Solved

Configure PIX for outbound nat

Posted on 2008-10-03
870 Views
Last Modified: 2013-11-30
We are going to implement an IPsec policy in our domain to block outbound traffic on port 25 from all workstations. We are doing this because we recently caught a spam bot on one of our workstations that slammed outbound SMTP traffic using its own SMTP engine, and we were blacklisted.
Our Outlook clients are all configured with Internet Mail profiles (POP3) and obviously need to send mail, which by default is sent over SMTP on port 25.
I would like to reconfigure the Outlook clients to send on a different port, let's say port 830, and then have the traffic sent to the PIX 501 on port 830 translated to port 25 so that it may reach the mail relay server. I'm not sure if this is possible or even the right route to take.
Any ideas would be greatly appreciated.
Question by:Dataliant
9 Comments
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22638855
Yes, this is possible, but it would require the mail server to be on a different network than the clients, aka not in the same VLAN or network range. Also, the traffic must traverse the ASA for this to work.
It basically consists of a static NAT statement and doesn't require IPsec. You can then deny all inbound SMTP connections on the network the client machines are in.
How big of an organization are we talking about? I don't want to overload your PIX.
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 22644063
I don't think you'd be able to do this with PIX. When you say mail profiles, is it one mail server outside (like your hosted mail service), or are we talking about public general mail (like Gmail/Yahoo etc.)?

Cheers,
Rajesh
0
 
LVL 8

Expert Comment

by:Jay_Gridley
ID: 22649825
Wouldn't it be easier to just set up your PIX so that only the mail server is allowed to use port 25 outbound?

Create an access-list with the following rules:
allowing the mail server outbound on port 25
denying all other hosts outbound on port 25
permitting all other outbound traffic (as appropriate for your organisation)

Then apply the access-list to the inside interface.

Would save you a whole lot of per workstation trouble.

Just my 2 cents.
0
 
LVL 1

Author Comment

by:Dataliant
ID: 22649842
The mail profiles that I am referring to are the individual Outlook profiles for the users.
The mail server is hosted and configured so we currently use POP.
So basically, I want to change my outgoing mail server settings in Outlook to, let's say, 835, and I want the firewall to translate outbound traffic on port 835 to port 25 by the time it leaves.

This would be much easier if we had an Exchange server, as I could apply the IPsec policy to the OU containing all of the workstations and exclude the server, but the client cannot afford an upgrade at this time.

Also, in case you guys are wondering, the reason I am using IPsec to block outbound SMTP (port 25) traffic is because I need to block it at the workstation level, to prevent SMTP blasts. And it's more manageable, as I can apply it to certain workstations.


0
 
LVL 1

Author Comment

by:Dataliant
ID: 22649885
==== Reply to Jay ====
You are absolutely correct, and I would love to do that. Unfortunately, though, we use hosted email. I have to change the SMTP ports in Outlook on the workstations to another port and have the firewall translate to port 25.
Thanks for your intel though!
0
 
LVL 32

Accepted Solution

by: rsivanandan (earned 2000 total points)
ID: 22650553
Okay, if that is the case, you still don't need to do IPsec; do the following.

Assuming your external hosted mail server IP is x.x.x.x:

static (outside,inside) tcp x.x.x.x 835 x.x.x.x 25 netmask 255.255.255.255

Then configure all the outlook profiles to connect to 835.

Cheers,
Rajesh
0
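The two mechanisms discussed in this thread, the port-translating static in rsivanandan's accepted answer and the inside-interface access list Jay_Gridley suggested, combined into one worked PIX 6.3 configuration. This is an added example, not configuration from the thread or from the poster's PIX. It assumes 203.0.113.25 as the hosted relay (standing in for x.x.x.x), 192.168.1.0/24 as the inside LAN, an access list named inside_out, and an already-present nat/global pair for ordinary outbound PAT; the lines starting with ! are annotations.

```cisco
! Added example (assumed addresses), PIX 6.3 syntax.
! Existing outbound PAT, assumed to be in place already:
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface

! Present the hosted relay's real port 25 to the inside as port 835.
! Form: static (real_ifc,mapped_ifc) tcp mapped_ip mapped_port real_ip real_port netmask mask
static (outside,inside) tcp 203.0.113.25 835 203.0.113.25 25 netmask 255.255.255.255

! Inside access list, evaluated against the address and port the clients use.
! 1. Let the workstations reach the relay on the mapped port 835.
access-list inside_out permit tcp 192.168.1.0 255.255.255.0 host 203.0.113.25 eq 835
! 2. Drop and log any direct SMTP from the LAN (a spam bot using its own engine).
access-list inside_out deny tcp 192.168.1.0 255.255.255.0 any eq smtp log
! 3. Everything else outbound as before.
access-list inside_out permit ip 192.168.1.0 255.255.255.0 any
access-group inside_out in interface inside
```

With this in place, Outlook is pointed at 203.0.113.25 port 835 and the PIX rewrites the destination to port 25 as the connection leaves. The access list matches on port 835, not 25, because that is what the inside hosts actually address. The deny entry carries `log`, so a workstation that again tries to speak SMTP directly shows up in syslog rather than silently failing, which is worth having even with the host-level IPsec block in place. A quick check from a workstation is `telnet 203.0.113.25 835`, which should return the relay's 220 banner, while `telnet 203.0.113.25 25` should be refused. If an internal relay ever needs direct port 25, a `permit tcp host <relay> any eq smtp` entry goes before the deny line.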
 
LVL 1

Author Comment

by:Dataliant
ID: 22652611
That's exactly what I was looking for! Thanks rsivanandan!

The IPsec policy blocks traffic on 25 from the workstations, so if one of them catches the package I don't have to worry about a spam bot blasting out 1500 emails a minute and getting us blacklisted.

After testing the statement and changing the ports on the Outlook clients everything works great! Good work!
0
 
LVL 1

Author Closing Comment

by:Dataliant
ID: 31502924
Thanks again!
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 22656159
My Pleasure.

Cheers,
Rajesh
0