haven't even got to the config of the router, as it is at the moment under the control of the ISP.
Thks
Chris
 
Hold on a second ... remote clients!! What are they connecting into??? So, do you want to be able to access each internal client on the network, or have remote clients access a particular server?

Like you said, for the remote clients you really could do with VPN clients and a VPN server on the main site.

So, with regard to the router config, yes, you could block all ports except the incoming PC Anywhere/VPN (whatever). You would put a rule inbound on the outside interface that allows the ports that you want to allow (permit tcp that_address this_address eq port_number) and deny everything else (deny ip any any).

Chris.
************************
Chris Andrew, CCNA
chrisac@gmx.co.uk
************************
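An added example (not from the thread or from either poster) of how that inbound rule set could look on the 1700 using IOS named extended access lists, with the reflexive access lists CliveM asked about so that replies to POP collection and other LAN-initiated sessions still get in. The WAN interface name Serial0, the PCAnywhere host 203.0.113.10 and the ACL names are assumptions; reflexive ACLs also need an IOS feature set that includes them.

```cisco
! Constructed example: filtering on the outside (ISP-facing) interface of a Cisco 1700.
! Assumptions: WAN interface is Serial0, the PCAnywhere host is 203.0.113.10 (a public
! address, since this LAN uses public IPs), ACL names are arbitrary.
!
! Outbound ACL: every session the LAN opens (POP3 collection, web, DNS) is recorded in
! the reflexive list LAN-SESSIONS so that its replies are allowed back in.
ip access-list extended INSIDE-OUT
 permit tcp any any reflect LAN-SESSIONS
 permit udp any any reflect LAN-SESSIONS
 permit icmp any any reflect LAN-SESSIONS
!
! Inbound ACL: only PCAnywhere to one host, plus replies to LAN-initiated sessions.
! Order matters: source first, then destination, so "eq" applies to the destination port.
ip access-list extended OUTSIDE-IN
 remark PCAnywhere data (TCP 5631) and status (UDP 5632) to a single host only
 permit tcp any host 203.0.113.10 eq 5631
 permit udp any host 203.0.113.10 eq 5632
 remark Replies to sessions opened from inside (matched against LAN-SESSIONS)
 evaluate LAN-SESSIONS
 remark Unsolicited SMTP never reaches the Exchange server, so it cannot be used as a relay
 deny tcp any any eq smtp log
 deny ip any any log
!
interface Serial0
 ip access-group INSIDE-OUT out
 ip access-group OUTSIDE-IN in
!
! Check what is being dropped (and that POP collection still works) with:
! show access-lists OUTSIDE-IN
! show access-lists LAN-SESSIONS
```

Traffic the router itself originates (its own DNS or NTP queries, for instance) does not pass through the outbound ACL and so never creates a reflexive entry; replies to it need explicit permit lines in OUTSIDE-IN. The log keyword on the two deny lines gives a running count of relay attempts that are now stopped at the router instead of at Mail Essentials.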
 