Bestway IT
I have a PIX 515 firewall and want to add a line which only allows Inbound emails from a particular IP address range

The company I work for have purchased the services of a Managed Anti-Spam and Anti-Virus service who scan emails for Spam and/or Viruses before they are forwarded to us. They require us to configure our firewall in order to ensure that any SMTP traffic coming through our firewall should be from them.

Could someone please send me an example of the line which I need to add to my current configuration.

I need to restrict incoming emails from only the IP address range 168.143.177.128 - 168.143.177.191 which has a subnet mask of 255.255.255.192.

If you require any further information, please let me know.

I look forward to a response soon.

Thank you.

Shiraz
gpriceee

If you want to accept inbound from a specific ip address, use line one; otherwise replace the permit with deny and the large Xs with any (just like line 2)
access-list outside_in permit tcp 168.143.177.28 255.255.255.192 host xxx.xxx.xxx.xxx eq smtp
access-list outside_in permit tcp host xxx.xxx.xxx.xxx any eq smtp
access-list outside_in deny tcp any any eq smtp

Disregard the text in the initial line; I copied it from part of another answer I gave a while ago.

In the access-list, you're doing the following:
line 1: allowing the SPAM checker to deliver mail inbound to a specific server
line 2: allowing that same specific server to deliver mail to port 25 anywhere
line 3: keeping out the trash; this line is important because spammers will try to hit your box directly, and it also stops other compromised machines from sending on port 25: no rogue smtp servers allowed.

The order of the ACLs is important, and they should remain in the same order top to bottom.
Bestway IT (ASKER)

Dear gpriceee

Are you saying that if I add the lines below in to my PIX firewall configuration, I will only be able to receive SMTP traffic from the 168.143.177.128 address?

access-list outside_in permit tcp 168.143.177.28 255.255.255.192 host xxx.xxx.xxx.xxx eq smtp
access-list outside_in permit tcp host xxx.xxx.xxx.xxx any eq smtp
access-list outside_in deny tcp any any eq smtp

What would I need to enter if there is a range of IP addresses from which I should be able to receive emails such as below.

168.143.177.128 - 168.143.177.191

217.69.20.128 - 217.69.20.191

Both ranges have the same subnet mask but belong to two different clusters through which emails are sent to us.
Really, the mask and address they gave you creates a subnet for 168.143.178.128 that has the first usable address of 168.143.179.128
168.143.178.191 would be the broadcast address, so what they REALLY are asking is for you to allow 168.143.178.129-168.143.178.190 into your network.  The range above--which should read 128 and not 28--only allows connections from within this specific subnet, which includes all of the addresses not just one.
The second range you submitted also falls within 255.255.255.192, so you also can add that.  Here's the new ACL:
access-list outside_in permit tcp 168.143.177.128 255.255.255.192 host xxx.xxx.xxx.xxx eq smtp
access-list outside_in permit tcp 217.69.20.128 255.255.255.192 host xxx.xxx.xxx.xxx eq smtp
access-list outside_in permit tcp host xxx.xxx.xxx.xxx any eq smtp
access-list outside_in deny tcp any any eq smtp
Dear gpriceee

I have the two lines below in my current configuration.

access-list 100 permit tcp any host xx.xx.xx.xx eq smtp
access-list 100 permit tcp any host xx.xx.xx.xx eq ident

I have replaced the static IP address to which emails are forward with the xx. Both lines have the same address.

The name of the managed anti-spam/anti-virus service is Black Spider.

What happens is that after scanning for spam or viruses, Black Spider forward all SMTP traffic to the static IP address given to us by our ISP. In our present configuration this is typed in the two lines listed above.

So what I do not understand is that if Black Spider are forwarding emails to the above address marked as xx.xx.xx.xx, why would we need to type in the IP address range given to us by Black Spider seeing as that the last address from which the router accepts SMTP traffic is the xx.xx.xx.xx one.

Please accept my apologies for being an amateur here.
In the lines below, where you have put xxx.xxx.xxx.xxx, do I need to type anything in?


access-list outside_in permit tcp 168.143.177.128 255.255.255.192 host xxx.xxx.xxx.xxx eq smtp
access-list outside_in permit tcp 217.69.20.128 255.255.255.192 host xxx.xxx.xxx.xxx eq smtp
access-list outside_in permit tcp host xxx.xxx.xxx.xxx any eq smtp
access-list outside_in deny tcp any any eq smtp
Could you please let me know what exactly the lines in our current configuration below do.

access-list 100 permit tcp any host xx.xx.xx.xx eq smtp
access-list 100 permit tcp any host xx.xx.xx.xx eq ident

Please keep in mind that the xx.xx.xx.xx in both lines are the same ip address.

I look forward to your response.

Thank you.
"access-list 100 permit tcp any host xx.xx.xx.xx eq smtp"
allows the world to access that host at tcp port 25: this includes SPAMmers who send directly to your port.

"access-list 100 permit tcp any host xx.xx.xx.xx eq ident"
requires identification of the user attempting to access the server.  This command will create some performance issues on the pix and slow down your traffic.
http://www.cisco.com/warp/public/110/2.html

If you use the ACLs I gave you, you should have no problems with port 25 access.  In the ACLs, replace the xxx.xxx.xxx.xxx with the ip address of your server to which the SPAM scanner will forward your email.  The mask should be 255.255.255.255 (which is what the word "host" in the ACL means).

Really, if you want to copy the access-list and replace the name outside_in with the name of a current access-list and the xxx.xxx.xxx.xxx with the ip address of the target smtp server with the name of an access-list that has been applied to your outside interface and ensure that the ACLs are high in the list--noted by line when you enter sh access-l in config mode--you should be okay.

NOTE: if you choose to copy, edit, and paste, you should copy the ACLs into notepad, make your changes, and then paste from there.
Dear gpriceee,

If I go ahead and try out your suggested lines, does this mean I should remove the lines below from my current configuration

access-list 100 permit tcp any host xx.xx.xx.xx eq smtp
access-list 100 permit tcp any host xx.xx.xx.xx eq ident

Your help is being very much appreciated.
Yes.  

no access-list 100 permit tcp any host xx.xx.xx.xx eq smtp
no access-list 100 permit tcp any host xx.xx.xx.xx eq ident
access-list 100 permit tcp 168.143.177.128 255.255.255.192 host xxx.xxx.xxx.xxx eq smtp
access-list 100 permit tcp 217.69.20.128 255.255.255.192 host xxx.xxx.xxx.xxx eq smtp
access-list 100 permit tcp host xxx.xxx.xxx.xxx any eq smtp
access-list 100 deny tcp any any eq smtp
I have noticed that you have changed the lines

access-list outside_in permit tcp 168.143.177.128 255.255.255.192 host xxx.xxx.xxx.xxx eq smtp
access-list outside_in permit tcp 217.69.20.128 255.255.255.192 host xxx.xxx.xxx.xxx eq smtp
access-list outside_in permit tcp host xxx.xxx.xxx.xxx any eq smtp
access-list outside_in deny tcp any any eq smtp

to

access-list 100 permit tcp 168.143.177.128 255.255.255.192 host xxx.xxx.xxx.xxx eq smtp
access-list 100 permit tcp 217.69.20.128 255.255.255.192 host xxx.xxx.xxx.xxx eq smtp
access-list 100 permit tcp host xxx.xxx.xxx.xxx any eq smtp
access-list 100 deny tcp any any eq smtp

Does this mean that the name of our access-list is "100"? I cannot seem to find where this name has been defined in our current configuration, or is it defined automatically after inserting the first line beginning with the command "access-list"?

I look forward to your response.

You provided the following lines as current:
access-list 100 permit tcp any host xx.xx.xx.xx eq smtp
access-list 100 permit tcp any host xx.xx.xx.xx eq ident

At a minimum, in configuration mode, enter the following:
sh access-group

Hopefully, you'll see access-group 100 in interface outside

I was just trying to replace my arbitrary access-list name with your access-list name.
Okay.

I have typed in "sh access-group" and the response is "access-group 100 in interface outside"

Is it now safe to assume that the access list name for incoming traffic from the outside is 100?

Also, you have advised that we insert the following lines

no access-list 100 permit tcp any host xx.xx.xx.xx eq smtp
no access-list 100 permit tcp any host xx.xx.xx.xx eq ident
access-list 100 permit tcp 168.143.177.128 255.255.255.192 host xxx.xxx.xxx.xxx eq smtp
access-list 100 permit tcp 217.69.20.128 255.255.255.192 host xxx.xxx.xxx.xxx eq smtp
access-list 100 permit tcp host xxx.xxx.xxx.xxx any eq smtp
access-list 100 deny tcp any any eq smtp

Can we not just delete the first two lines, or are they mandatory?
The no in front of the first two lines does delete them.  I assumed you would want to know that command, so I threw it in there.
Yes that is fine.

Does the word "no" actually delete the line or does it just disable that particular configuration?
It removes it from the config.
Keep in mind that until you know it's working, don't do a write mem.
Once you know it's working, then do the write mem.

Also, I keep all commands and changes in notepad until I'm done, so that I can examine exactly what I did.
Yes, that is a good idea.

Two days ago I had to disable the "fixup protocol smtp 25" because of incoming email duplication and also delayed transmission of incoming emails.

For this I type in the word "no" before the beginning of the "fixup protocol smtp 25" line.

Now when I type in Write Term the whole configuration is displayed along with the "no fixup protocol smtp 25" line. Therefore this line was not actually deleted but the fixup option just disabled.

I will give your suggestion a try and let you know how I got along.

What time would you be available tomorrow so that I can may be get in touch with you in case need be.
Right now, it's 12:13 by me:
I'm usually in around 6 am or so.
Okay then.

That would be my 12:00pm.

Where are you based?
Chicago
Okay, that's cool. I am in London.

If I send you a copy of our current configuration tomorrow at my time 12:00pm, would you be able to look through this and possibly let me know where else I may need to make changes in order to get the PIX firewall working the way we want it to?
Yes, but do not include the password hashes or the actual IPs.

you can do a sh run and then change the hashes and addresses
I just found out I have to be somewhere else in the morning and might not sign in until about 8:00.  Sorry about that.
Good morning gpriceee, I hope you are well.

As per our discussion yesterday, please find below our PIX firewall configuration as it is at present.



PIX Version 5.3(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ********** encrypted
passwd ********** encrypted
hostname ++++++++++
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol sqlnet 1521
fixup protocol sip 5060
no fixup protocol smtp 25
names
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 100 permit tcp any host xxx.xxx.xxx.xxx eq smtp
access-list 100 permit tcp any host xxx.xxx.xxx.xxx eq ident
access-list 100 permit tcp any host xxx.xxx.xxx.xxx eq www
pager lines 24
logging on
no logging timestamp
no logging standby
no logging console
logging monitor debugging
logging buffered errors
no logging trap
no logging history
logging facility 20
logging queue 512
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.xxx.xxx 255.255.255.192
ip address inside xxx.xxx.xxx.xxx 255.255.240.0
ip audit info action alarm
ip audit attack action alarm
arp timeout 600
global (outside) 1 interface
nat (inside) 1 xxx.xxx.xxx.xxx 255.255.255.255 0 0
nat (inside) 2 xxx.xxx.xxx.xxx 255.255.255.255 0 0
nat (inside) 3 xxx.xxx.xxx.xxx 255.255.255.255 0 0
alias (inside) xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx 255.255.255.255
alias (inside) xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx 255.255.255.255
static (inside,outside) xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx netmask 255.255.255.255 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
isakmp identity hostname
telnet xxx.xxx.xxx.xxx 255.255.240.0 inside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:**********
: end
[OK]

After your changes,  could you please let me know of the lines which have been added or modified.

Thank you.
Hello--my flight was delayed . . . sorry.

The two lines below should be removed, and the other lines added.
access-list 100 permit tcp any host xxx.xxx.xxx.xxx eq smtp
access-list 100 permit tcp any host xxx.xxx.xxx.xxx eq ident

With the lines I gave before:
no access-list 100 permit tcp any host xx.xx.xx.xx eq smtp
no access-list 100 permit tcp any host xx.xx.xx.xx eq ident
access-list 100 permit tcp 168.143.177.128 255.255.255.192 host xxx.xxx.xxx.xxx eq smtp
access-list 100 permit tcp 217.69.20.128 255.255.255.192 host xxx.xxx.xxx.xxx eq smtp
access-list 100 permit tcp host xxx.xxx.xxx.xxx any eq smtp
access-list 100 deny tcp any any eq smtp


If you do a sh run afterwards, the changes will show in the running config. If they work, then do the wr mem.
Good morning.

You have listed the line below in your suggested configuration.

              "access-list 100 permit tcp host xxx.xxx.xxx.xxx any eq smtp"

Earlier on in our conversation yesterday you had explained that this line would do the below.

             "line 2: allowing that same specific server to deliver mail to port 25 anywhere"

I did not quite understand what you meant by the line above. When you say the word 'anywhere', do you mean anywhere on our LAN or the outside world.

I look forward to your response.

Thank you.
The line would allow your mail server to deliver mail to anywhere in the world, which is what you need--unless you only want to deliver to a specific range.

My understanding is that you are filtering on the way in and not forwarding the mail to the SPAM filter outbound.

So the ACLs will only accept mail from the SPAM filtering mail server but allow your own mail server to deliver mail to anyone.
Are you still there?  I'm answering in-between tasks here, so hang in there.
Did you apply the ACLs yet and test?
One other thing to keep in mind; some SPAM filters will allow you to configure them so that if the account does not exist in the filter, the mail will not be delivered to you.  When using the test email  you might want to ensure that your SPAM filter setup allows for the mail to be delivered.
Yes, you are right. We are not specifically forwarding emails to the SPAM filter even though when I check the SPAM filter logs, Outbound emails are being displayed.

I was hoping that you would be able to tell me how this line

              "access-list 100 permit tcp host xxx.xxx.xxx.xxx any eq smtp"

determines controlling Outbound traffic compared to this line

              "access-list 100 permit tcp 168.143.177.128 255.255.255.192 host xxx.xxx.xxx.xxx eq smtp"

which is filtering Inbound traffic.

I understand that this may be something to do with the order of words but would really appreciate it if you could give me a break down of the whole "access-list........" line.

I look forward to your response.


"access-list 100 permit tcp host xxx.xxx.xxx.xxx any eq smtp"
access-list      = command
100              = ACL name
permit           = action
tcp              = protocol
host             = host=255.255.255.255
xxx.xxx.xxx.xxx  = from machine
any              = to machine
eq smtp          = email

"168.143.177.128 255.255.255.192 host xxx.xxx.xxx.xxx eq smtp"
168.143.177.128  = from address
255.255.255.192  = now make it an address range
host             = host=255.255.255.255
xxx.xxx.xxx.xxx  = to machine
eq smtp          = email

The host means subnet mask 255.255.255.255, which means ONLY this machine.
Okay. That's been very helpful.

I shall give your suggestion a try early part of next week and let you know how I get along.

Would it be okay for me to Accept the answer once I have tried and got your suggestion working. NOT that I am doubting you.
Sure . . . no problem.
I hope all goes well for you.  After we outsourced our SPAM filtering, we ran reports and found that 70-80% of the mail had been SPAM.  Also since that time, I've noticed just how many SPAMmers attempt to bypass your MX records for delivery and try to go deliver directly to your door.

Those ACLs will make it very difficult.
Good morning gpriceee.

If we were to restrict all outbound email traffic to go via our SPAM filtering service, would the configuration below be okay?


no access-list 100 permit tcp any host xx.xx.xx.xx eq smtp
no access-list 100 permit tcp any host xx.xx.xx.xx eq ident
access-list 100 permit tcp 168.143.177.128 255.255.255.192 host xxx.xxx.xxx.xxx eq smtp
access-list 100 permit tcp 217.69.20.128 255.255.255.192 host xxx.xxx.xxx.xxx eq smtp
access-list 100 permit tcp host xxx.xxx.xxx.xxx 168.143.177.128 255.255.255.192 eq smtp
access-list 100 permit tcp host xxx.xxx.xxx.xxx 217.69.20.128 255.255.255.192 eq smtp
access-list 100 deny tcp any any eq smtp



Does the last line above "access-list 100 deny tcp any any eq smtp" deny any to any access for both Inbound and Outbound traffic? If not then what extra line would I need to insert, in order to ensure that our mail server only sends out email to the SPAM filtering service's two IP address ranges.

I look forward to your response.

Thank you.

Hello.  I'm still at the remote location, and they didn't open their office until late!
Okay . . . your ACLs are dead on.
Yes, the last line will deny inbound outbound--any any

You have a tight restriction on email, and it should really help to protect you from SPAM and some other issues.

Is your SPAM filtering service ready to accept your traffic to them from your server?
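As an added example (not part of the thread, and not PIX code), the Python below parses the final access-list agreed above and evaluates sample SMTP flows against it with first-match semantics, and works out which addresses a "network mask" pair such as 168.143.177.128 255.255.255.192 actually covers. The mail server address 203.0.113.25 is a constructed stand-in for the masked xxx.xxx.xxx.xxx; the list is evaluated in isolation, without modelling the interface and direction the PIX binds it to.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed stand-in for the mail server masked as xxx.xxx.xxx.xxx in the thread.
MAIL_SERVER = "203.0.113.25"

# The final access-list from the thread, with the placeholder filled in.
PIX_ACL = f"""
access-list 100 permit tcp 168.143.177.128 255.255.255.192 host {MAIL_SERVER} eq smtp
access-list 100 permit tcp 217.69.20.128 255.255.255.192 host {MAIL_SERVER} eq smtp
access-list 100 permit tcp host {MAIL_SERVER} 168.143.177.128 255.255.255.192 eq smtp
access-list 100 permit tcp host {MAIL_SERVER} 217.69.20.128 255.255.255.192 eq smtp
access-list 100 deny tcp any any eq smtp
"""

PORT_NAMES = {"smtp": 25, "ident": 113, "www": 80}

@dataclass
class Ace:
    action: str                  # permit / deny
    proto: str                   # tcp, udp, ip ...
    src: ipaddress.IPv4Network   # "from machine"
    dst: ipaddress.IPv4Network   # "to machine"
    dport: Optional[int]         # destination port from "eq <port>", None if absent

def range_of(addr: str, mask: str) -> Tuple[str, str]:
    """First (network) and last (broadcast) address covered by 'addr mask'."""
    net = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
    return str(net.network_address), str(net.broadcast_address)

def _take_addr(tok: List[str]) -> ipaddress.IPv4Network:
    """Consume one PIX address spec: 'any', 'host A.B.C.D', or 'A.B.C.D MASK'."""
    t = tok.pop(0)
    if t == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if t == "host":  # host == mask 255.255.255.255: only this one machine
        return ipaddress.IPv4Network(f"{tok.pop(0)}/32")
    return ipaddress.IPv4Network(f"{t}/{tok.pop(0)}", strict=False)  # address + mask = range

def parse_acl(text: str) -> List[Ace]:
    """Parse 'access-list <name> <action> <proto> <src> <dst> [eq <port>]' lines."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        action, proto, rest = tok[2], tok[3], tok[4:]
        src, dst = _take_addr(rest), _take_addr(rest)
        dport = None
        if rest[:1] == ["eq"]:
            dport = int(rest[1]) if rest[1].isdigit() else PORT_NAMES[rest[1]]
        aces.append(Ace(action, proto, src, dst, dport))
    return aces

def evaluate(aces: List[Ace], src: str, dst: str, dport: int, proto: str = "tcp") -> str:
    """First matching entry wins; no match at all means the implicit deny at the end."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for ace in aces:
        if (ace.proto in (proto, "ip") and s in ace.src and d in ace.dst
                and (ace.dport is None or ace.dport == dport)):
            return ace.action
    return "deny"
```

`range_of("168.143.177.28", "255.255.255.192")` returns the 168.143.177.0 to .63 block, which is why the earlier "28" typo would have admitted the wrong range.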

The answer to this would be yes.

I say this because right now we have a MailSweeper system which forwards all emails to the ip address range given to us by the SPAM filtering service. However, this setting is done through the MailSweeper software.

I do not think that there are any restrictions configured on the firewall for outbound traffic.

Also, at present I can confirm that outbound traffic is directed through the SPAM filtering service because it shows in their logs.

I shall speak to you on Monday after testing the suggested configurations.

Thank you.

Have a good weekend.
Hello.  How did it go?
Hello. I  hope you had a good weekend.

I have just tested your suggested configuration and all seems to be going really well.

I have monitored Inbound email for the last half an hour and the results have been positive.

The points have been increased from 50 to 200 as you have been really helpful and VERY patient.

I am not too familiar with Experts Exchange, but would there be a way to specifically ask you a question through this web page regarding PIX Firewalls in the future or would I have to publish it for all to see and wait to see who answers?

I look forward to your response.
ASKER CERTIFIED SOLUTION
gpriceee