Solved

Cisco ASA 5505 block outbound SMTP from all addresses except mail server

Posted on 2009-05-18
9
2,751 Views
Last Modified: 2012-05-07
Hi All

I am trying to locate code that will prevent SMTP going outside the firewall except from my mail sevrers IP. Incase any PC's get any malware and start sending as we have been put on some blacklists and I can't think why.

Cheers

Arm

0
Comment
Question by:ArmstrongInt
  • 5
  • 4
9 Comments
 
LVL 7

Expert Comment

by:egyptco
ID: 24410530
you should apply an access-list on your inside/dmz in inbound direction and determine which traffic should be permitted.depending on your internal structure it could be bit more effort to make it work as supposed to. if you'd like to apply only this policy and leave your configuration intact as possible you should do something like this:

access-list acl-inside deny tcp  <inside_range> <netmask> any eq smtp
access-list acl-inside permit ip any any
access-group acl-inside in interface inside
0
 
LVL 1

Author Comment

by:ArmstrongInt
ID: 24410658
Thanks Egypto co

So line 2 will override the deny in the first line ?

for example assuming my exchange box is 172.16.100.24

access-list acl_inside extended deny tcp 172.16.100.0 255.255.252.0 any eq smtp
access-list acl-inside extended permit 172.16.100.24 any any
access-group acl-inside in interface inside

Thanks

Arm
0
 
LVL 7

Expert Comment

by:egyptco
ID: 24411121
no, the access list is read from top to bottom. you need the last line to allow all other traffic from your inside, because every access-list has explicit deny at the end so thats why we need to put permit all (if you don't apply access-list on the inside interface the default behaviour is to allow all outgoing traffic but it changes pretty much after you go more restrictive by applying intern security policy). and of course you can be more granular and configure only specific hosts and protocol to be permitted and leave the explicit deny, but it is more costly and you should take under consideration lot more stuffs like defining exact internal security policies.

access-list acl_inside extenden permit tcp host 172.16.100.24 any eq smtp
access-list acl_inside extended deny any any eq smtp
access-list acl_inside extenden permit ip any any
0
What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

 
LVL 1

Author Comment

by:ArmstrongInt
ID: 24419578
Thanks

However it didn't like the second line, so all out bound traffic was blocked. So I had to revert.

Any other ideas.

Thanks

Arm

0
 
LVL 7

Expert Comment

by:egyptco
ID: 24419894
the second line denies only smtp outbound traffic, which is not permitted after evaluating the first line. and than the 3d allows all other outbound traffic. it should do exactly what you wanted to- control only smtp outbound, permitting such from your server only. the rest traffic is intact by this access-list
 i found a  small syntax mistake but i guess you've already figured it out. i'm missing the "tcp" in the line.
 
 access-list acl_inside extended tcp deny any any eq smtp
0
 
LVL 1

Author Comment

by:ArmstrongInt
ID: 24429461
Hi Egyptco.

Thanks I tried that

access-list acl_inside extended permit tcp host 172.16.100.24 any eq smtp
access-list acl_inside extended deny tcp any any eq smtp
access-list acl_inside extended permit tcp any any
access-group acl_inside in interface inside

However as soon as I apply that last line it completly denys all traffic leaving the network (VOIP phones, web browsing etc).

I tried several time and reloaded the ASA and the same result.

Is there an alternative do you think ?

Thanks again

Arm

0
 
LVL 7

Accepted Solution

by:
egyptco earned 250 total points
ID: 24430619
you permit only tcp traffic with your last line. you should permit all ip traffic

access-list acl_inside extended permit tcp host 172.16.100.24 any eq smtp
access-list acl_inside extended deny tcp any any eq smtp
access-list acl_inside extended permit ip any any
access-group acl_inside in interface inside
0
 
LVL 1

Author Comment

by:ArmstrongInt
ID: 24490847
Hi Egyptco

Sorry I have been away, I will try this tonight and let you know how I get on.

Thanks again

Arm
0
 
LVL 1

Author Closing Comment

by:ArmstrongInt
ID: 31582515
Worked a treat, thank you
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This is about downgrading PIX Version 8.0(4) & ASDM 6.1(5) to PIX 7.2(4) and ASDM 5.2(4) but with only 64MB RAM and 16MB flash. Background: You have a Cisco Pix 515E which was running on PIX 7.2(4) and its supporting ASDM 5.2(4) without any i…
Quality of Service (QoS) options are nearly endless when it comes to networks today. This article is merely one example of how it can be handled in a hub-n-spoke design using a 3-tier configuration.
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

810 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question