Solved

Need to block SMTP from all internal sources except my Exchange server - ASA5520

Posted on 2009-04-09
10
803 Views
Last Modified: 2012-05-06
We recently installed an ASA 5520. I am currently blacklisted as I have an internal spamming source. I need to block all outgoing mail except from my mail server
0
Comment
Question by:jamesbehrens1
  • 5
  • 5
10 Comments
 
LVL 11

Expert Comment

by:rvthost
ID: 24109621
access-list InsideACL extended permit tcp host x.x.x.x any eq smtp (where x.x.x.x is the ip of your mail server)
access-list Inside ACL extended deny tcp any any eq smtp
0
 
LVL 11

Expert Comment

by:rvthost
ID: 24109660
0
 

Author Comment

by:jamesbehrens1
ID: 24109790
this is going to sound rather lame. We had a contractor configure this device. My only access right now is the ASDM. I believe I need to reset the enable_15 password as the enable password is not what we would normally use.
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 11

Expert Comment

by:rvthost
ID: 24109817
That doesn't sound fun :)

I have never had to do this, but here is the procedure:

http://www.cisco.com/en/US/products/ps6120/prod_password_recoveries_list.html
0
 

Author Comment

by:jamesbehrens1
ID: 24110265
resetting the password was actually very easy using the ASDM. Unfortunately, the rest of the interface is a little confusing.

The blacklist is making troubleshooting rather difficult. Gmail is playing along at the moment and with your provided statement both incoming and outgoing appear to be working. I have no idea how to tell on this interface whether sources other than my mail server are able to send.

Any idea?
0
 

Author Comment

by:jamesbehrens1
ID: 24111420
We've managed to clear the blacklist but if my testing is right, it won't be for long. I can still send email from my Ubuntu server even though I do not have an explicit permit statement for that IP address.

I can't seem to set up a span session for the swiitch port that the ASA is connected to. Each time I do, my connection to my destination port dies. I'm afraid we are still in trouble.
0
 

Author Comment

by:jamesbehrens1
ID: 24112598
I thought I had found my issue... but no. This is a trucated section of my access lists. I managed to get the access lists described above through the ASDM. That way it's still configurable through ASDM.

access-list Inside_access_in extended permit ip any any
access-list Inside_access_in extended permit tcp host 172.20.10.9 any eq smtp
access-list Inside_access_in extended deny tcp any any eq smtp
access-list Outside_access_in extended permit tcp any host 70.167.199.77 eq smtp

my access groups look like this
access-group Outside_access_in in interface Outside
access-group Inside_access_in in interface Inside

It still lets my Ubuntu test server send SMTP right out even though there is not explicit rule letting it do so. Do you think it might be the default IP any any statement that is letting that happen?
0
 
LVL 11

Accepted Solution

by:
rvthost earned 500 total points
ID: 24112897
Yeah, put that line in at the end and that should do it.
0
 

Author Comment

by:jamesbehrens1
ID: 24120151
Excellent!! hitcount=2! That worked perfectly. In the ASDM, delete the default IP any any statement and reenter it. It adds it again as rule #3 instead of rule 1. That did the trick

I can't thank you enough.
0
 
LVL 11

Expert Comment

by:rvthost
ID: 24120173
Great to hear!!  Thanks.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you have an ASA5510 then this sort of thing would be better handled with a CSC Module, however on an ASA5505 thats not an option, and if you want to throw in a quick solution to stop your staff going to facebook during work time, then this is the…
Concerto Cloud Services, a provider of fully managed private, public and hybrid cloud solutions, announced today it was named to the 20 Coolest Cloud Infrastructure Vendors Of The 2017 Cloud  (http://www.concertocloud.com/about/in-the-news/2017/02/0…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question