HELP - Exchange & Cisco 1700 Lockdown from SPAM

Hello everyone,

I want to thank everyone in advance for any information you provide. I'm going to be as straightforward as possible and give as much detail as possible.

We are running Windows 2000 SBS with Exchange and I have recently moved my SPAM scanning externally outside of our building, through a third-party SPAM scanning company called SpamSoap.

The issue that I am having follows: The scanner is working correctly and stopping almost all of the SPAM. However, someone is directly mailing to our IP address; as our IP is static we cannot change it. SpamSoap recommends locking down our Exchange server to only accept mail from a certain IP range they give us. This is the problem: I don't know how to put these IP addresses into Exchange and/or my Cisco 1700 router.

Does anyone know how to complete this? Is this true and possible to be done? Thanks again for looking and giving any thoughts you might have! Mickie

Reply to
mickiemellott

I think you are asking how to ACL off SMTP from everywhere except the IP-range of your 3rd party provider. You would do this by creating an access-list on the router that allows SMTP (port 25) from your SPAM filter and nothing else. I would need more information on how exactly this spam filter works (is your email domain pointed/owned by their servers and whatever passes the filter is sent on to your specific mail server, or is something else going on). But here is an example of an ACL:

! a.b.c.d = address of your SPAM filter (the only permitted SMTP source)
access-list 101 permit tcp host a.b.c.d any eq smtp
access-list 101 deny tcp any any eq smtp

You would then apply that ACL to your external interface on your router:

interface <your-external-interface>
 ip access-group 101 in

Again, I would strongly discourage doing anything until you have a complete understanding of the flow of traffic (in this case mail) with your 3rd party provider. The last thing you want is an email outage...

Reply to
Trendkill

Thank you very much for your input... here is the flow of traffic and additional information you requested: Our DNS records (through GoDaddy) point/redirect the mail to their servers where it is checked for SPAM and then their (SpamSoap) servers send the mail on to our IP address/mail server. SpamSoap has provided a block of IP addresses to allow within the router. I need to set these up because spammers are bypassing the scanner and mailing directly to our mail server. I'm pretty sure that what you are saying is what I need, I'm just not sure how to go about setting it up within the 1700. Thank you again for your help, Mickie

Reply to
Mickie

Then you will do exactly what I outlined above. If it's a contiguous address space, you'll have one allow statement with the network address/range of their servers. If not, then you'll have to add in several allow statements. Follow it up with one deny any any eq smtp, and finally a permit ip any any at the end (else the explicit deny on the end will kill all traffic which you certainly don't want). This should clear it up. Here is an example:

If their addresses are 1.1.1.0 - 1.1.1.63 and your mail server is 2.2.2.2:

! IOS ACLs take a wildcard (inverse) mask: 1.1.1.0 - 1.1.1.63 is 1.1.1.0 0.0.0.63
access-list 101 permit tcp 1.1.1.0 0.0.0.63 host 2.2.2.2 eq smtp
access-list 101 deny tcp any host 2.2.2.2 eq smtp
access-list 101 permit ip any any

interface <your-external-interface>
 ip access-group 101 in

May want to get one other person on here to review that and make sure I didn't miss something. Statement one allows traffic from their range to your server. Statement two blocks any host from sending smtp traffic to your server (may want to do any any instead if you want SMTP blocked to everything else). Statement three allows everything else so that the implicit deny doesn't kill everything else.

The last will apply the ACL inbound on your outbound interface, blocking it as the traffic comes into your network.

Reply to
Trendkill
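Added example, not part of the original thread: a small Python sketch that builds the three-statement ACL described above from the provider's address blocks (IOS expects wildcard masks, so a /26 becomes 0.0.0.63) and then checks packets against it with first-match evaluation ending in the implicit deny. The function names are hypothetical, the addresses are the thread's placeholders, and the evaluator is a simplification that only understands the address forms and `eq smtp` used here.

```python
import ipaddress

def build_acl(acl_id, provider_blocks, mail_server):
    """Return IOS extended-ACL lines: permit provider SMTP, deny other SMTP, permit the rest."""
    lines = []
    for block in provider_blocks:
        net = ipaddress.ip_network(block)
        # hostmask is the inverted netmask, i.e. the wildcard mask IOS expects
        lines.append(f"access-list {acl_id} permit tcp {net.network_address} "
                     f"{net.hostmask} host {mail_server} eq smtp")
    lines.append(f"access-list {acl_id} deny tcp any host {mail_server} eq smtp")
    lines.append(f"access-list {acl_id} permit ip any any")
    return lines

def _match_addr(tokens, addr):
    """Consume one address spec (any | host A | A WILDCARD); return (matched, rest)."""
    if tokens[0] == "any":
        return True, tokens[1:]
    if tokens[0] == "host":
        return addr == ipaddress.ip_address(tokens[1]), tokens[2:]
    base, wild = (int(ipaddress.ip_address(t)) for t in tokens[:2])
    care = ~wild & 0xFFFFFFFF          # wildcard bit 1 = ignore, 0 = must match
    return (int(addr) & care) == (base & care), tokens[2:]

def evaluate(acl_lines, proto, src, dst, dport):
    """First-match evaluation; a packet matching no line hits the implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line in acl_lines:
        action, acl_proto, *rest = line.split()[2:]
        if acl_proto not in ("ip", proto):
            continue
        src_ok, rest = _match_addr(rest, src)
        dst_ok, rest = _match_addr(rest, dst)
        port_ok = not rest or (rest == ["eq", "smtp"] and dport == 25)
        if src_ok and dst_ok and port_ok:
            return action
    return "deny"

if __name__ == "__main__":
    # Constructed sample: placeholder addresses from the thread plus a documentation-range sender
    acl = build_acl(101, ["1.1.1.0/26"], "2.2.2.2")
    print("\n".join(acl))
    for pkt in [("tcp", "1.1.1.10", "2.2.2.2", 25),
                ("tcp", "198.51.100.64", "2.2.2.2", 25),
                ("tcp", "198.51.100.64", "2.2.2.2", 80)]:
        print(pkt, "->", evaluate(acl, *pkt))
```

Running the same checks against a permit line written with a netmask (255.255.255.192) instead of the wildcard shows the provider's own servers being denied, which is the quickest way to catch that mistake before applying the ACL to the interface.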

Thanks for getting back to me about this. I am trying what you have outlined and I am getting an error when I try to type in "access-list". My Cisco is telling me that it is an invalid place holder/marker.

Please let me know what I should....thanks, Mickie

Reply to
Mickie

You are typing 'config t' first, right? The access-list command should be available on any IOS router, so if this still isn't working, do a '?' at the config prompt and paste me the output.

Reply to
Trendkill

That was it! I knew I was forgetting something! Thanks for your help I got it going now! Take care, Mickie

Reply to
Mickie

Have you verified if it's working as you desired yet? Glad you are up and running.

Reply to
Trendkill

Yes, it's been working smoothly now for about two days. Thanks again for all your help! Mickie

Reply to
Mickie

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.