Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Need to block SMTP from all internal sources except my Exchange server - ASA5520

Posted on 2009-04-09
10
Medium Priority
?
815 Views
Last Modified: 2012-05-06
We recently installed an ASA 5520. I am currently blacklisted as I have an internal spamming source. I need to block all outgoing mail except from my mail server
0
Comment
Question by:jamesbehrens1
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 5
10 Comments
 
LVL 11

Expert Comment

by:rvthost
ID: 24109621
access-list InsideACL extended permit tcp host x.x.x.x any eq smtp (where x.x.x.x is the ip of your mail server)
access-list Inside ACL extended deny tcp any any eq smtp
0
 
LVL 11

Expert Comment

by:rvthost
ID: 24109660
0
 

Author Comment

by:jamesbehrens1
ID: 24109790
this is going to sound rather lame. We had a contractor configure this device. My only access right now is the ASDM. I believe I need to reset the enable_15 password as the enable password is not what we would normally use.
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 11

Expert Comment

by:rvthost
ID: 24109817
That doesn't sound fun :)

I have never had to do this, but here is the procedure:

http://www.cisco.com/en/US/products/ps6120/prod_password_recoveries_list.html
0
 

Author Comment

by:jamesbehrens1
ID: 24110265
resetting the password was actually very easy using the ASDM. Unfortunately, the rest of the interface is a little confusing.

The blacklist is making troubleshooting rather difficult. Gmail is playing along at the moment and with your provided statement both incoming and outgoing appear to be working. I have no idea how to tell on this interface whether sources other than my mail server are able to send.

Any idea?
0
 

Author Comment

by:jamesbehrens1
ID: 24111420
We've managed to clear the blacklist but if my testing is right, it won't be for long. I can still send email from my Ubuntu server even though I do not have an explicit permit statement for that IP address.

I can't seem to set up a span session for the swiitch port that the ASA is connected to. Each time I do, my connection to my destination port dies. I'm afraid we are still in trouble.
0
 

Author Comment

by:jamesbehrens1
ID: 24112598
I thought I had found my issue... but no. This is a trucated section of my access lists. I managed to get the access lists described above through the ASDM. That way it's still configurable through ASDM.

access-list Inside_access_in extended permit ip any any
access-list Inside_access_in extended permit tcp host 172.20.10.9 any eq smtp
access-list Inside_access_in extended deny tcp any any eq smtp
access-list Outside_access_in extended permit tcp any host 70.167.199.77 eq smtp

my access groups look like this
access-group Outside_access_in in interface Outside
access-group Inside_access_in in interface Inside

It still lets my Ubuntu test server send SMTP right out even though there is not explicit rule letting it do so. Do you think it might be the default IP any any statement that is letting that happen?
0
 
LVL 11

Accepted Solution

by:
rvthost earned 2000 total points
ID: 24112897
Yeah, put that line in at the end and that should do it.
0
 

Author Comment

by:jamesbehrens1
ID: 24120151
Excellent!! hitcount=2! That worked perfectly. In the ASDM, delete the default IP any any statement and reenter it. It adds it again as rule #3 instead of rule 1. That did the trick

I can't thank you enough.
0
 
LVL 11

Expert Comment

by:rvthost
ID: 24120173
Great to hear!!  Thanks.
0

Featured Post

Important Lessons on Recovering from Petya

In their most recent webinar, Skyport Systems explores ways to isolate and protect critical databases to keep the core of your company safe from harm.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

For months I had no idea how to 'discover' the IP address of the other end of a link (without asking someone who knows), and it drove me batty. Think about it. You can't use Cisco Discovery Protocol (CDP) because it's not implemented on the ASAs.…
Let’s face it: one of the reasons your organization chose a SaaS solution (whether Microsoft Dynamics 365, Netsuite or SAP) is that it is subscription-based. The upkeep is done. Or so you think.
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

650 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question