Need to allow only smtp traffic from one IP

We use an outside company to filter all of our e-mail before it hits our mail server.  I need to configure my PIX firewall to only accept port 25 traffic from ip address 64.18.0.0 Mask 255.255.240.0.  
My current Access list is access-list 101 permit tcp any host 63.167.210.120 eq smtp.  63.167.210.120 being my mail server.  The problem is, when senders do not follow mx rules and send directly to my mail server, the external filtering company is bypassed.

I am assuming the access list should look like this:

access-list 101 permit tcp host 64.18.0.0 255.255.240.0 63.167.210.120 eq smtp

When I am in config mode, i have typed no access-list 101 permit tcp any host 63.167.210.120 eq smtp (this removes the line fine)
but when  try to add access-list 101 permit tcp host 64.18.0.0 255.255.240.0 63.167.210.120 eq smtp, it fails out.  Is there something wrong with my syntax??
Thanks
LVL 1
chadd25Asked:
Who is Participating?
 
Pete LongConnect With a Mentor Technical ConsultantCommented:
or

access-list 101 permit tcp 64.18.0.0 255.255.240.0 host 63.167.210.120 eq smtp
0
 
Pete LongTechnical ConsultantCommented:
try


access-list 101 permit tcp host 64.18.0.0 0.0.240.255 63.167.210.120 eq smtp
0
 
happythedogCommented:
access-list 101 permit tcp host 64.18.0.0 255.255.240.0 0.0.0.0 63.167.210.120 0.0.0.0 eq smtp is how it should read
0
Improve Your Query Performance Tuning

In this FREE six-day email course, you'll learn from Janis Griffin, Database Performance Evangelist. She'll teach 12 steps that you can use to optimize your queries as much as possible and see measurable results in your work. Get started today!

 
netspec01Connect With a Mentor Commented:
>The problem is, when senders do not follow mx rules and send directly to my mail server, the external filtering company is bypassed.

Your senders MUST use MX records.  The only scenario I can think of where this may not be appropriate might be a dedicated application that has a hard-coded ip address.  Your revised access looks good.  We are using Positini and have our MX records pointed at them.  We have more than 1000 email recipients.  Positini has been absolutely wonderful.

Do you know eho your senders are?  If so, we could bring them into this discussion thread.
0
 
chadd25Author Commented:
Thanks guys.  We are using Postini.  Accepted answer took in the PIX.  Working properly now.
0
 
lrmooreCommented:
>when  try to add access-list 101 permit tcp host 64.18.0.0 255.255.240.0 63.167.210.120 eq smtp, it fails out.  Is there something wrong with my syntax??
Yes, your syntax is wrong.

Don't use keyword "host" when referencing a subnet
>access-list 101 permit tcp host 64.18.0.0 255.255.240.0 63.167.210.120 eq smtp
                                       ^^^

As Pete correctly suggested, the correct syntax is:
   access-list 101 permit tcp 64.18.0.0 255.255.240.0 host 63.167.210.120 eq smtp
0
 
lrmooreCommented:
Dang... a minute late and a dollar short....

<8-}

- Cheers!
0
 
chadd25Author Commented:
Thanks anyway lrmoore!!  I now understand the command due to your comment.  Since I am accepting from a range of IP's, HOST is not needed since I am not accepting from only one IP.
0
 
Pete LongTechnical ConsultantCommented:
ThanQ
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.