Solved

Need to block SMTP from all internal sources except my Exchange server - ASA5520

Posted on 2009-04-09
10
801 Views
Last Modified: 2012-05-06
We recently installed an ASA 5520. I am currently blacklisted as I have an internal spamming source. I need to block all outgoing mail except from my mail server
0
Comment
Question by:jamesbehrens1
  • 5
  • 5
10 Comments
 
LVL 11

Expert Comment

by:rvthost
ID: 24109621
access-list InsideACL extended permit tcp host x.x.x.x any eq smtp (where x.x.x.x is the ip of your mail server)
access-list Inside ACL extended deny tcp any any eq smtp
0
 
LVL 11

Expert Comment

by:rvthost
ID: 24109660
0
 

Author Comment

by:jamesbehrens1
ID: 24109790
this is going to sound rather lame. We had a contractor configure this device. My only access right now is the ASDM. I believe I need to reset the enable_15 password as the enable password is not what we would normally use.
0
 
LVL 11

Expert Comment

by:rvthost
ID: 24109817
That doesn't sound fun :)

I have never had to do this, but here is the procedure:

http://www.cisco.com/en/US/products/ps6120/prod_password_recoveries_list.html
0
 

Author Comment

by:jamesbehrens1
ID: 24110265
resetting the password was actually very easy using the ASDM. Unfortunately, the rest of the interface is a little confusing.

The blacklist is making troubleshooting rather difficult. Gmail is playing along at the moment and with your provided statement both incoming and outgoing appear to be working. I have no idea how to tell on this interface whether sources other than my mail server are able to send.

Any idea?
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 

Author Comment

by:jamesbehrens1
ID: 24111420
We've managed to clear the blacklist but if my testing is right, it won't be for long. I can still send email from my Ubuntu server even though I do not have an explicit permit statement for that IP address.

I can't seem to set up a span session for the swiitch port that the ASA is connected to. Each time I do, my connection to my destination port dies. I'm afraid we are still in trouble.
0
 

Author Comment

by:jamesbehrens1
ID: 24112598
I thought I had found my issue... but no. This is a trucated section of my access lists. I managed to get the access lists described above through the ASDM. That way it's still configurable through ASDM.

access-list Inside_access_in extended permit ip any any
access-list Inside_access_in extended permit tcp host 172.20.10.9 any eq smtp
access-list Inside_access_in extended deny tcp any any eq smtp
access-list Outside_access_in extended permit tcp any host 70.167.199.77 eq smtp

my access groups look like this
access-group Outside_access_in in interface Outside
access-group Inside_access_in in interface Inside

It still lets my Ubuntu test server send SMTP right out even though there is not explicit rule letting it do so. Do you think it might be the default IP any any statement that is letting that happen?
0
 
LVL 11

Accepted Solution

by:
rvthost earned 500 total points
ID: 24112897
Yeah, put that line in at the end and that should do it.
0
 

Author Comment

by:jamesbehrens1
ID: 24120151
Excellent!! hitcount=2! That worked perfectly. In the ASDM, delete the default IP any any statement and reenter it. It adds it again as rule #3 instead of rule 1. That did the trick

I can't thank you enough.
0
 
LVL 11

Expert Comment

by:rvthost
ID: 24120173
Great to hear!!  Thanks.
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

Cisco Pix/ASA hairpinning The term, hairpinning, comes from the fact that the traffic comes from one source into a router or similar device, makes a U-turn, and goes back the same way it came. Visualize this and you will see something that looks …
This article will cover setting up redundant ISPs for outbound connectivity on an ASA 5510 (although the same should work on the 5520s and up as well).  It’s important to note that this covers outbound connectivity only.  The ASA does not have built…
It is a freely distributed piece of software for such tasks as photo retouching, image composition and image authoring. It works on many operating systems, in many languages.
Internet Business Fax to Email Made Easy - With eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now