Solved

Configure PIX for outbound NAT

Posted on 2008-10-03
9
859 Views
Last Modified: 2013-11-30
We are going to implement an IPsec policy in our domain to block outbound traffic on port 25 from all workstations. We are doing this because we recently caught a spam bot on one of our workstations that slammed outbound SMTP traffic using its own SMTP engine, and we were blacklisted.
Our Outlook clients are all configured with Internet Mail profiles (POP3) and obviously need to send mail, and by default SMTP mail is sent on port 25.
I would like to reconfigure the Outlook clients to send on a different port, let's say port 830, and then have the traffic sent to the PIX 501 on port 830 translated to port 25 so that it may reach the mail relay server. I'm not sure if this is possible or even the right route to take.
Any ideas would be greatly appreciated.
0
Question by:Dataliant
9 Comments
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22638855
Yes, this is possible, but it would require the mail server to be on a different network than the clients, i.e. not in the same VLAN or network range. Also, the traffic must traverse the ASA for this to work.
It basically consists of a static NAT statement and doesn't require IPsec. You can then deny all inbound SMTP connections on the network the client machines are in.
How big of an organization are we talking about? I don't want to overload your PIX.
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 22644063
I don't think you'd be able to do this with PIX. When you say mail profiles, is it one mail server outside (like your hosted mail service), or are we talking about public general mail (like Gmail/Yahoo etc.)?

Cheers,
Rajesh
0
 
LVL 8

Expert Comment

by:Jay_Gridley
ID: 22649825
Wouldn't it be easier to just set up your PIX so that only the mail server is allowed to use port 25 outbound?

Create an access-list with the following rules:
allowing the mail server outbound on port 25
denying all other hosts outbound on port 25
permitting all other outbound traffic (as appropriate for your organisation)

Then apply the access-list to the inside interface.

Would save you a whole lot of per workstation trouble.

Just my 2 cents.
0
 
LVL 1

Author Comment

by:Dataliant
ID: 22649842
The mail profiles that I am referring to are the individual Outlook profiles for the users.
The mail server is hosted and configured so that we currently use POP.
So basically, I want to change my outgoing mail server settings in Outlook to, let's say, 835, and I want the firewall to translate outbound traffic on port 835 to port 25 by the time it leaves.

This would be much easier if we had an Exchange server, as I could apply the IPsec policy to the OU containing all of the workstations and exclude the server, but the client cannot afford an upgrade at this time.

Also, in case you guys are wondering: the reason I am using IPsec to block outbound SMTP (port 25) traffic is because I need to block it at the workstation level, to prevent SMTP blasts. And it's more manageable, as I can apply it to certain workstations.


0
 
LVL 1

Author Comment

by:Dataliant
ID: 22649885
==== Reply to Jay ====
You are absolutely correct, and I would love to do that. Unfortunately, though, we use hosted email. I have to change the SMTP ports in Outlook on the workstations to another port and have the firewall translate to port 25.
Thanks for your intel though!
0
 
LVL 32

Accepted Solution

by:rsivanandan (earned 500 total points)
ID: 22650553
Okay, if that is the case, you still don't need to do IPsec; do the following:

Assuming your external hosted mail server ip is x.x.x.x

static(outside,inside) tcp x.x.x.x 835 x.x.x.x 25 netmask 255.255.255.255

Then configure all the outlook profiles to connect to 835.

Cheers,
Rajesh
0
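The following is an added example, not configuration from the thread or from either expert. It puts rsivanandan's static port redirection next to the inside access-list Jay_Gridley described, in PIX 6.3-style syntax (the PIX 501 tops out at 6.3). All addresses are constructed placeholders: 192.168.1.0/24 stands for the workstation LAN and 203.0.113.25 stands for the hosted mail server the thread calls x.x.x.x; the ACL name inside_in is an assumption.

```cisco
! Added example (not the page's own config). Assumed placeholders:
!   inside LAN            192.168.1.0/24
!   hosted mail server    203.0.113.25   (x.x.x.x in the thread)
!   ACL name              inside_in

! Outlook profiles point at 203.0.113.25 port 835. The static rewrites the
! destination port to 25 as the connection leaves the outside interface; the
! IP address itself is unchanged, only the port is translated.
static (outside,inside) tcp 203.0.113.25 835 203.0.113.25 25 netmask 255.255.255.255

! The inside ACL is matched against the destination as the client addressed
! it (port 835), so the redirected mail flow is permitted, while any direct
! port-25 connection from a workstation, which is what a spam bot's built-in
! SMTP engine would open, is dropped and logged.
access-list inside_in permit tcp 192.168.1.0 255.255.255.0 host 203.0.113.25 eq 835
access-list inside_in deny tcp 192.168.1.0 255.255.255.0 any eq smtp log
access-list inside_in permit ip 192.168.1.0 255.255.255.0 any
access-group inside_in in interface inside

! Checks after a client sends a message: the translation table should show the
! 835 to 25 rewrite, the connection table the outbound session on port 25, and
! the log any hits on the deny line (a denied hit is worth investigating).
show xlate
show conn
show logging
```

The ACL lines duplicate at the firewall what the author's IPsec policy enforces on each workstation, so a machine that has not received the policy yet (or one whose policy has been tampered with) still cannot reach port 25 directly, and the `log` keyword gives a central record of any attempt. As Pugglewuggle noted, this only helps for traffic that actually crosses the PIX; a host on the same segment as a mail server would not be seen.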
 
LVL 1

Author Comment

by:Dataliant
ID: 22652611
That's exactly what I was looking for! Thanks rsivanandan!

The IPsec policy blocks traffic on 25 from the workstations, so if one of them catches the package I don't have to worry about a spam bot blasting out 1500 emails a minute and getting us blacklisted.

After testing the statement and changing the ports on the Outlook clients, everything works great! Good work!
0
 
LVL 1

Author Closing Comment

by:Dataliant
ID: 31502924
Thanks again!
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 22656159
My Pleasure.

Cheers,
Rajesh
0
