Cisco Pix Outbound ACL

I am getting ready to implement an outbound access control list on our Cisco Pix 506e.  Our only real concern right now is blocking SMTP traffic originating from any internal host other than a mail server.  I have added a few other explicit permits just to get some counts.

I need to allow SMTP traffic from the servers with IP addresses 192.168.1.20 and 192.168.1.10.

These are the commands I am planning to run to create the ACL and activate it.  Let me know if you see anything wrong or have a suggested improvement.

access-list outbound permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list outbound permit tcp 192.168.1.0 255.255.255.0 any eq https
access-list outbound permit tcp 192.168.1.10 255.255.255.255 any eq smtp
access-list outbound permit tcp 192.168.1.20 255.255.255.255 any eq smtp
access-list outbound deny tcp 192.168.1.0 255.255.255.0 any eq smtp
access-list outbound permit ip any any

access-group outbound in interface inside
VickreyAdminAsked:
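The reason this ACL works is first-match evaluation: the two host permits for the mail servers sit above the subnet-wide SMTP deny, and everything else falls through to the permit ip any any. Below is an added example (not part of the original question or of any Cisco tool) that parses the six access-list lines from the post into a small first-match engine so the ordering can be checked offline before touching a production PIX. The test packets, the 203.0.113.x destination address and the helper names parse_acl and first_match are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# The outbound ACL exactly as written in the post. PIX syntax uses a real
# subnet mask (255.255.255.0), not the inverted wildcard mask IOS uses.
ACL_TEXT = """
access-list outbound permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list outbound permit tcp 192.168.1.0 255.255.255.0 any eq https
access-list outbound permit tcp 192.168.1.10 255.255.255.255 any eq smtp
access-list outbound permit tcp 192.168.1.20 255.255.255.255 any eq smtp
access-list outbound deny tcp 192.168.1.0 255.255.255.0 any eq smtp
access-list outbound permit ip any any
"""

# Service keywords the post uses, mapped to port numbers.
PORTS = {"www": 80, "https": 443, "smtp": 25}


@dataclass
class Entry:
    action: str                               # "permit" or "deny"
    proto: str                                # "ip", "tcp", "udp", ...
    src: Optional[ipaddress.IPv4Network]      # None means "any"
    dst: Optional[ipaddress.IPv4Network]      # None means "any"
    dport: Optional[int]                      # None means any port


def _parse_addr(tok, i):
    """Consume an address spec at tok[i]: any | host A.B.C.D | A.B.C.D MASK."""
    if tok[i] == "any":
        return None, i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1]), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2


def parse_acl(text):
    """Parse 'access-list NAME ACTION PROTO SRC [MASK] DST [MASK] [eq PORT]' lines."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] != "access-list":
            continue
        action, proto = tok[2], tok[3]
        src, i = _parse_addr(tok, 4)
        dst, i = _parse_addr(tok, i)
        dport = None
        if i < len(tok) and tok[i] == "eq":
            dport = PORTS.get(tok[i + 1]) or int(tok[i + 1])
        entries.append(Entry(action, proto, src, dst, dport))
    return entries


def first_match(entries, proto, src_ip, dst_ip, dport) -> Tuple[str, Optional[int]]:
    """Return (action, index) of the first matching entry.

    Like the PIX, an access-group with no matching entry denies the packet;
    that implicit deny is reported with index None.
    """
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for idx, e in enumerate(entries):
        if e.proto != "ip" and e.proto != proto:
            continue
        if e.src is not None and src not in e.src:
            continue
        if e.dst is not None and dst not in e.dst:
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action, idx
    return "deny", None


if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    # Constructed test packets: a mail server, a workstation relaying SMTP,
    # the same workstation browsing, and a DNS query (hits the final permit).
    for proto, src, dport in [("tcp", "192.168.1.10", 25), ("tcp", "192.168.1.50", 25),
                              ("tcp", "192.168.1.50", 443), ("udp", "192.168.1.50", 53)]:
        action, idx = first_match(acl, proto, src, "203.0.113.5", dport)
        print(f"{proto} {src} -> :{dport}  {action}  (entry {idx})")
```

Running it shows the mail server hitting entry 2, a workstation's SMTP attempt hitting the deny at entry 4, and everything else landing on the final permit. Swapping the deny above the two host permits in ACL_TEXT makes the mail server hit the deny instead, which is the ordering mistake the post's layout avoids.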
JFrederick29Commented:
That will do it.  The top two lines aren't necessary as the permit ip any any will allow it but I'm assuming these are the lines you want counter statistics from.
 
VickreyAdminAuthor Commented:
Yes the top 2 lines are just for counters.  I will add more later.  Thanks for checking this for me.  My network runs 24/7 and I could not afford to make incorrect changes to the production firewall.