Solved

Create an access rule to block outgoing mail traffic to a non-approved mail server.

Posted on 2008-09-30
Last Modified: 2013-11-16
I need assistance creating an Access Rule in my ASA that will stop outgoing mail that is not directed to my SMTP server.

I need to create this rule through the ASDM interface, not through the console.

Attached are pictures showing the overview of the current access rules and displaying the rule creation interface.

Thanks in advance
Picture-1.png
Picture-2.png
Question by: dscl

21 Comments
 
LVL 32

Expert Comment

by:harbor235
ID: 22607644
Where is your mail server located?

harbor235 ;}
 
LVL 2

Author Comment

by:dscl
ID: 22607756
The mail server is external and addressable by a static IP, of course. I can supply the IP if needed.
 
LVL 32

Expert Comment

by:harbor235
ID: 22608339

OK, so you need to craft an ACL that:
entry #1: permits source of your internal network, destination host address is your SMTP server, protocol TCP, service equal to smtp (or port 25), all fields on the display
entry #2: denies source of your internal network, destination address any, protocol TCP, service equal to smtp (or port 25), all fields on the display
entry #3: permits source of your internal network, destination any, protocol IP, any service

Apply this in the outbound direction of your inside interface.

harbor235 ;}
 
LVL 2

Author Comment

by:dscl
ID: 22608418
I will try this this evening, harbor, and report back on the success, hopefully!!
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22608700
Exactly - if you can post a config and the IP of the server you want to block I'll just write up the commands for you
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22608739
BTW, you can send CLI commands through the ASDM. It's really easy - just click Tools > Command Line Interface.
 
LVL 2

Author Comment

by:dscl
ID: 22608784
The IP address of the mail server is:  72.3.139.147

If you could provide information on saving the access rules out I can certainly provide them.
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22608889
Yes that's what I was going to do - please post them :-)
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22608896
If you can post the actual config info - not from the ASDM - that would be better.
 
LVL 2

Author Comment

by:dscl
ID: 22621010
Hi folks, well I got things working it looks like, well mostly anyways :D

Here are the relevant sections of my config.


access-list Outside_access_out extended permit tcp any host 72.3.139.147 eq smtp
access-list Outside_access_out extended deny tcp any any eq smtp
access-list Outside_access_out extended permit ip any any

access-group Outside_access_out in interface Inside


And I have to say sending console commands through the ASDM interface is WAY easier than dealing with the damn GUI.

Anyway, my issue comes in with how I was doing testing. I had a coworker sending mail via his ATT Yahoo account that uses SSL over 465. The above firewall rules do not stop that connection, but testing over another account not utilizing SSL worked fine.

So am I missing anything here? Any recommendations?

Thanks!
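The following is an added example, not code from the original thread. It evaluates the three access-list lines posted above (and harbor235's three-entry recipe they implement) the way the ASA does: top-down, first match wins, implicit deny at the end. Run against sample flows, it shows why the SSL submission over TCP/465 is not stopped: the deny entry matches "eq smtp", i.e. destination port 25 only. EXTENDED is an assumed variant that also denies 465 and 587, so the approved host is the only reachable mail server on any of those ports (whether 72.3.139.147 actually listens on 465/587 is an assumption). Only the "permit|deny PROTO SRC DST [eq PORT]" subset of the ASA syntax is parsed, and only the port name "smtp" is mapped.

```python
"""First-match evaluation of ASA extended ACL entries (added example).

Not from the original thread. ORIGINAL is the ACL the asker posted;
EXTENDED is an assumed variant that also covers SMTPS (465) and
submission (587). The port-name table only knows "smtp".
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"smtp": 25}          # ASA accepts names or numbers after "eq"


@dataclass
class Ace:
    action: str                    # "permit" or "deny"
    proto: str                     # "ip", "tcp", "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]            # destination port, None = any


def _parse_addr(tokens):
    """Consume one ASA address spec: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]


def parse_ace(line):
    """Parse 'access-list NAME extended permit|deny PROTO SRC DST [eq PORT]'."""
    tok = line.split()
    if tok[0] != "access-list" or tok[2] != "extended":
        raise ValueError(f"unsupported line: {line}")
    action, proto = tok[3], tok[4]
    src, rest = _parse_addr(tok[5:])
    dst, rest = _parse_addr(rest)
    port = None
    if rest[:1] == ["eq"]:
        port = int(rest[1]) if rest[1].isdigit() else PORT_NAMES[rest[1]]
    return Ace(action, proto, src, dst, port)


def evaluate(acl, src_ip, dst_ip, proto, dst_port):
    """Return 'permit' or 'deny' for one flow; unmatched traffic is denied."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.port is not None and ace.port != dst_port:
            continue
        return ace.action
    return "deny"


# The ACL exactly as posted in the thread (applied "in" on the Inside interface).
ORIGINAL = [parse_ace(l) for l in """
access-list Outside_access_out extended permit tcp any host 72.3.139.147 eq smtp
access-list Outside_access_out extended deny tcp any any eq smtp
access-list Outside_access_out extended permit ip any any
""".strip().splitlines()]

# Assumed variant: the same shape, but also covering 465 and 587.
EXTENDED = [parse_ace(l) for l in """
access-list Outside_access_out extended permit tcp any host 72.3.139.147 eq smtp
access-list Outside_access_out extended permit tcp any host 72.3.139.147 eq 465
access-list Outside_access_out extended permit tcp any host 72.3.139.147 eq 587
access-list Outside_access_out extended deny tcp any any eq smtp
access-list Outside_access_out extended deny tcp any any eq 465
access-list Outside_access_out extended deny tcp any any eq 587
access-list Outside_access_out extended permit ip any any
""".strip().splitlines()]

if __name__ == "__main__":
    for name, acl in (("ORIGINAL", ORIGINAL), ("EXTENDED", EXTENDED)):
        for port in (25, 465, 587):
            print(name, "192.168.1.10 -> 203.0.113.5 tcp/%d:" % port,
                  evaluate(acl, "192.168.1.10", "203.0.113.5", "tcp", port))
```

With ORIGINAL, a flow to an arbitrary host on tcp/465 or tcp/587 falls through to "permit ip any any"; with EXTENDED it hits the added deny entries. The same evaluator can be fed any ACL copied out of `show running-config` to check a rule set before applying it.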
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22621370
Yes it is. :-) As you use the ASA more you'll begin to really like having two ways to do things. CLI (console) is better for configuring most things and quick debugging - ASDM is great for monitoring and modifying ACLs and NAT rules.
As far as your config goes - that ACL is named really strangely... that's stopping traffic coming OUT (going out to web or elsewhere) of the inside interface. You didn't change it or anything did you? That's what came right out of the config?
What is the IP of that bad server you want to block? I'll write you up a rule to block it.
Please post the entire config so I can see all that's going on. Please make sure you change your real internet IP though. Leave everything else unchanged.
You can get your config by running the following command in CLI:
show running-config
Just copy and paste that here so I can see and help.
Cheers!
 
LVL 2

Author Comment

by:dscl
ID: 22622994
When you say the ACL is named strangely, do you mean the Access Group "Outside_access_out"? I agree that is named strangely, but that is how the config was initially done, so I didn't change the naming. When I get into the office I will post the entire config after doing some editing.

As for the IP of the bad server, I'm actually okay with that one mail server being used, so the fact that it is working shouldn't be a problem. What is worrisome is that it is, though, so I can't be certain others aren't being accessed in a similar fashion.

On a side note, is there a good way to monitor the traffic on the ASA device to look for strange activity, patterns, or extreme usage? I know I can watch the traffic in real time, but it goes way too fast and is way too granular. Perhaps there is a 3rd party tool I can feed the log to and get the information back in a better format?
 
LVL 2

Author Comment

by:dscl
ID: 22624374
Okay attached is the current running config as requested.
run-config-edited.txt
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22627590
Okay - so just to let you know - with no more info as to good or bad servers, the only way to configure it to allow that IP will deny ALL other SMTP traffic to other servers... this includes people using personal email/mailer forms for websites if applicable/etc.
Is that okay? Do you still want to proceed?
 
LVL 2

Author Comment

by:dscl
ID: 22627723
Well, good servers are limited to 3 servers: the one that is already permitted in the running config and two additional ones I added this afternoon.

In addition to that, I don't think any other outbound connections should be allowed using SMTP. If people want to use personal email accounts, that's fine, but I have no problem having them send it through our mail server to do so.

Can you explain the mailer forms comment though? Web site forms should be handling mail sending on the web site's end, shouldn't they?
 
LVL 12

Accepted Solution

by:
Pugglewuggle earned 125 total points
ID: 22627972
Good! So everything is working?
Well regarding the mailer forms, the form has to send it to an SMTP server for processing. If your website is internal just test it and see if the form is working. If it's not then check the code and change the SMTP server address.
As far as logging goes, I recommend using a syslog collector like Kiwi Syslog - it's free.
http://www.kiwisyslog.com/
Just set up the following in the ASA to be sent all error-level messages:
logging enable
logging trap 3
logging host <ip address of computer kiwi is installed on>
This will make the ASA send the messages to that computer! Please note that the computer must remain on 24x7 to collect messages. I recommend putting it on a server if possible.
 
LVL 2

Author Comment

by:dscl
ID: 22628115
Thanks Puggle for the help, yes everything is working at this moment in time.  I will take a look at Kiwi and I have a server in mind I can use.  Although I wish they had a Mac daemon.  Although I could just not be lazy and manually config the existing daemon that ships on OS X.
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22628245
Yeah, the Mac syslog sucks. Here's the manual for it anyways:
http://developer.apple.com/documentation/Darwin/Reference/ManPages/man1/syslog.1.html
 
LVL 2

Author Comment

by:dscl
ID: 22628303
Yes it most certainly does, but at least it's an area I have some level of authority in.  I'm a Mac Admin for a living LOL
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22628352
Lol very nice. :)
Does that answer all of your questions?
Cheers!
 
LVL 2

Author Comment

by:dscl
ID: 22628374
Yes it does, thank you sir!
