Solved

Cisco ASA 5505 block outbound SMTP from all addresses except mail server

Posted on 2009-05-18
9
2,753 Views
Last Modified: 2012-05-07
Hi All

I am trying to locate code that will prevent SMTP going outside the firewall except from my mail sevrers IP. Incase any PC's get any malware and start sending as we have been put on some blacklists and I can't think why.

Cheers

Arm

0
Comment
Question by:ArmstrongInt
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4
9 Comments
 
LVL 7

Expert Comment

by:egyptco
ID: 24410530
you should apply an access-list on your inside/dmz in inbound direction and determine which traffic should be permitted.depending on your internal structure it could be bit more effort to make it work as supposed to. if you'd like to apply only this policy and leave your configuration intact as possible you should do something like this:

access-list acl-inside deny tcp  <inside_range> <netmask> any eq smtp
access-list acl-inside permit ip any any
access-group acl-inside in interface inside
0
 
LVL 1

Author Comment

by:ArmstrongInt
ID: 24410658
Thanks Egypto co

So line 2 will override the deny in the first line ?

for example assuming my exchange box is 172.16.100.24

access-list acl_inside extended deny tcp 172.16.100.0 255.255.252.0 any eq smtp
access-list acl-inside extended permit 172.16.100.24 any any
access-group acl-inside in interface inside

Thanks

Arm
0
 
LVL 7

Expert Comment

by:egyptco
ID: 24411121
no, the access list is read from top to bottom. you need the last line to allow all other traffic from your inside, because every access-list has explicit deny at the end so thats why we need to put permit all (if you don't apply access-list on the inside interface the default behaviour is to allow all outgoing traffic but it changes pretty much after you go more restrictive by applying intern security policy). and of course you can be more granular and configure only specific hosts and protocol to be permitted and leave the explicit deny, but it is more costly and you should take under consideration lot more stuffs like defining exact internal security policies.

access-list acl_inside extenden permit tcp host 172.16.100.24 any eq smtp
access-list acl_inside extended deny any any eq smtp
access-list acl_inside extenden permit ip any any
0
NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

 
LVL 1

Author Comment

by:ArmstrongInt
ID: 24419578
Thanks

However it didn't like the second line, so all out bound traffic was blocked. So I had to revert.

Any other ideas.

Thanks

Arm

0
 
LVL 7

Expert Comment

by:egyptco
ID: 24419894
the second line denies only smtp outbound traffic, which is not permitted after evaluating the first line. and than the 3d allows all other outbound traffic. it should do exactly what you wanted to- control only smtp outbound, permitting such from your server only. the rest traffic is intact by this access-list
 i found a  small syntax mistake but i guess you've already figured it out. i'm missing the "tcp" in the line.
 
 access-list acl_inside extended tcp deny any any eq smtp
0
 
LVL 1

Author Comment

by:ArmstrongInt
ID: 24429461
Hi Egyptco.

Thanks I tried that

access-list acl_inside extended permit tcp host 172.16.100.24 any eq smtp
access-list acl_inside extended deny tcp any any eq smtp
access-list acl_inside extended permit tcp any any
access-group acl_inside in interface inside

However as soon as I apply that last line it completly denys all traffic leaving the network (VOIP phones, web browsing etc).

I tried several time and reloaded the ASA and the same result.

Is there an alternative do you think ?

Thanks again

Arm

0
 
LVL 7

Accepted Solution

by:
egyptco earned 250 total points
ID: 24430619
you permit only tcp traffic with your last line. you should permit all ip traffic

access-list acl_inside extended permit tcp host 172.16.100.24 any eq smtp
access-list acl_inside extended deny tcp any any eq smtp
access-list acl_inside extended permit ip any any
access-group acl_inside in interface inside
0
 
LVL 1

Author Comment

by:ArmstrongInt
ID: 24490847
Hi Egyptco

Sorry I have been away, I will try this tonight and let you know how I get on.

Thanks again

Arm
0
 
LVL 1

Author Closing Comment

by:ArmstrongInt
ID: 31582515
Worked a treat, thank you
0

Featured Post

Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article assumes you have at least one Cisco ASA or PIX configured with working internet and a non-dynamic, public, address on the outside interface. If you need instructions on how to enable your device for internet, or basic configuration info…
This article will cover setting up redundant ISPs for outbound connectivity on an ASA 5510 (although the same should work on the 5520s and up as well).  It’s important to note that this covers outbound connectivity only.  The ASA does not have built…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

739 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question