chadd25
asked on
Need to allow only smtp traffic from one IP
We use an outside company to filter all of our e-mail before it hits our mail server. I need to configure my PIX firewall to only accept port 25 traffic from ip address 64.18.0.0 Mask 255.255.240.0.
My current access list is access-list 101 permit tcp any host 63.167.210.120 eq smtp, 63.167.210.120 being my mail server. The problem is, when senders do not follow MX rules and send directly to my mail server, the external filtering company is bypassed.
I am assuming the access list should look like this:
access-list 101 permit tcp host 64.18.0.0 255.255.240.0 63.167.210.120 eq smtp
When I am in config mode, I have typed no access-list 101 permit tcp any host 63.167.210.120 eq smtp (this removes the line fine),
but when I try to add access-list 101 permit tcp host 64.18.0.0 255.255.240.0 63.167.210.120 eq smtp, it fails out. Is there something wrong with my syntax?
Thanks
access-list 101 permit tcp host 64.18.0.0 255.255.240.0 0.0.0.0 63.167.210.120 0.0.0.0 eq smtp is how it should read
ASKER
Thanks guys. We are using Postini. Accepted answer took in the PIX. Working properly now.
>when I try to add access-list 101 permit tcp host 64.18.0.0 255.255.240.0 63.167.210.120 eq smtp, it fails out. Is there something wrong with my syntax?
Yes, your syntax is wrong.
Don't use keyword "host" when referencing a subnet
>access-list 101 permit tcp host 64.18.0.0 255.255.240.0 63.167.210.120 eq smtp
^^^
As Pete correctly suggested, the correct syntax is:
access-list 101 permit tcp 64.18.0.0 255.255.240.0 host 63.167.210.120 eq smtp
Dang... a minute late and a dollar short....
<8-}
- Cheers!
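The corrected line above is easy to get subtly wrong (a PIX access-list takes a subnet mask such as 255.255.240.0, not the IOS-style wildcard mask, and the list does nothing until an access-group binds it to the outside interface). The following Python script is an added example, not code from this thread or from Cisco: it models the PIX first-match, implicit-deny evaluation for the thread's own ACL, renders the entry in PIX syntax with host/any where the mask calls for them, and rejects masks that are not contiguous subnet masks. The sample source addresses are constructed; the provider range 64.18.0.0/255.255.240.0 and the mail server 63.167.210.120 are the thread's. Verify the filtering provider's currently published ranges before trusting the list, since they can change.

```python
import ipaddress

# Port names a PIX prints in place of numbers; only the one this thread uses.
PORT_NAMES = {25: "smtp"}


def is_subnet_mask(mask):
    """True if mask is a PIX-style subnet mask (contiguous ones from the left).

    PIX ACLs use subnet masks (255.255.240.0), not IOS wildcard masks
    (0.0.15.255), so a wildcard or a scrambled mask such as 0.0.240.255 is
    rejected instead of silently matching the wrong hosts.
    """
    m = int(ipaddress.IPv4Address(mask))
    inverted = ~m & 0xFFFFFFFF
    # The host part of a valid mask is all ones at the right: 2^k - 1.
    return inverted & (inverted + 1) == 0


def pix_network(addr, mask):
    """Network covered by an address/subnet-mask pair; mask 0.0.0.0 means any."""
    if not is_subnet_mask(mask):
        raise ValueError(f"{mask} is not a subnet mask (PIX does not take wildcard masks)")
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def render_ace(acl_name, action, proto, src, smask, dst, dmask, port=None):
    """Render one entry in PIX access-list syntax: 'host' for a /32, 'any' for 0.0.0.0."""
    def side(addr, mask):
        if mask == "0.0.0.0":
            return "any"
        if mask == "255.255.255.255":
            return f"host {addr}"
        return f"{addr} {mask}"

    line = f"access-list {acl_name} {action} {proto} {side(src, smask)} {side(dst, dmask)}"
    if port is not None:
        line += f" eq {PORT_NAMES.get(port, port)}"
    return line


def evaluate(acl, proto, src, dst, dport):
    """First-match evaluation with the implicit deny a PIX applies at the end."""
    for action, p, s_addr, s_mask, d_addr, d_mask, port in acl:
        if p != proto:
            continue
        if ipaddress.ip_address(src) not in pix_network(s_addr, s_mask):
            continue
        if ipaddress.ip_address(dst) not in pix_network(d_addr, d_mask):
            continue
        if port is not None and port != dport:
            continue
        return action
    return "deny"


# Constructed ACL mirroring the corrected line from the thread:
# filtering provider's 64.18.0.0/255.255.240.0 range -> mail server, TCP/25 only.
# Tuple layout: (action, proto, src, src_mask, dst, dst_mask, dst_port)
ACL_101 = [
    ("permit", "tcp", "64.18.0.0", "255.255.240.0", "63.167.210.120", "255.255.255.255", 25),
]


def acl_config(acl_name="101", interface="outside"):
    """Config fragment: the entries plus the access-group line that activates them."""
    lines = [render_ace(acl_name, *entry) for entry in ACL_101]
    lines.append(f"access-group {acl_name} in interface {interface}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(acl_config())
    # Constructed senders: inside the provider range, just past it, and an unrelated host.
    for src in ("64.18.4.10", "64.18.16.1", "198.51.100.7"):
        print(src, "->", evaluate(ACL_101, "tcp", src, "63.167.210.120", 25))
```

Running it prints the two config lines and shows that 64.18.4.10 is permitted while 64.18.16.1 (one address past the /20, which ends at 64.18.15.255) and 198.51.100.7 fall through to the implicit deny, which is exactly the direct-to-MX bypass the asker wants closed. Feeding the 0.0.240.255 mask from the last reply in this thread into pix_network raises ValueError rather than building a network.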
ASKER
Thanks anyway lrmoore!! I now understand the command due to your comment. Since I am accepting from a range of IP's, HOST is not needed since I am not accepting from only one IP.
ThanQ
access-list 101 permit tcp host 64.18.0.0 0.0.240.255 63.167.210.120 eq smtp