Solved

Configure PIX for outbound nat

Posted on 2008-10-03
9
866 Views
Last Modified: 2013-11-30
We are going to implement an IP Sec policy in our domain to block outbound traffic on port 25 from all workstations. We are donig this because we recently caught a spam bot on one of our workstations that slammed outbound smtp traffic utilizing it's own smtp engine and we were black listed.
Our Outlook clients are all configured with Internet Mail profiles (POP 3) and obviously need to send mail which by default smtp mail is sent on port 25
I woulid like to reconfigure the Outlook clients to send on a different port, let's say port 830 and then have the traffic sent to the PIX 501 on port 830 translated to port 25 so that it may reach the mail relay server. I'm not sure if this is possible or even the right route to take.
Any ideas would be greatly appreciated.
0
Comment
Question by:Dataliant
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
9 Comments
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22638855
Yes, this is possible, but it would require the mail server to be on a different network than the clients... aka not in the same VLAN or network range. Also, the traffic must traverse the ASA for this to work.
It basically consists or a static NAT statement and doesn't require IPsec. You can then deny all inbound SMTP connections on the network the client machines are in.
How big of an organization are we talking about? I don't want to overload  your PIX.
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 22644063
I don't think you'd be able to do this with PIX. When you say mail profiles, is it 1 mail server outside (like your hosted mail service) or we're talking about public general mail (like gmail/yahoo etc) ???

Cheers,
Rajesh
0
 
LVL 8

Expert Comment

by:Jay_Gridley
ID: 22649825
Wouldn't it be easier to just setup your pix so that only the mailserver is allowed to use port 25 outbound?

Create an access-list with the following rules:
allowing the mailserver outbound on port 25
denying all other hosts outbound on port 25
permitting al other outbound traffic (as appropriate for your organisation)

Then apply the access-list to the inside interface.

Would save you a whole lot of per workstation trouble.

Just my 2 cents.
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 1

Author Comment

by:Dataliant
ID: 22649842
The mail profiles that I am referring to are the individual Outlook profiles for the users.
The mail server is hosted and configured so we currently use POP.
So basically, I want to change my outgoing mail server settings in Outlook to, let's say 835 and I want the firewall to translate outbound traffic on port 835 to port 25 by the time it leaves.

This would be much easier if we had an Exchange server as I could apply the IP Sec policy to the OU containing all of the workstations and exclude the server but the client cannot afford an upgrade at this time.

Also, in case you guys are wondering. The reason I am using IP Sec to block outbound SMTP (port 25 )traffic is because I need to block it at the workstation level. To prevent smtp blasts. And it's more manageable, as I can apply it to certain workstations.


0
 
LVL 1

Author Comment

by:Dataliant
ID: 22649885
==== Reply to Jay ====
You are absolutely correct. And I would love to do that. Unfortunately though, we use hosted email. I have to change the smtp ports in Outlook on the workstations to another port and have the firewall translate to port 25.
Thanks for your intel though!
0
 
LVL 32

Accepted Solution

by:
rsivanandan earned 500 total points
ID: 22650553
Okay, if that is the case, you still don't need to do ipsec, do the following;

Assuming your external hosted mail server ip is x.x.x.x

static(outside,inside) tcp x.x.x.x 835 x.x.x.x 25 netmask 255.255.255.255

Then configure all the outlook profiles to connect to 835.

Cheers,
Rajesh
0
 
LVL 1

Author Comment

by:Dataliant
ID: 22652611
That's exactly what I was looking for! Thanks rsivanandan!

The IP Sec policy blocks traffic on 25 from the workstations so if one of them catches the package I dont have to worry about a spam bot blasting out 1500 emails a minute and getting us blacklisted.  

After testing the statement and changing the ports on the Outlook clients everything works great! Good work!
0
 
LVL 1

Author Closing Comment

by:Dataliant
ID: 31502924
Thanks again!
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 22656159
My Pleasure.

Cheers,
Rajesh
0

Featured Post

Why You Need a DevOps Toolchain

IT needs to deliver services with more agility and velocity. IT must roll out application features and innovations faster to keep up with customer demands, which is where a DevOps toolchain steps in. View the infographic to see why you need a DevOps toolchain.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Resolve Outlook connectivity issues after moving mailbox to new Exchange 2016 server
You deserve ‘straight talk’ from your cloud provider about your risk, your costs, security, uptime and the processes that are in place to protect your mission-critical applications.
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question