How to limit SMTP traffic to only one source.

I have a PIX 501 set up and am trying to limit the incoming SMTP traffic to be just from 2 ranges of IP addresses (it is an outside spam/virus filtering company). Network: 64.18.0.0 255.255.240.0
and Network: 207.172.196.110 subnet 255.255.255.240

I have the following:

hostname pixfirewall
domain-name ciscopix.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.1.250 sbs
access-list outside_in permit tcp any interface outside eq 1231
access-list outside_in permit tcp any interface outside eq pptp
access-list outside_in permit tcp any interface outside eq 5900
access-list outside_in permit tcp any interface outside eq ftp-data
access-list outside_in permit tcp any interface outside eq ftp
access-list outside_in permit tcp any interface outside eq www
access-list outside_in permit tcp any interface outside eq https
access-list outside_in permit tcp any interface outside eq 444
access-list outside_in permit tcp any interface outside eq 4125
access-list outside_in permit tcp any interface outside eq 41600
access-list outside_in permit udp any interface outside eq 24312
access-list outside_in permit tcp any interface outside eq 5100
access-list outside_in permit tcp any interface outside eq 3389
access-list outside_in permit tcp any interface outside eq 3390
access-list outside_in permit tcp any interface outside eq 3728
access-list outside_in permit tcp any interface outside eq smtp
access-list outbound permit tcp any any eq smtp
access-list outbound permit tcp host sbs any eq smtp
access-list outbound deny tcp any any eq smtp log
access-list outbound permit ip any any
access-list outbound permit tcp any any eq 5100
access-list outside_access_in permit tcp 64.18.0.0 255.255.240.0 interface outside eq smtp
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 0.0.0.0 255.255.255.255 outside
pdm location 0.0.0.0 255.255.255.0 outside
pdm location sbs 255.255.255.255 inside
pdm location 208.65.153.238 255.255.255.255 outside
pdm location 192.168.1.11 255.255.255.255 inside
pdm location 192.168.1.251 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
static (inside,outside) tcp interface www sbs www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https sbs https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 444 sbs 444 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 4125 sbs 4125 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 1231 sbs 1231 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pptp sbs pptp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5900 sbs 5900 netmask 255.255.255.255 0 0
static (inside,outside) udp 24.187.148.186 24312 sbs 24312 netmask 255.255.255.255 0 0
static (inside,outside) tcp 24.187.148.186 41600 sbs 41600 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3390 sbs 3390 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 192.168.1.251 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3728 192.168.1.11 3728 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp sbs smtp netmask 255.255.255.255 0 0
access-group outside_in in interface outside
access-group outbound in interface inside

Based on other posts I have added the line:
access-list outside_access_in permit tcp 64.18.0.0 255.255.240.0 interface outside eq smtp
but when I remove the line
access-list outside_in permit tcp any interface outside eq smtp
it does not accept any smtp traffic.
and it will not accept the line:
access-list outside_access_in permit tcp 207.172.196.110 255.255.255.240 interface outside eq smtp
(is the subnet wrong?)

Let me know the correction I need to make to limit incoming SMTP to just those 2 ranges of IP addresses.

Thanks
911bobCTO Asked:

batry_boy Commented:
>>and it will not accept the line:
>>access-list outside_access_in permit tcp 207.172.196.110 255.255.255.240 interface outside eq smtp
>>(is the subnet wrong?)

Yes, the subnet is invalid for that address given.  When using a 255.255.255.240 netmask, the valid network addresses will be in multiples of 16, e.g. 207.172.196.0, 207.172.196.16, 207.172.196.32, etc.  So the two network addresses that are closest to the address you listed are 207.172.196.96 and 207.172.196.112.  Is it possible that .110 is one of the valid public addresses from the spam filter company that you want to allow?  If so, then that address falls into the 207.172.196.96 network segment and you would then want to use:

access-list outside_in permit tcp 207.172.196.96 255.255.255.240 interface outside eq smtp

Based on your post and assuming that the above 207.172.196.96 is the correct network segment for the spam filtering company's 2nd network segment, here are the commands you need to put in to restrict the traffic in the way that you want (enter them in the order listed):

access-list outside_in permit tcp 64.18.0.0 255.255.240.0 interface outside eq smtp
access-list outside_in permit tcp 207.172.196.96 255.255.255.240 interface outside eq smtp
no access-list outside_in permit tcp any interface outside eq smtp
no access-list outside_access_in

The last command above is deleting the ACL named "outside_access_in" because it is unneeded...you aren't using it anywhere in the configuration.  You are actually using the ACL named "outside_in" applied to your outside interface in an inbound direction as referenced in the following command:

access-group outside_in in interface outside

Good luck!
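To make the two points in the answer above concrete (the subnet-address check the PIX applies to an ACL entry, and the first-match evaluation of the one ACL actually bound with `access-group`), here is an added Python example. It is not part of the original thread and not a Cisco tool: it uses the standard `ipaddress` module to reproduce the host-bits check, and a small constructed simulator of the `outside_in` / `outside_access_in` lines from the question. The service-name table and the two config snippets are constructed for the example; the PIX resolves service names itself.

```python
import ipaddress
import re

# Service names that appear in the posted ACLs, mapped to port numbers.
# Constructed for this example; the PIX resolves these names internally.
PORT_NAMES = {"smtp": 25, "www": 80, "https": 443, "ftp": 21,
              "ftp-data": 20, "pptp": 1723}

def network_of(addr, mask):
    """Network address of addr under a dotted-decimal mask
    (207.172.196.110 / 255.255.255.240 -> 207.172.196.96)."""
    net = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
    return str(net.network_address)

def acl_network_is_valid(addr, mask):
    """True only if addr has no host bits set under mask, which is the
    form the PIX accepts in an access-list entry (strict=True mirrors
    the 'host bits set' rejection)."""
    try:
        ipaddress.IPv4Network(f"{addr}/{mask}", strict=True)
        return True
    except ValueError:
        return False

# Only the entry shapes used in the question: tcp/udp, source 'any' or
# 'A.B.C.D MASK', destination 'interface outside eq PORT'.
ACE = re.compile(r"^access-list (\S+) (permit|deny) (tcp|udp) "
                 r"(any|\d+\.\d+\.\d+\.\d+ \d+\.\d+\.\d+\.\d+) "
                 r"interface outside eq (\S+)$")
WHOLE_ACL = re.compile(r"^access-list (\S+)$")
GROUP = re.compile(r"^access-group (\S+) in interface (\S+)$")

def parse(config_lines):
    """Build {acl_name: [entries]} and {interface: acl_name}, honouring
    'no access-list NAME ...' (remove one entry) and 'no access-list NAME'
    (remove the whole ACL). Entries are appended in the order entered."""
    acls, bindings = {}, {}
    for raw in config_lines:
        line = raw.strip()
        negate = line.startswith("no ")
        if negate:
            line = line[3:]
        m = ACE.match(line)
        if m:
            name, action, proto, src, port = m.groups()
            entry = (action, proto, src, PORT_NAMES.get(port) or int(port))
            if negate:
                if name in acls and entry in acls[name]:
                    acls[name].remove(entry)
            else:
                acls.setdefault(name, []).append(entry)
            continue
        m = WHOLE_ACL.match(line)
        if m and negate:
            acls.pop(m.group(1), None)
            continue
        m = GROUP.match(line)
        if m:
            bindings[m.group(2)] = m.group(1)
    return acls, bindings

def evaluate(config_lines, src_ip, dst_port, proto="tcp"):
    """First-match decision for a packet arriving on the outside interface.
    An ACL that is defined but never bound with access-group is ignored,
    and an ACL with no matching entry ends in an implicit deny."""
    acls, bindings = parse(config_lines)
    name = bindings.get("outside")
    if name is None or name not in acls:
        return "deny"
    src = ipaddress.IPv4Address(src_ip)
    for action, aproto, asrc, aport in acls[name]:
        if aproto != proto or aport != dst_port:
            continue
        if asrc != "any":
            a, m = asrc.split()
            if src not in ipaddress.IPv4Network(f"{a}/{m}", strict=False):
                continue
        return action
    return "deny"  # implicit deny at the end of every ACL

# Constructed: the asker's failing state, with the 'any ... eq smtp' entry
# already removed and the new entry sitting in the unbound outside_access_in.
BEFORE_FIX = [
    "access-list outside_in permit tcp any interface outside eq www",
    "access-list outside_access_in permit tcp 64.18.0.0 255.255.240.0 interface outside eq smtp",
    "access-group outside_in in interface outside",
]

# Constructed: the commands from the answer, entered in the order given,
# applied on top of the original outside_in SMTP entry.
AFTER_FIX = [
    "access-list outside_in permit tcp any interface outside eq www",
    "access-list outside_in permit tcp any interface outside eq smtp",
    "access-list outside_in permit tcp 64.18.0.0 255.255.240.0 interface outside eq smtp",
    "access-list outside_in permit tcp 207.172.196.96 255.255.255.240 interface outside eq smtp",
    "no access-list outside_in permit tcp any interface outside eq smtp",
    "no access-list outside_access_in",
    "access-group outside_in in interface outside",
]

if __name__ == "__main__":
    print(network_of("207.172.196.110", "255.255.255.240"))          # 207.172.196.96
    print(acl_network_is_valid("207.172.196.110", "255.255.255.240"))  # False
    print(evaluate(BEFORE_FIX, "64.18.5.5", 25))          # deny
    print(evaluate(AFTER_FIX, "64.18.5.5", 25))           # permit
    print(evaluate(AFTER_FIX, "207.172.196.110", 25))     # permit
    print(evaluate(AFTER_FIX, "203.0.113.7", 25))         # deny
```

The simulator shows why the asker's first attempt broke mail: the entry was appended to `outside_access_in`, but only `outside_in` is bound to the outside interface, so once the `any` entry was removed nothing in the bound ACL matched port 25. Adding the two permits before removing the `any` entry, as the answer orders the commands, also means SMTP from the filtering ranges keeps matching throughout the change.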
911bobCTO (Author) Commented:
Tried it with the .96 on the bad IP/subnet and it does not work.. as soon as I take out the
no access-list outside_in permit tcp any interface outside eq smtp
statement it breaks it.

I have gone back to verify the IP addresses, but he felt just the one should be OK..

I will keep working with them to get the right IP address, just did not want you to think you were being ignored..
batry_boy Commented:
That's fine...good luck!
911bobCTO (Author) Commented:
It works as expected when I got some typos fixed.. (caused by me)

Thanks