Solved

Cisco ASA 5505 block outbound SMTP from all addresses except mail server

Posted on 2009-05-18
9
2,747 Views
Last Modified: 2012-05-07
Hi All

I am trying to locate code that will prevent SMTP going outside the firewall except from my mail sevrers IP. Incase any PC's get any malware and start sending as we have been put on some blacklists and I can't think why.

Cheers

Arm

0
Comment
Question by:ArmstrongInt
  • 5
  • 4
9 Comments
 
LVL 7

Expert Comment

by:egyptco
ID: 24410530
you should apply an access-list on your inside/dmz in inbound direction and determine which traffic should be permitted.depending on your internal structure it could be bit more effort to make it work as supposed to. if you'd like to apply only this policy and leave your configuration intact as possible you should do something like this:

access-list acl-inside deny tcp  <inside_range> <netmask> any eq smtp
access-list acl-inside permit ip any any
access-group acl-inside in interface inside
0
 
LVL 1

Author Comment

by:ArmstrongInt
ID: 24410658
Thanks Egypto co

So line 2 will override the deny in the first line ?

for example assuming my exchange box is 172.16.100.24

access-list acl_inside extended deny tcp 172.16.100.0 255.255.252.0 any eq smtp
access-list acl-inside extended permit 172.16.100.24 any any
access-group acl-inside in interface inside

Thanks

Arm
0
 
LVL 7

Expert Comment

by:egyptco
ID: 24411121
no, the access list is read from top to bottom. you need the last line to allow all other traffic from your inside, because every access-list has explicit deny at the end so thats why we need to put permit all (if you don't apply access-list on the inside interface the default behaviour is to allow all outgoing traffic but it changes pretty much after you go more restrictive by applying intern security policy). and of course you can be more granular and configure only specific hosts and protocol to be permitted and leave the explicit deny, but it is more costly and you should take under consideration lot more stuffs like defining exact internal security policies.

access-list acl_inside extenden permit tcp host 172.16.100.24 any eq smtp
access-list acl_inside extended deny any any eq smtp
access-list acl_inside extenden permit ip any any
0
 
LVL 1

Author Comment

by:ArmstrongInt
ID: 24419578
Thanks

However it didn't like the second line, so all out bound traffic was blocked. So I had to revert.

Any other ideas.

Thanks

Arm

0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 7

Expert Comment

by:egyptco
ID: 24419894
the second line denies only smtp outbound traffic, which is not permitted after evaluating the first line. and than the 3d allows all other outbound traffic. it should do exactly what you wanted to- control only smtp outbound, permitting such from your server only. the rest traffic is intact by this access-list
 i found a  small syntax mistake but i guess you've already figured it out. i'm missing the "tcp" in the line.
 
 access-list acl_inside extended tcp deny any any eq smtp
0
 
LVL 1

Author Comment

by:ArmstrongInt
ID: 24429461
Hi Egyptco.

Thanks I tried that

access-list acl_inside extended permit tcp host 172.16.100.24 any eq smtp
access-list acl_inside extended deny tcp any any eq smtp
access-list acl_inside extended permit tcp any any
access-group acl_inside in interface inside

However as soon as I apply that last line it completly denys all traffic leaving the network (VOIP phones, web browsing etc).

I tried several time and reloaded the ASA and the same result.

Is there an alternative do you think ?

Thanks again

Arm

0
 
LVL 7

Accepted Solution

by:
egyptco earned 250 total points
ID: 24430619
you permit only tcp traffic with your last line. you should permit all ip traffic

access-list acl_inside extended permit tcp host 172.16.100.24 any eq smtp
access-list acl_inside extended deny tcp any any eq smtp
access-list acl_inside extended permit ip any any
access-group acl_inside in interface inside
0
 
LVL 1

Author Comment

by:ArmstrongInt
ID: 24490847
Hi Egyptco

Sorry I have been away, I will try this tonight and let you know how I get on.

Thanks again

Arm
0
 
LVL 1

Author Closing Comment

by:ArmstrongInt
ID: 31582515
Worked a treat, thank you
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

How to configure Site to Site VPN on a Cisco ASA.     (version: 1.1 - updated August 6, 2009) Index          [Preface]   1.    [Introduction]   2.    [The situation]   3.    [Getting started]   4.    [Interesting traffic]   5.    [NAT0]   6.…
Cisco Pix/ASA hairpinning The term, hairpinning, comes from the fact that the traffic comes from one source into a router or similar device, makes a U-turn, and goes back the same way it came. Visualize this and you will see something that looks …
This video shows how to remove a single email address from the Outlook 2010 Auto Suggestion memory. NOTE: For Outlook 2016 and 2013 perform the exact same steps. Open a new email: Click the New email button in Outlook. Start typing the address: …
This tutorial demonstrates a quick way of adding group price to multiple Magento products.

943 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now