Solved

Configure PIX for outbound NAT

Posted on 2008-10-03
9
865 Views
Last Modified: 2013-11-30
We are going to implement an IPsec policy in our domain to block outbound traffic on port 25 from all workstations. We are doing this because we recently caught a spam bot on one of our workstations that slammed outbound SMTP traffic utilizing its own SMTP engine, and we were blacklisted.
Our Outlook clients are all configured with Internet Mail profiles (POP3) and obviously need to send mail, which by default is sent via SMTP on port 25.
I would like to reconfigure the Outlook clients to send on a different port, let's say port 830, and then have the traffic sent to the PIX 501 on port 830 translated to port 25 so that it may reach the mail relay server. I'm not sure if this is possible or even the right route to take.
Any ideas would be greatly appreciated.
0
Question by:Dataliant
9 Comments
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22638855
Yes, this is possible, but it would require the mail server to be on a different network than the clients... aka not in the same VLAN or network range. Also, the traffic must traverse the ASA for this to work.
It basically consists of a static NAT statement and doesn't require IPsec. You can then deny all inbound SMTP connections on the network the client machines are in.
How big of an organization are we talking about? I don't want to overload your PIX.
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 22644063
I don't think you'd be able to do this with PIX. When you say mail profiles, is it 1 mail server outside (like your hosted mail service) or are we talking about public general mail (like Gmail/Yahoo etc.)?

Cheers,
Rajesh
0
 
LVL 8

Expert Comment

by:Jay_Gridley
ID: 22649825
Wouldn't it be easier to just set up your PIX so that only the mail server is allowed to use port 25 outbound?

Create an access-list with the following rules:
allowing the mail server outbound on port 25
denying all other hosts outbound on port 25
permitting all other outbound traffic (as appropriate for your organisation)

Then apply the access-list to the inside interface.

Would save you a whole lot of per workstation trouble.

Just my 2 cents.
0
 
LVL 1

Author Comment

by:Dataliant
ID: 22649842
The mail profiles that I am referring to are the individual Outlook profiles for the users.
The mail server is hosted and configured so we currently use POP.
So basically, I want to change my outgoing mail server settings in Outlook to, let's say, 835 and I want the firewall to translate outbound traffic on port 835 to port 25 by the time it leaves.

This would be much easier if we had an Exchange server, as I could apply the IPsec policy to the OU containing all of the workstations and exclude the server, but the client cannot afford an upgrade at this time.

Also, in case you guys are wondering: the reason I am using IPsec to block outbound SMTP (port 25) traffic is because I need to block it at the workstation level, to prevent SMTP blasts. And it's more manageable, as I can apply it to certain workstations.

0
 
LVL 1

Author Comment

by:Dataliant
ID: 22649885
==== Reply to Jay ====
You are absolutely correct. And I would love to do that. Unfortunately though, we use hosted email. I have to change the SMTP ports in Outlook on the workstations to another port and have the firewall translate to port 25.
Thanks for your intel though!
0
 
LVL 32

Accepted Solution

by:
rsivanandan earned 500 total points
ID: 22650553
Okay, if that is the case, you still don't need to do IPsec; do the following:

Assuming your external hosted mail server IP is x.x.x.x

static (outside,inside) tcp x.x.x.x 835 x.x.x.x 25 netmask 255.255.255.255

Then configure all the outlook profiles to connect to 835.

Cheers,
Rajesh
0
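A fuller PIX 6.x configuration built around Rajesh's static statement and Jay's access-list idea, added here as an example and not taken from the thread; the inside network 192.168.1.0/24, the ACL name inside_in, and x.x.x.x as the hosted mail server address are assumptions.

```cisco
! Added example (not from the thread). Assumed: inside LAN 192.168.1.0/24,
! hosted mail server x.x.x.x, PIX 6.3 syntax on a PIX 501.

! Static PAT: inside hosts see the hosted mail server on TCP 835;
! the PIX rewrites the destination port to 25 before the packet leaves.
static (outside,inside) tcp x.x.x.x 835 x.x.x.x 25 netmask 255.255.255.255

! Inside-interface ACL as a second layer beside the workstation IPsec policy:
! allow mail only through the translated port, then block direct port 25 from
! every inside host so a compromised workstation cannot reach any MTA directly.
! On PIX 6.x the inside ACL matches the destination as inside hosts see it
! (port 835), not the post-translation port 25.
access-list inside_in permit tcp 192.168.1.0 255.255.255.0 host x.x.x.x eq 835
! 'log' (PIX 6.3+) sends a syslog message per denied flow, which is exactly
! the signal a spam bot on a workstation would produce.
access-list inside_in deny tcp 192.168.1.0 255.255.255.0 any eq 25 log
access-list inside_in permit ip 192.168.1.0 255.255.255.0 any
access-group inside_in in interface inside

! Checks after a client sends mail:
!   show xlate                 - expect the static entry for x.x.x.x 835 -> 25
!   show access-list inside_in - a rising hitcnt on the deny line means an
!                                inside host tried port 25 directly
```

The deny line stays even with the host IPsec policy in place: a workstation whose IPsec policy is missing or disabled is still stopped at the firewall, and the log line tells you which one.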
 
LVL 1

Author Comment

by:Dataliant
ID: 22652611
That's exactly what I was looking for! Thanks rsivanandan!

The IPsec policy blocks traffic on 25 from the workstations, so if one of them catches the package I don't have to worry about a spam bot blasting out 1500 emails a minute and getting us blacklisted.

After testing the statement and changing the ports on the Outlook clients everything works great! Good work!
0
 
LVL 1

Author Closing Comment

by:Dataliant
ID: 31502924
Thanks again!
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 22656159
My Pleasure.

Cheers,
Rajesh
0
