
ACL on Serial 0/0.1 Incoming


alexleon, Programmer, Jul 23, 2002
Hello everyone, need some help with the following ACL. I am trying to prevent certain networks from entering the network due to spam. I assigned the ACL 101 to my incoming serial and I still see network traffic passing the router into my network. What am I doing wrong????

Thanks in advance for anyone's help....

----------------------------------------------------
interface Serial0/0.1 point-to-point
ip access-group 101 in
!
access-list 101 remark Flowgo and Smilepop
access-list 101 deny tcp 12.129.0.0 0.0.255.255 any
access-list 101 deny tcp 69.6.0.0 0.0.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 permit ip any any
-----------------------------------------------------
 
Instead of blocking only TCP, why don't you block IP from those networks? If your email comes from your ISP, the best thing to do is to only allow SMTP from your ISP's mail servers and block everything else except established sessions, that is, if you don't have any other services (i.e. http/https/SSH). I would also make sure the server is set up properly so it doesn't allow SPAM in the first place.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Don't be content with being average. Average is as close to the bottom as it is to the top
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
Saeed42, thanks for responding to my post. I have a perimeter router which is normally used to weed out unwanted traffic from ever coming any further than my perimeter router. I have a firewall and mail filtering software behind this perimeter router that does the job of eliminating spammers for the most part, but I hate seeing smilepop.com along with flowgo.com entering the network and taking up firewall resources. I have the sites blacklisted along with other very popular spammers, but somehow I cannot get the Cisco router to stop this traffic at the serial incoming.

Here's my list...can you tell me what is wrong?

access-list 101 remark Mail Server
access-list 101 permit tcp any host 216.X.X.a eq smtp
access-list 101 remark Mail Server2
access-list 101 permit tcp any host 216.X.X.b eq smtp
access-list 101 remark DNS Restrictions
access-list 101 permit tcp any host 216.X.X.a eq domain
access-list 101 permit tcp any host 216.X.X.b eq domain
access-list 101 permit udp any host 216.X.X.a eq domain
access-list 101 permit udp any host 216.X.X.b eq domain
access-list 101 remark Allow ntp to time server
access-list 101 permit udp any eq ntp host 216.X.X.a eq ntp
access-list 101 remark Prevent spoofing. Deny incoming packets that have with internal address
access-list 101 deny ip 216.X.X.0 0.0.0.24 any log
access-list 101 remark More spoofing prevention. Insert ip address of external router interface ip address
access-list 101 deny ip host 216.X.X.X any log
access-list 101 remark Deny packets with localhost, broadcast and multicast addresses
access-list 101 deny ip 127.0.0.0 0.255.255.255 any log
access-list 101 deny ip 255.0.0.0 0.255.255.255 any log
access-list 101 remark Flowgo and Smilepop
access-list 101 deny ip 12.129.0.0 0.0.255.255 any
access-list 101 deny ip 69.6.0.0 0.0.255.255 any
access-list 101 permit ip 69.60.0.0 0.0.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 permit ip any any
 
The order of the access list is crucial, as once a match is found it is acted upon and no further action is taken. So if you have "permit any host xx.xxx.xxx.xxx eq 25" and then "deny host xx.xx.xx.xx host xxx.xxx.xx.xxx eq 25", traffic will never get to the deny statement, as the permit any would allow any port 25 traffic through.

If you look at your access list:

access-list 101 remark Mail Server
access-list 101 permit tcp any host 216.X.X.a eq smtp

you will notice that this will allow all SMTP traffic through, which means the deny rules for SMTP will never be read.


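As an added example (not from the thread or either poster), a small Python evaluator for the first-match rule Saeed42 describes, run over a shortened version of alexleon's list in both orders. It assumes only the ACE syntax used in the thread (permit/deny, tcp/udp/ip, wildcard masks, host, any, eq <port>), and 203.0.113.10 is a documentation-range placeholder standing in for the 216.X.X.a mail server.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: 0 bits must match the base, 1 bits are 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def parse_ace(line):
    """Parse one extended ACE: permit/deny <proto> <src> [eq p] <dst> [eq p] [log]."""
    tok = line.split()
    if tok[2] == "remark":          # remarks are comments, not entries
        return None
    fields, i = {"action": tok[2], "proto": tok[3]}, 4
    for side in ("src", "dst"):
        if tok[i] == "any":
            fields[side], i = ("0.0.0.0", "255.255.255.255"), i + 1
        elif tok[i] == "host":
            fields[side], i = (tok[i + 1], "0.0.0.0"), i + 2
        else:
            fields[side], i = (tok[i], tok[i + 1]), i + 2
        if i < len(tok) and tok[i] == "eq":
            fields[side + "_port"], i = tok[i + 1], i + 2
    return fields

def evaluate(acl_text, proto, src, dst, dport=None, sport=None):
    """First-match lookup: return (action, ACE text); no match hits the implicit deny."""
    for line in acl_text.strip().splitlines():
        ace = parse_ace(line)
        if ace is None or ace["proto"] not in ("ip", proto):
            continue
        if not (wildcard_match(src, *ace["src"]) and wildcard_match(dst, *ace["dst"])):
            continue
        if ace.get("src_port") not in (None, sport) or ace.get("dst_port") not in (None, dport):
            continue
        return ace["action"], line.strip()      # first match wins, stop here
    return "deny", "implicit deny"

# Constructed sample: 203.0.113.10 is a placeholder for the thread's 216.X.X.a mail server.
ORIGINAL_ORDER = """
access-list 101 permit tcp any host 203.0.113.10 eq smtp
access-list 101 deny ip 12.129.0.0 0.0.255.255 any
access-list 101 permit ip any any
"""
FIXED_ORDER = """
access-list 101 deny ip 12.129.0.0 0.0.255.255 any
access-list 101 permit tcp any host 203.0.113.10 eq smtp
access-list 101 permit ip any any
"""

if __name__ == "__main__":
    spam = ("tcp", "12.129.4.5", "203.0.113.10", "smtp")   # SMTP from the blocked /16
    print("original:", evaluate(ORIGINAL_ORDER, *spam))  # ('permit', ...) the deny is shadowed
    print("fixed:   ", evaluate(FIXED_ORDER, *spam))     # ('deny', ...) deny placed first
```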
 
Saeed42, the ACL order did the trick.

Thanks a million...
 