Cisco Pix Outbound ACL

Posted on 2009-02-12
Last Modified: 2012-05-06
I am getting ready to implement an outbound access control list on our Cisco Pix 506e.  Our only real concern right now is blocking smtp traffic originating from any internal host other than a mail server.  I have added a few other explicit permits just to get some counts.

I need to allow SMTP traffic from the servers with ip addresses,

These are the commands I am planning to run to create the ACL and activate it.  Let me know if you see anything wrong or have a suggested improvement.

access-list outbound permit tcp any eq www
access-list outbound permit tcp any eq https
access-list outbound permit tcp any eq smtp
access-list outbound permit tcp any eq smtp
access-list outbound deny tcp any eq smtp
access-list outbound permit ip any any

access-group outbound in interface inside
Question by:VickreyAdmin

    Accepted Solution

    That will do it.  The top two lines aren't necessary as the permit ip any any will allow it but I'm assuming these are the lines you want counter statistics from.
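The ACL from the question, modelled in Python as an added example (not code from the original thread) to show PIX first-match evaluation: the host-specific SMTP permits must precede the "deny tcp any eq smtp" line, and the www/https entries only affect hit counters, as the accepted answer notes. The mail server addresses 192.0.2.10 and 192.0.2.11 are constructed placeholders, since the question's real addresses are not on the page.

```python
# Added example: a small first-match simulator for the outbound ACL above.
# PIX/ASA ACLs are evaluated top-down and the first matching entry wins,
# so the order of the SMTP permits and the SMTP deny is what matters.
from ipaddress import ip_network, ip_address

MAIL_SERVERS = ["192.0.2.10", "192.0.2.11"]  # constructed placeholder hosts

# Each entry: (action, protocol, source network or "any", destination port or None).
# Mirrors the question's ACL, with the elided source hosts filled by placeholders.
OUTBOUND_ACL = [
    ("permit", "tcp", "any", 80),                   # www, kept only for hit counters
    ("permit", "tcp", "any", 443),                  # https, kept only for hit counters
    ("permit", "tcp", MAIL_SERVERS[0] + "/32", 25), # mail server 1 may send SMTP
    ("permit", "tcp", MAIL_SERVERS[1] + "/32", 25), # mail server 2 may send SMTP
    ("deny",   "tcp", "any", 25),                   # block SMTP from every other inside host
    ("permit", "ip",  "any", None),                 # everything else is allowed out
]

def _src_matches(entry_src, src):
    return entry_src == "any" or ip_address(src) in ip_network(entry_src)

def evaluate(acl, proto, src, dport):
    """Return (action, index) of the first matching entry, like PIX first-match.
    Nothing matching falls through to the implicit deny (index None)."""
    for idx, (action, eproto, esrc, eport) in enumerate(acl):
        if eproto != "ip" and eproto != proto:   # "ip" entries match any protocol
            continue
        if not _src_matches(esrc, src):
            continue
        if eport is not None and eport != dport:
            continue
        return action, idx
    return "deny", None

def hit_counts(acl, flows):
    """Count which entry each flow matched, the way 'show access-list' does."""
    counts = [0] * len(acl)
    for proto, src, dport in flows:
        _, idx = evaluate(acl, proto, src, dport)
        if idx is not None:
            counts[idx] += 1
    return counts

if __name__ == "__main__":
    # Constructed sample flows: mail server SMTP, a workstation trying SMTP,
    # a workstation browsing, and a DNS query.
    flows = [("tcp", "192.0.2.10", 25), ("tcp", "192.0.2.50", 25),
             ("tcp", "192.0.2.50", 80), ("udp", "192.0.2.50", 53)]
    for f in flows:
        print(f, "->", evaluate(OUTBOUND_ACL, *f))
    print("hit counts:", hit_counts(OUTBOUND_ACL, flows))
```

Dropping the first two entries (OUTBOUND_ACL[2:]) yields the same verdict for every flow; only the per-entry counters change, which is the point the answer makes.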

    Author Closing Comment

    Yes the top 2 lines are just for counters.  I will add more later.  Thanks for checking this for me.  My network runs 24/7 and I could not afford to make incorrect changes to the production firewall.
