Solved

Need to block SMTP from all internal sources except my Exchange server - ASA5520

Posted on 2009-04-09
809 Views
Last Modified: 2012-05-06
We recently installed an ASA 5520. I am currently blacklisted as I have an internal spamming source. I need to block all outgoing mail except from my mail server.
Question by:jamesbehrens1
10 Comments
 
LVL 11

Expert Comment

by:rvthost
ID: 24109621
access-list InsideACL extended permit tcp host x.x.x.x any eq smtp (where x.x.x.x is the IP of your mail server)
access-list InsideACL extended deny tcp any any eq smtp
 
LVL 11

Expert Comment

by:rvthost
ID: 24109660
 

Author Comment

by:jamesbehrens1
ID: 24109790
This is going to sound rather lame. We had a contractor configure this device. My only access right now is the ASDM. I believe I need to reset the enable_15 password, as the enable password is not what we would normally use.
 
LVL 11

Expert Comment

by:rvthost
ID: 24109817
That doesn't sound fun :)

I have never had to do this, but here is the procedure:

http://www.cisco.com/en/US/products/ps6120/prod_password_recoveries_list.html
 

Author Comment

by:jamesbehrens1
ID: 24110265
Resetting the password was actually very easy using the ASDM. Unfortunately, the rest of the interface is a little confusing.

The blacklist is making troubleshooting rather difficult. Gmail is playing along at the moment and with your provided statement both incoming and outgoing appear to be working. I have no idea how to tell on this interface whether sources other than my mail server are able to send.

Any idea?
 

Author Comment

by:jamesbehrens1
ID: 24111420
We've managed to clear the blacklist but if my testing is right, it won't be for long. I can still send email from my Ubuntu server even though I do not have an explicit permit statement for that IP address.

I can't seem to set up a SPAN session for the switch port that the ASA is connected to. Each time I do, my connection to my destination port dies. I'm afraid we are still in trouble.
 

Author Comment

by:jamesbehrens1
ID: 24112598
I thought I had found my issue... but no. This is a truncated section of my access lists. I managed to get the access lists described above in through the ASDM. That way it's still configurable through ASDM.

access-list Inside_access_in extended permit ip any any
access-list Inside_access_in extended permit tcp host 172.20.10.9 any eq smtp
access-list Inside_access_in extended deny tcp any any eq smtp
access-list Outside_access_in extended permit tcp any host 70.167.199.77 eq smtp

my access groups look like this
access-group Outside_access_in in interface Outside
access-group Inside_access_in in interface Inside

It still lets my Ubuntu test server send SMTP right out even though there is no explicit rule letting it do so. Do you think it might be the default IP any any statement that is letting that happen?
 
LVL 11

Accepted Solution

by:
rvthost earned 500 total points
ID: 24112897
Yeah, put that line in at the end and that should do it.
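The rule-order problem the accepted answer fixes, shown as an added Python simulation of the ASA's first-match ACL evaluation over the Inside_access_in lines posted above (example code, not from the thread; the Ubuntu server and remote MX addresses are assumed):

```python
# Added example (not from the thread): simulates Cisco ASA first-match ACL
# evaluation for the Inside_access_in list posted above, to show why moving
# "permit ip any any" to the end stops the Ubuntu box sending SMTP.
# Assumed: 172.20.10.50 (Ubuntu box) and 203.0.113.25 (remote MX) are made up.
from collections import namedtuple
from ipaddress import ip_address, ip_network

SMTP = 25
# action: "permit"/"deny"; proto: "ip" matches anything; dport: None = any port
Ace = namedtuple("Ace", "action proto src dst dport")

def _addr(tok, i):
    """Parse an ASA address spec at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ip_network(tok[i + 1] + "/32"), i + 2
    return ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2   # "net mask" form

def parse_ace(line):
    """Parse 'access-list NAME extended ACTION PROTO SRC DST [eq PORT]'."""
    tok = line.split()
    src, i = _addr(tok, 5)
    dst, i = _addr(tok, i)
    dport = None
    if i < len(tok) and tok[i] == "eq":
        dport = SMTP if tok[i + 1] == "smtp" else int(tok[i + 1])
    return Ace(tok[3], tok[4], src, dst, dport)

def evaluate(acl, proto, src, dst, dport):
    """Action of the first matching ACE; the ASA's implicit deny otherwise."""
    s, d = ip_address(src), ip_address(dst)
    for ace in acl:
        if (ace.proto in ("ip", proto) and s in ace.src and d in ace.dst
                and ace.dport in (None, dport)):
            return ace.action
    return "deny"

POSTED = [  # order as it appeared in the thread: catch-all permit first
    "access-list Inside_access_in extended permit ip any any",
    "access-list Inside_access_in extended permit tcp host 172.20.10.9 any eq smtp",
    "access-list Inside_access_in extended deny tcp any any eq smtp",
]
FIXED = POSTED[1:] + POSTED[:1]   # accepted fix: catch-all permit moved last

def verdicts(lines, src="172.20.10.50", dst="203.0.113.25"):
    """SMTP and HTTPS verdicts for one inside host under the given ACL text."""
    acl = [parse_ace(l) for l in lines]
    return {"smtp": evaluate(acl, "tcp", src, dst, SMTP),
            "https": evaluate(acl, "tcp", src, dst, 443)}
```

With the posted order the Ubuntu host is permitted by the first line before the SMTP deny is ever reached; with the catch-all moved last it is denied on port 25 but still allowed on 443, and the mail server keeps its explicit permit. On the real box, `show access-list` hit counts (the hitcount the author mentions) confirm which line a test connection matched.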
 

Author Comment

by:jamesbehrens1
ID: 24120151
Excellent!! hitcount=2! That worked perfectly. In the ASDM, delete the default IP any any statement and re-enter it. It adds it again as rule #3 instead of rule 1. That did the trick.

I can't thank you enough.
 
LVL 11

Expert Comment

by:rvthost
ID: 24120173
Great to hear!! Thanks.
