Solved

How to restrict ASA 5510 using ASDM - for SMTP traffic.

Posted on 2007-03-23
20
Medium Priority
1,694 Views
Last Modified: 2012-06-21
I have an ASA 5510 that I am using as a firewall and I am having some issues with our external IP address being listed on SPAM lists. I know my email server is not relaying, so it has to be some other machine on the network. Is there a way I can figure that out?

Furthermore I just have a couple of policies on the ASA that allow incoming traffic for Terminal Services to be directed to a specific server and other than that basically allow all outgoing connections (from inside interface) to go through.

Is there some way that I can change it so that only HTTP and EMAIL can go out? And also restrict SMTP traffic to go only if it's from my mail server IP - 192.168.x.x?

I'm not too familiar with CISCO so would prefer to use the ASDM interface if at all possible. Any help is GREATLY appreciated. Thank you so much.
0
Question by:cfgchiran
20 Comments
 
LVL 28

Expert Comment

by:batry_boy
ID: 18783892
In a text only forum such as this, it is much easier to give you the CLI commands that you can enter on ASA to do what you want to do.  How familiar are you with the command line?  Do you know how to get to the command line interface?
0
 
LVL 1

Author Comment

by:cfgchiran
ID: 18783913
My familiarity is limited, but yes I do know how to get to it. But my concern is if I enter something incorrectly, I could end up restricting Internet/Email access to everybody. With the ASDM interface it is so much easier, though I understand what you mean by a text only forum like this.

If there is way to indicate the steps on the ASDM once I get to adding the ACLs (which I know how to do), I am just not sure how to allow port 25 for one server while restricting for all other systems.
0
 
LVL 28

Accepted Solution

by:
batry_boy earned 2000 total points
ID: 18783953
Sure, we can try it that way.

First, you need to know that the ASA processes access list statements from the top down.  In the ASDM, they are numbered.  So, on a per interface basis, rule 1 gets processed before rule 2, then rule 3, etc.

Once you get to the ASDM ACL lists, pick a place on your inside interface (make sure you insert your statement underneath the "inside" interface section) to put your first ACE (access list entry) and add a new entry.  On the form, make sure that action is set to "permit", source is set to "any", destination is set to "any", protocol is set to "tcp" and destination port is set to "www" from the pick list.  This will allow all outbound HTTP traffic.

Next, add another ACE right behind that one under the inside interface section and make sure the action is "permit", the source is the internal IP address of your e-mail server, the destination is "any", the protocol is set to "tcp" and the destination port is set to "smtp" in the pick list.  This will restrict all outbound SMTP traffic to only be allowed from your mail server.

Click apply and you're done.  If anything is unclear in all of this, please ask questions before performing these actions.  I gave these directions from memory of the ASDM interface as I don't have one to look at right now.  :-)
0
 
LVL 1

Author Comment

by:cfgchiran
ID: 18784031
batry boy - thank you so much for the prompt responses.

In the Inside interface Access Rules - by default I have a rule that says Source "any", Destination "any" - Interface - Inside (Outbound), Service: IP.

I tried to add your first ACL - and set it up under

Action - permit
Apply to traffic: incoming to src interface

Source Network: IP Address selected "any"

Destination network: IP address selected "any"

Protocol and Services: TCP

Source Port: Service = any

Destination Port: Service = www

As soon as I do that - I don't have any Internet access. As a side note - when I inserted that - it inserted above the default rule stated before, which still stayed. Not something I can edit since it's a default.

I did not go any further.

Any suggestions?

Thanks again.
0
 
LVL 1

Author Comment

by:cfgchiran
ID: 18784035
By the way the only other rule I have is an incoming from outside to inside on port 3389 for Remote Desktop which works fine.
0
 
LVL 28

Assisted Solution

by:batry_boy
batry_boy earned 2000 total points
ID: 18784056
You will need to also allow UDP 53 outbound from your DNS server for DNS queries.  Put in a statement before or after the one you put in for "www" and this time specify your DNS server as the source, protocol "udp" and destination port service "domain".  Then see if you can surf.

It's important to note that as soon as you apply an access list to an interface like you're doing here, there is an implicit "deny" at the end of the rule list.  This means that if you don't explicitly allow traffic in the list of rules, then it will be blocked outbound.  This is what happened when you tried to surf.  Your client tried to perform a DNS lookup by asking your DNS server for the hostname to IP address mapping and it couldn't go outbound to ask the Internet DNS root servers for a lookup.

Also, if you use an external DNS server, then you will need to change the above rule I just mentioned to use a source of "any" on your network since every client will need to be allowed to perform DNS queries externally.  Does this make sense?

You may find out that you have a lot of outbound traffic that you weren't aware of before that needs to be allowed outbound...you may hear some screams while you're trying to find all the business related outbound traffic that needs to be allowed.  Before now, it has ALL been allowed and now you're restricting all traffic EXCEPT what you put in the access list rules.
0
 
LVL 28

Expert Comment

by:batry_boy
ID: 18784058
You may even need to put in another rule to allow TCP 53 outbound from your DNS server.  Just make another rule and choose "tcp" for the protocol and do everything else the same as above.  :)
0
 
LVL 1

Author Comment

by:cfgchiran
ID: 18784067
Thank you. I am about to try it. Will let you know how it goes.
0
 
LVL 1

Author Comment

by:cfgchiran
ID: 18784077
ok web browsing is good. Thank you. I did not add the TCP 53. Only the UDP. Do I need the TCP too? I have multiple internal DNS servers that clients use, internally, but for Internet we use ISP DNS so I left it "any" for both inside and outside, for UDP = Domain. Is that a security risk?

Have not tried the email yet. About to do that. But wanted to find out - my implicit rule Inside to Outside "any" on Interface: Inside (outbound) on IP service is still there. How come and what does that mean if anything?

Yes, I know I may get some screams, but I'll worry about it then. :) I am more concerned now about my domain being blacklisted.

Thank you so much.
0
 
LVL 28

Expert Comment

by:batry_boy
ID: 18784081
Don't worry about that one rule...does it say that it is an implicit rule?

You can go ahead and allow TCP 53 outbound because it is only used for DNS traffic...your servers may only use UDP 53, but if you go ahead and add it now you won't have to go back later because you didn't add it up front.  It won't hurt anything to put it in now.
0
 
LVL 1

Author Comment

by:cfgchiran
ID: 18784103
Ok email worked too. You're awesome man. Added the TCP - domain as well.

I also added https cause I realized that I needed it too. :)

Here's a little curve ball though.

Our emails were getting blacklisted based on the NAT IP of the ASA unit. Prior to getting the ASA device we had an older proxy server that could not do email forwarding so I had the email server (Exchange 2k) with two NICs. One on my LAN and the other connected to the Internet through a firewall which had another ISP provided IP.

So basically we receive all email through that second firewall and ISP provided IP. But our email was going out and being blacklisted through the ASA. However just now when I sent the email and looked at the headers it showed that it came from the original (Still connected) IP. Any ideas?
0
 
LVL 28

Expert Comment

by:batry_boy
ID: 18784125
When you say "it came from the original (Still connected) IP" do you mean the ASA outside public interface IP, or the 2nd firewall's public IP?  I'm confused...
0
 
LVL 1

Author Comment

by:cfgchiran
ID: 18784133
Sorry - I meant that these last emails went out from the 2nd firewall's public IP. I am not sure if there is something in the mail server that routes email through the two different NICs.

Both the NICs have Internet access. One through the ASA and the second through the second firewall. Both use NAT.
0
 
LVL 28

Expert Comment

by:batry_boy
ID: 18784137
I thought you said that the blacklisted IP address is currently on the ASA.  Doesn't that mean you want mail to go out the other firewall?
0
 
LVL 1

Author Comment

by:cfgchiran
ID: 18784147
No not really. I have other IP addresses I can use and will assign to the ASA once I know I have restricted SMTP communication through it, so whatever is on my network that is generating spam is unable to send through the ASA. Next step is to find out which system is compromised.

Ultimately I want to eliminate the second firewall and have the mail server communicate only through the ASA for both incoming and outgoing email, through port forwarding. Just had not had time to do it yet.

I assume I can do that right, by simply having port 110 and port 25 forwarded to my internal mail server IP?

Thanks again.
0
 
LVL 28

Expert Comment

by:batry_boy
ID: 18784162
OK, I see now.  This becomes an Exchange configuration question on your e-mail server.  I believe you said that you're using Exchange 2K, right?  Somewhere in the configuration is a setting that tells it how to deliver e-mail.  I think you can configure it to use just straight DNS lookups of destination MX records or you can configure it to use a specific SMTP relay.  If you're using just DNS lookups for e-mail delivery, then it's using whatever DNS server you have configured on your e-mail server to lookup the MX record and then sending the e-mail straight to the IP address attached to the A record referenced in the destination e-mail domain's MX record.

If you look at the IP routing table on your e-mail server, it probably has the inside IP address of the 2nd firewall listed for its default gateway.  If you change this to the ASA's inside interface for its default route, then e-mail flow SHOULD go through the ASA and use the static translation for that internal IP address.  I haven't seen your network topology or your complete ASA config, which is why I said SHOULD...given what little I know about your setup, it may be different.  Try changing the e-mail server's default gateway and see what happens....you can always change it back to what it is currently if it doesn't fix it.  :)
0
 
LVL 1

Author Comment

by:cfgchiran
ID: 18784171
batry boy - Thank you again so much. You have no idea how much I appreciate your help.

One last question or actually two:

Some of my emails clearly did go through the ASA - since they got rejected because that IP was on a blacklist. But yet this time it went through the 2nd firewall's IP. I did not make any changes. That's why I was wondering.

Lastly - I should be able to have the mail server communicate directly through the ASA and only the ASA right? All I would need is to provide port forwarding for the mail server's MX IP to the internal mail server IP on the ASA for SMTP, POP and WWW (we have web mail.)? Is that correct?

0
 
LVL 28

Expert Comment

by:batry_boy
ID: 18784176
I have another question of my own before I can answer your first question.  Is the only connection between your internal network and the 2nd firewall through the 2nd NIC of the e-mail server?  If so, then disconnect the network cable from the 2nd NIC on the e-mail server and see if all e-mail starts getting routed through the ASA.

Once you eliminate the e-mail server's multiple routes to get to the Internet (one through its internal interface to get to the ASA and then out, the second straight to the 2nd firewall through its 2nd NIC), then you just need to make sure you have a NAT in place for your MX record public IP to point to the e-mail server's internal IP address and then configure the outside interface ACL to allow inbound TCP 25 (smtp), TCP 110 (pop3), and TCP 80 (www), and you may want to add TCP 443 (https) if you ever get a digital certificate for your web mail.  ;-)
0
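As an added illustration of the two ACL discussions in this thread (the outbound rules batry_boy laid out for the inside interface, including the implicit deny that broke browsing until DNS was permitted, and the inbound rules he suggests for the outside interface once the MX public IP is NATted to the mail server), here is a small Python model of the ASA's first-match evaluation. It is not code from the thread; the 192.168.1.25 and 203.0.113.25 addresses are constructed placeholders for the poster's elided mail-server and MX IPs.

```python
# Added example, not from the thread: a minimal model of how the ASA
# evaluates an access list applied to an interface. Rules are checked
# top-down (the ASDM rule number), the first match wins, and an implicit
# "deny ip any any" sits at the end of every list.
import ipaddress
from dataclasses import dataclass
from typing import Optional

MAIL_SERVER = "192.168.1.25"   # placeholder for the poster's 192.168.x.x mail server
MAIL_PUBLIC = "203.0.113.25"   # placeholder for the MX public IP (documentation range)

@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    proto: str                  # "tcp", "udp" or "ip" (ip matches any protocol)
    src: str                    # "any", a host IP or a CIDR
    dst: str
    dport: Optional[int] = None # None = any destination port

def _match_addr(spec, addr):
    return spec == "any" or addr in ipaddress.ip_network(spec, strict=False)

def _match(rule, proto, src, dst, dport):
    if rule.proto != "ip" and rule.proto != proto:
        return False
    if rule.dport is not None and rule.dport != dport:
        return False
    return _match_addr(rule.src, src) and _match_addr(rule.dst, dst)

def evaluate(acl, proto, src, dst, dport):
    """Return (action, rule_number); rule_number is None for the implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for number, rule in enumerate(acl, start=1):
        if _match(rule, proto, src, dst, dport):
            return (rule.action, number)
    return ("deny", None)

# Inside interface: what the thread ends up with for traffic leaving the LAN.
INSIDE_ACL = [
    Rule("permit", "tcp", "any", "any", 80),          # www
    Rule("permit", "tcp", "any", "any", 443),         # https, added later in the thread
    Rule("permit", "tcp", MAIL_SERVER, "any", 25),    # smtp only from the mail server
    Rule("permit", "udp", "any", "any", 53),          # domain; source "any" because ISP DNS is used
    Rule("permit", "tcp", "any", "any", 53),
]

# Outside interface: inbound rules for the NATted MX address (matched on the public IP here).
OUTSIDE_ACL = [Rule("permit", "tcp", "any", MAIL_PUBLIC, p) for p in (25, 110, 80, 443)]
```

Evaluating the first rule alone against a UDP 53 lookup returns the implicit deny, which is exactly the state the poster hit before the "domain" rule was added.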
 
LVL 1

Author Comment

by:cfgchiran
ID: 18784224
Yes the only access for my LAN to the 2nd firewall is through the 2nd NIC of the Exchange server. I will try what you said maybe tomorrow.

For now I am so very grateful to you for taking the time to answer my questions and being so prompt with the responses. You've been awesome. Thank you so much.

Have a great weekend.
0
 
LVL 28

Expert Comment

by:batry_boy
ID: 18784231
Sure, let me know how it goes!
0
