Solved

Configure PIX for outbound nat

Posted on 2008-10-03
860 Views
Last Modified: 2013-11-30
We are going to implement an IPsec policy in our domain to block outbound traffic on port 25 from all workstations. We are doing this because we recently caught a spam bot on one of our workstations that slammed outbound SMTP traffic utilizing its own SMTP engine, and we were blacklisted.
Our Outlook clients are all configured with Internet Mail profiles (POP3) and obviously need to send mail, and by default SMTP mail is sent on port 25.
I would like to reconfigure the Outlook clients to send on a different port, let's say port 830, and then have the traffic sent to the PIX 501 on port 830 translated to port 25 so that it may reach the mail relay server. I'm not sure if this is possible or even the right route to take.
Any ideas would be greatly appreciated.
Question by:Dataliant
9 Comments
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22638855
Yes, this is possible, but it would require the mail server to be on a different network than the clients... aka not in the same VLAN or network range. Also, the traffic must traverse the ASA for this to work.
It basically consists of a static NAT statement and doesn't require IPsec. You can then deny all inbound SMTP connections on the network the client machines are in.
How big of an organization are we talking about? I don't want to overload your PIX.
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 22644063
I don't think you'd be able to do this with PIX. When you say mail profiles, is it one mail server outside (like your hosted mail service), or are we talking about public general mail (like Gmail/Yahoo etc.)?

Cheers,
Rajesh
0
 
LVL 8

Expert Comment

by:Jay_Gridley
ID: 22649825
Wouldn't it be easier to just set up your PIX so that only the mail server is allowed to use port 25 outbound?

Create an access-list with the following rules:
allowing the mail server outbound on port 25
denying all other hosts outbound on port 25
permitting all other outbound traffic (as appropriate for your organisation)

Then apply the access-list to the inside interface.

Would save you a whole lot of per workstation trouble.

Just my 2 cents.
0
 
LVL 1

Author Comment

by:Dataliant
ID: 22649842
The mail profiles that I am referring to are the individual Outlook profiles for the users.
The mail server is hosted and configured so we currently use POP.
So basically, I want to change my outgoing mail server settings in Outlook to, let's say, 835, and I want the firewall to translate outbound traffic on port 835 to port 25 by the time it leaves.

This would be much easier if we had an Exchange server, as I could apply the IPsec policy to the OU containing all of the workstations and exclude the server, but the client cannot afford an upgrade at this time.

Also, in case you guys are wondering: the reason I am using IPsec to block outbound SMTP (port 25) traffic is because I need to block it at the workstation level, to prevent SMTP blasts. And it's more manageable, as I can apply it to certain workstations.


0
 
LVL 1

Author Comment

by:Dataliant
ID: 22649885
==== Reply to Jay ====
You are absolutely correct. And I would love to do that. Unfortunately, though, we use hosted email. I have to change the SMTP ports in Outlook on the workstations to another port and have the firewall translate to port 25.
Thanks for your intel though!
0
 
LVL 32

Accepted Solution

by:
rsivanandan earned 500 total points
ID: 22650553
Okay, if that is the case, you still don't need to do IPsec; do the following:

Assuming your external hosted mail server ip is x.x.x.x

static(outside,inside) tcp x.x.x.x 835 x.x.x.x 25 netmask 255.255.255.255

Then configure all the Outlook profiles to connect to 835.

Cheers,
Rajesh
0
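The static translation above, combined with Jay_Gridley's inside access-list so that the PIX drops raw port 25 from workstations even if the IPsec policy is missing on one of them. This is an added example, not configuration from the thread; it assumes PIX 6.x syntax as found on a PIX 501, an inside LAN of 192.0.2.0/24 and a hosted mail server at 203.0.113.25 (both constructed placeholders for the thread's x.x.x.x), and that the inside ACL is matched against the mapped port (835) as seen on the inside interface.

```cisco
! Added example (not from the thread). Placeholders:
!   inside LAN         192.0.2.0/24   (constructed)
!   hosted mail server 203.0.113.25   (stands in for x.x.x.x above)

! 1. Outside NAT static: the outside host's port 25 appears on the inside
!    as port 835. Clients send to 203.0.113.25:835; the PIX rewrites the
!    destination port to 25 before the packet leaves the outside interface.
static (outside,inside) tcp 203.0.113.25 835 203.0.113.25 25 netmask 255.255.255.255

! 2. Inside ACL as a second layer behind the workstation IPsec policy:
!    only the translated mail path is permitted, direct port 25 from any
!    inside host is denied and logged, everything else stays as before.
!    (Assumption: the ACL sees the mapped port, 835, on the inside interface.)
access-list inside_out permit tcp 192.0.2.0 255.255.255.0 host 203.0.113.25 eq 835
access-list inside_out deny   tcp 192.0.2.0 255.255.255.0 any eq smtp log
access-list inside_out permit ip  192.0.2.0 255.255.255.0 any
access-group inside_out in interface inside

! 3. Verify: the translation is installed, and the deny line's hit count
!    climbs when a workstation (or a spam bot) tries port 25 directly.
show xlate
show access-list inside_out
```

The logged denies from the second ACL line are the signal that a host is bypassing Outlook's configured port, which is exactly the spam-bot case the question describes.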
 
LVL 1

Author Comment

by:Dataliant
ID: 22652611
That's exactly what I was looking for! Thanks rsivanandan!

The IPsec policy blocks traffic on 25 from the workstations, so if one of them catches the package I don't have to worry about a spam bot blasting out 1500 emails a minute and getting us blacklisted.

After testing the statement and changing the ports on the Outlook clients everything works great! Good work!
0
 
LVL 1

Author Closing Comment

by:Dataliant
ID: 31502924
Thanks again!
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 22656159
My Pleasure.

Cheers,
Rajesh
0