Solved

How to restrict ASA 5510 using ASDM - for SMTP traffic.

Posted on 2007-03-23
Last Modified: 2012-06-21
I have an ASA 5510 that I am using as a firewall and I am having some issues with our external IP address being listed on SPAM lists. I know my email server is not relaying, so it has to be some other machine on the network. Is there a way I can figure that out?

Furthermore, I just have a couple of policies on the ASA that allow incoming traffic for Terminal Services to be directed to a specific server and, other than that, basically allow all outgoing connections (from the inside interface) to go through.

Is there some way that I can change it so that only HTTP and email can go out? And also restrict SMTP traffic to go out only if it's from my mail server IP - 192.168.x.x?

I'm not too familiar with CISCO so would prefer to use the ASDM interface if at all possible. Any help is GREATLY appreciated. Thank you so much.
Question by:cfgchiran

20 Comments

Expert Comment

by:batry_boy
In a text only forum such as this, it is much easier to give you the CLI commands that you can enter on ASA to do what you want to do.  How familiar are you with the command line?  Do you know how to get to the command line interface?

Author Comment

by:cfgchiran
My familiarity is limited, but yes, I do know how to get to it. But my concern is that if I enter something incorrectly, I could end up restricting Internet/email access for everybody. With the ASDM interface it is so much easier, though I understand what you mean by a text-only forum like this.

If there is a way to indicate the steps on the ASDM once I get to adding the ACLs (which I know how to do), I am just not sure how to allow port 25 for one server while restricting it for all other systems.

Accepted Solution

by:batry_boy (earned 500 total points)
Sure, we can try it that way.

First, you need to know that the ASA processes access list statements from the top down.  In the ASDM, they are numbered.  So, on a per interface basis, rule 1 gets processed before rule 2, then rule 3, etc.

Once you get to the ASDM ACL lists, pick a place on your inside interface (make sure you insert your statement underneath the "inside" interface section) to put your first ACE (access list entry) and add a new entry.  On the form, make sure that action is set to "permit", source is set to "any", destination is set to "any", protocol is set to "tcp" and destination port is set to "www" from the pick list.  This will allow all outbound HTTP traffic.

Next, add another ACE right behind that one under the inside interface section and make sure the action is "permit", the source is the internal IP address of your e-mail server, the destination is "any", the protocol is set to "tcp" and the destination port is set to "smtp" in the pick list.  This will restrict all outbound SMTP traffic to only be allowed from your mail server.

Click apply and you're done.  If anything is unclear in all of this, please ask questions before performing these actions.  I gave these directions from memory of the ASDM interface as I don't have one to look at right now.  :-)

Author Comment

by:cfgchiran
batry boy - thank you so much for the prompt responses.

In the Inside interface Access Rules - by default I have a rule that says Source "any", Destination "any" - Interface - Inside (Outbound), Service: IP.

I tried to add your first ACL - and set it up under

Action - permit
Apply to traffic: incoming to src interface

Source Network: IP Address selected "any"

Destination network: IP address selected "any"

Protocol and Services: TCP

Source Port: Service = any

Destination Port: Service = www

As soon as I do that - I don't have any Internet access. As a side note - when I inserted that - it inserted above the default rule stated before, which still stayed. Not something I can edit since it's a default.

I did not go any further.

Any suggestions?

Thanks again.

Author Comment

by:cfgchiran
By the way the only other rule I have is an incoming from outside to inside on port 3389 for Remote Desktop which works fine.

Assisted Solution

by:batry_boy (earned 500 total points)
You will need to also allow UDP 53 outbound from your DNS server for DNS queries.  Put in a statement before or after the one you put in for "www" and this time specify your DNS server as the source, protocol "udp" and destination port service "domain".  Then see if you can surf.

It's important to note that as soon as you apply an access list to an interface like you're doing here, there is an implicit "deny" at the end of the rule list.  This means that if you don't explicitly allow traffic in the list of rules, then it will be blocked outbound.  This is what happened when you tried to surf.  Your client tried to perform a DNS lookup by asking your DNS server for the hostname to IP address mapping and it couldn't go outbound to ask the Internet DNS root servers for a lookup.

Also, if you use an external DNS server, then you will need to change the above rule I just mentioned to use a source of "any" on your network since every client will need to be allowed to perform DNS queries externally.  Does this make sense?

You may find out that you have a lot of outbound traffic that you weren't aware of before that needs to be allowed outbound...you may hear some screams while you're trying to find all the business related outbound traffic that needs to be allowed.  Before now, it has ALL been allowed and now you're restricting all traffic EXCEPT what you put in the access list rules.

Expert Comment

by:batry_boy
You may even need to put in another rule to allow TCP 53 outbound from your DNS server.  Just make another rule and choose "tcp" for the protocol and do everything else the same as above.  :)
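As an added illustration of the top-down, first-match evaluation and the implicit deny that batry_boy describes above (this is not code from the thread; the mail server and workstation addresses are constructed placeholders, since the thread only gives 192.168.x.x), here is a small Python model of the inside-interface rule set as first applied and after the DNS and https rules were added:

```python
from dataclasses import dataclass

ANY = "any"
MAIL_SERVER = "192.168.1.25"   # constructed placeholder for the thread's 192.168.x.x
CLIENT = "192.168.1.50"        # constructed workstation address

@dataclass(frozen=True)
class Ace:
    """One access control entry, checked top-down like a numbered ASDM rule."""
    action: str   # "permit" or "deny"
    proto: str    # "tcp" or "udp"
    src: str      # source host address, or "any"
    dport: int    # destination port

@dataclass(frozen=True)
class Flow:  # an outbound connection attempt arriving on the inside interface
    proto: str
    src: str
    dport: int

def evaluate(acl, flow):
    """Return (action, rule_number) of the first matching ACE, or the implicit deny."""
    for number, ace in enumerate(acl, start=1):
        if ace.proto == flow.proto and ace.src in (ANY, flow.src) and ace.dport == flow.dport:
            return ace.action, number
    return "deny", None   # implicit deny at the end of every applied access list

# Rules from the accepted solution only.  ASA CLI equivalents:
#   access-list inside_access_in extended permit tcp any any eq www
#   access-list inside_access_in extended permit tcp host 192.168.1.25 any eq smtp
FIRST_ATTEMPT = [
    Ace("permit", "tcp", ANY, 80),
    Ace("permit", "tcp", MAIL_SERVER, 25),
]

# Rules after the follow-up: DNS over udp and tcp 53 for everyone, plus https.
WITH_DNS = FIRST_ATTEMPT + [
    Ace("permit", "udp", ANY, 53),
    Ace("permit", "tcp", ANY, 53),
    Ace("permit", "tcp", ANY, 443),
]

if __name__ == "__main__":
    # A workstation's DNS lookup hits the implicit deny under the first attempt, which is why browsing stopped.
    print(evaluate(FIRST_ATTEMPT, Flow("udp", CLIENT, 53)))  # ('deny', None)
    print(evaluate(WITH_DNS, Flow("udp", CLIENT, 53)))       # ('permit', 3)
    # Only the mail server may open SMTP; any other host trying to send mail directly is dropped.
    print(evaluate(WITH_DNS, Flow("tcp", MAIL_SERVER, 25)))  # ('permit', 2)
    print(evaluate(WITH_DNS, Flow("tcp", CLIENT, 25)))       # ('deny', None)
```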
 
Author Comment

by:cfgchiran
Thank you. I am about to try it. Will let you know how it goes.

Author Comment

by:cfgchiran
OK, web browsing is good. Thank you. I did not add the TCP 53, only the UDP. Do I need the TCP too? I have multiple internal DNS servers that clients use internally, but for Internet we use ISP DNS, so I left it "any" for both inside and outside, for UDP = Domain. Is that a security risk?

Have not tried the email yet. About to do that. But wanted to find out - my implicit rule Inside to Outside "any" on Interface: Inside (outbound) on IP service is still there. How come and what does that mean if anything?

Yes, I know I may get some screams, but I'll worry about it then. :) I am more concerned now about my domain being blacklisted.

Thank you so much.

Expert Comment

by:batry_boy
Don't worry about that one rule...does it say that it is an implicit rule?

You can go ahead and allow TCP 53 outbound because it is only used for DNS traffic...your servers may only use UDP 53, but if you go ahead and add it now you won't have to go back later because you didn't add it up front.  It won't hurt anything to put it in now.

Author Comment

by:cfgchiran
Ok email worked too. You're awesome man. Added the TCP - domain as well.

I also added https because I realized that I needed it too. :)

Here's a little curve ball though.

Our emails were getting blacklisted based on the NAT IP of the ASA unit. Prior to getting the ASA device we had an older proxy server that could not do email forwarding, so I had the email server (Exchange 2k) with two NICs. One on my LAN and the other connected to the Internet through a firewall which had another ISP-provided IP.

So basically we receive all email through that second firewall and ISP provided IP. But our email was going out and being blacklisted through the ASA. However just now when I sent the email and looked at the headers it showed that it came from the original (Still connected) IP. Any ideas?

Expert Comment

by:batry_boy
When you say "it came from the original (Still connected) IP" do you mean the ASA outside public interface IP, or the 2nd firewall's public IP?  I'm confused...

Author Comment

by:cfgchiran
Sorry - I meant that these last emails went out from the 2nd firewall's public IP. I am not sure if there is something in the mail server that routes email through the two different NICs.

Both the NICs have Internet access. One through the ASA and the second through the second firewall. Both use NAT.

Expert Comment

by:batry_boy
I thought you said that the blacklisted IP address is currently on the ASA.  Doesn't that mean you want mail to go out the other firewall?

Author Comment

by:cfgchiran
No, not really. I have other IP addresses I can use and will assign to the ASA once I know I have restricted SMTP communication through it, so whatever is on my network that is generating spam is unable to send through the ASA. Next step is to find out which system is compromised.

Ultimately I want to eliminate the second firewall and have the mail server communicate only through the ASA for both incoming and outgoing email, through port forwarding. Just had not had time to do it yet.

I assume I can do that, right, by simply having port 110 and port 25 forwarded to my internal mail server IP?

Thanks again.

Expert Comment

by:batry_boy
OK, I see now.  This becomes an Exchange configuration question on your e-mail server.  I believe you said that you're using Exchange 2K, right?  Somewhere in the configuration is a setting that tells it how to deliver e-mail.  I think you can configure it to use just straight DNS lookups of destination MX records or you can configure it to use a specific SMTP relay.  If you're using just DNS lookups for e-mail delivery, then it's using whatever DNS server you have configured on your e-mail server to lookup the MX record and then sending the e-mail straight to the IP address attached to the A record referenced in the destination e-mail domain's MX record.

If you look at the IP routing table on your e-mail server, it probably has the inside IP address of the 2nd firewall listed for its default gateway.  If you change this to the ASA's inside interface for its default route, then e-mail flow SHOULD go through the ASA and use the static translation for that internal IP address.  I haven't seen your network topology or your complete ASA config, which is why I said SHOULD...given what little I know about your setup, it may be different.  Try changing the e-mail server's default gateway and see what happens....you can always change it back to what it is currently if it doesn't fix it.  :)

Author Comment

by:cfgchiran
batry boy - Thank you again so much. You have no idea how much I appreciate your help.

One last question or actually two:

Some of my emails clearly did go through the ASA - since they got rejected because that IP was on a blacklist. But yet this time it went through the 2nd firewall's IP. I did not make any changes. That's why I was wondering.

Lastly - I should be able to have the mail server communicate directly through the ASA and only the ASA, right? All I would need is to provide port forwarding for the mail server's MX IP to the internal mail server IP on the ASA for SMTP, POP and WWW (we have web mail). Is that correct?

0
 
LVL 28

Expert Comment

by:batry_boy
Comment Utility
I have another question of my own before I can answer your first question.  Is the only connection between your internal network and the 2nd firewall through the 2nd NIC of the e-mail server?  If so, then disconnect the network cable from the 2nd NIC on the e-mail server and see if all e-mail starts getting routed through the ASA.

Once you eliminate the e-mail server's multiple routes to get to the Internet (one through its internal interface to get to the ASA and then out, the second straight to the 2nd firewall through its 2nd NIC), then you just need to make sure you have a NAT in place for your MX record public IP to point to the e-mail server's internal IP address and then configure the outside interface ACL to allow inbound TCP 25 (smtp), TCP 110 (pop3), and TCP 80 (www), and you may want to add TCP 443 (https) if you ever get a digital certificate for your web mail.  ;-)

Author Comment

by:cfgchiran
Yes, the only access from my LAN to the 2nd firewall is through the 2nd NIC of the Exchange server. I will try what you said, maybe tomorrow.

For now I am so very grateful to you for taking the time to answer my questions and being so prompt with the responses. You've been awesome. Thank you so much.

Have a great weekend.

Expert Comment

by:batry_boy
Sure, let me know how it goes!