Link to home
Start Free TrialLog in
Avatar of ArmstrongInt
ArmstrongInt

asked on

Cisco ASA 5505 block outbound SMTP from all addresses except mail server

Hi All

I am trying to locate code that will prevent SMTP going outside the firewall except from my mail sevrers IP. Incase any PC's get any malware and start sending as we have been put on some blacklists and I can't think why.

Cheers

Arm

Avatar of egyptco
egyptco
Flag of Austria image

you should apply an access-list on your inside/dmz in inbound direction and determine which traffic should be permitted.depending on your internal structure it could be bit more effort to make it work as supposed to. if you'd like to apply only this policy and leave your configuration intact as possible you should do something like this:

access-list acl-inside deny tcp  <inside_range> <netmask> any eq smtp
access-list acl-inside permit ip any any
access-group acl-inside in interface inside
Avatar of ArmstrongInt
ArmstrongInt

ASKER

Thanks Egypto co

So line 2 will override the deny in the first line ?

for example assuming my exchange box is 172.16.100.24

access-list acl_inside extended deny tcp 172.16.100.0 255.255.252.0 any eq smtp
access-list acl-inside extended permit 172.16.100.24 any any
access-group acl-inside in interface inside

Thanks

Arm
no, the access list is read from top to bottom. you need the last line to allow all other traffic from your inside, because every access-list has explicit deny at the end so thats why we need to put permit all (if you don't apply access-list on the inside interface the default behaviour is to allow all outgoing traffic but it changes pretty much after you go more restrictive by applying intern security policy). and of course you can be more granular and configure only specific hosts and protocol to be permitted and leave the explicit deny, but it is more costly and you should take under consideration lot more stuffs like defining exact internal security policies.

access-list acl_inside extenden permit tcp host 172.16.100.24 any eq smtp
access-list acl_inside extended deny any any eq smtp
access-list acl_inside extenden permit ip any any
Thanks

However it didn't like the second line, so all out bound traffic was blocked. So I had to revert.

Any other ideas.

Thanks

Arm

the second line denies only smtp outbound traffic, which is not permitted after evaluating the first line. and than the 3d allows all other outbound traffic. it should do exactly what you wanted to- control only smtp outbound, permitting such from your server only. the rest traffic is intact by this access-list
 i found a  small syntax mistake but i guess you've already figured it out. i'm missing the "tcp" in the line.
 
 access-list acl_inside extended tcp deny any any eq smtp
Hi Egyptco.

Thanks I tried that

access-list acl_inside extended permit tcp host 172.16.100.24 any eq smtp
access-list acl_inside extended deny tcp any any eq smtp
access-list acl_inside extended permit tcp any any
access-group acl_inside in interface inside

However as soon as I apply that last line it completly denys all traffic leaving the network (VOIP phones, web browsing etc).

I tried several time and reloaded the ASA and the same result.

Is there an alternative do you think ?

Thanks again

Arm

ASKER CERTIFIED SOLUTION
Avatar of egyptco
egyptco
Flag of Austria image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Hi Egyptco

Sorry I have been away, I will try this tonight and let you know how I get on.

Thanks again

Arm
Worked a treat, thank you