?
Solved

Need to block SMTP from all internal sources except my Exchange server - ASA5520

Posted on 2009-04-09
10
Medium Priority
?
811 Views
Last Modified: 2012-05-06
We recently installed an ASA 5520. I am currently blacklisted as I have an internal spamming source. I need to block all outgoing mail except from my mail server
0
Comment
Question by:jamesbehrens1
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 5
10 Comments
 
LVL 11

Expert Comment

by:rvthost
ID: 24109621
access-list InsideACL extended permit tcp host x.x.x.x any eq smtp (where x.x.x.x is the ip of your mail server)
access-list Inside ACL extended deny tcp any any eq smtp
0
 
LVL 11

Expert Comment

by:rvthost
ID: 24109660
0
 

Author Comment

by:jamesbehrens1
ID: 24109790
this is going to sound rather lame. We had a contractor configure this device. My only access right now is the ASDM. I believe I need to reset the enable_15 password as the enable password is not what we would normally use.
0
Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

 
LVL 11

Expert Comment

by:rvthost
ID: 24109817
That doesn't sound fun :)

I have never had to do this, but here is the procedure:

http://www.cisco.com/en/US/products/ps6120/prod_password_recoveries_list.html
0
 

Author Comment

by:jamesbehrens1
ID: 24110265
resetting the password was actually very easy using the ASDM. Unfortunately, the rest of the interface is a little confusing.

The blacklist is making troubleshooting rather difficult. Gmail is playing along at the moment and with your provided statement both incoming and outgoing appear to be working. I have no idea how to tell on this interface whether sources other than my mail server are able to send.

Any idea?
0
 

Author Comment

by:jamesbehrens1
ID: 24111420
We've managed to clear the blacklist but if my testing is right, it won't be for long. I can still send email from my Ubuntu server even though I do not have an explicit permit statement for that IP address.

I can't seem to set up a span session for the swiitch port that the ASA is connected to. Each time I do, my connection to my destination port dies. I'm afraid we are still in trouble.
0
 

Author Comment

by:jamesbehrens1
ID: 24112598
I thought I had found my issue... but no. This is a trucated section of my access lists. I managed to get the access lists described above through the ASDM. That way it's still configurable through ASDM.

access-list Inside_access_in extended permit ip any any
access-list Inside_access_in extended permit tcp host 172.20.10.9 any eq smtp
access-list Inside_access_in extended deny tcp any any eq smtp
access-list Outside_access_in extended permit tcp any host 70.167.199.77 eq smtp

my access groups look like this
access-group Outside_access_in in interface Outside
access-group Inside_access_in in interface Inside

It still lets my Ubuntu test server send SMTP right out even though there is not explicit rule letting it do so. Do you think it might be the default IP any any statement that is letting that happen?
0
 
LVL 11

Accepted Solution

by:
rvthost earned 2000 total points
ID: 24112897
Yeah, put that line in at the end and that should do it.
0
 

Author Comment

by:jamesbehrens1
ID: 24120151
Excellent!! hitcount=2! That worked perfectly. In the ASDM, delete the default IP any any statement and reenter it. It adds it again as rule #3 instead of rule 1. That did the trick

I can't thank you enough.
0
 
LVL 11

Expert Comment

by:rvthost
ID: 24120173
Great to hear!!  Thanks.
0

Featured Post

NFR key for Veeam Agent for Linux

Veeam is happy to provide a free NFR license for one year.  It allows for the non‑production use and valid for five workstations and two servers. Veeam Agent for Linux is a simple backup tool for your Linux installations, both on‑premises and in the public cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

From Cisco ASA version 8.3, the Network Address Translation (NAT) configuration has been completely redesigned and it may be helpful to have the syntax configuration for both at a glance. You may as well want to read official Cisco published AS…
There’s a movement in Information Technology (IT), and while it’s hard to define, it is gaining momentum. Some call it “stream-lined IT;” others call it “thin-model IT.”
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…
Suggested Courses

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question