Solved

Cisco ASA 5505 block outbound SMTP from all addresses except mail server

Posted on 2009-05-18
9
2,744 Views
Last Modified: 2012-05-07
Hi All

I am trying to locate code that will prevent SMTP going outside the firewall except from my mail sevrers IP. Incase any PC's get any malware and start sending as we have been put on some blacklists and I can't think why.

Cheers

Arm

0
Comment
Question by:ArmstrongInt
  • 5
  • 4
9 Comments
 
LVL 7

Expert Comment

by:egyptco
ID: 24410530
you should apply an access-list on your inside/dmz in inbound direction and determine which traffic should be permitted.depending on your internal structure it could be bit more effort to make it work as supposed to. if you'd like to apply only this policy and leave your configuration intact as possible you should do something like this:

access-list acl-inside deny tcp  <inside_range> <netmask> any eq smtp
access-list acl-inside permit ip any any
access-group acl-inside in interface inside
0
 
LVL 1

Author Comment

by:ArmstrongInt
ID: 24410658
Thanks Egypto co

So line 2 will override the deny in the first line ?

for example assuming my exchange box is 172.16.100.24

access-list acl_inside extended deny tcp 172.16.100.0 255.255.252.0 any eq smtp
access-list acl-inside extended permit 172.16.100.24 any any
access-group acl-inside in interface inside

Thanks

Arm
0
 
LVL 7

Expert Comment

by:egyptco
ID: 24411121
no, the access list is read from top to bottom. you need the last line to allow all other traffic from your inside, because every access-list has explicit deny at the end so thats why we need to put permit all (if you don't apply access-list on the inside interface the default behaviour is to allow all outgoing traffic but it changes pretty much after you go more restrictive by applying intern security policy). and of course you can be more granular and configure only specific hosts and protocol to be permitted and leave the explicit deny, but it is more costly and you should take under consideration lot more stuffs like defining exact internal security policies.

access-list acl_inside extenden permit tcp host 172.16.100.24 any eq smtp
access-list acl_inside extended deny any any eq smtp
access-list acl_inside extenden permit ip any any
0
 
LVL 1

Author Comment

by:ArmstrongInt
ID: 24419578
Thanks

However it didn't like the second line, so all out bound traffic was blocked. So I had to revert.

Any other ideas.

Thanks

Arm

0
Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

 
LVL 7

Expert Comment

by:egyptco
ID: 24419894
the second line denies only smtp outbound traffic, which is not permitted after evaluating the first line. and than the 3d allows all other outbound traffic. it should do exactly what you wanted to- control only smtp outbound, permitting such from your server only. the rest traffic is intact by this access-list
 i found a  small syntax mistake but i guess you've already figured it out. i'm missing the "tcp" in the line.
 
 access-list acl_inside extended tcp deny any any eq smtp
0
 
LVL 1

Author Comment

by:ArmstrongInt
ID: 24429461
Hi Egyptco.

Thanks I tried that

access-list acl_inside extended permit tcp host 172.16.100.24 any eq smtp
access-list acl_inside extended deny tcp any any eq smtp
access-list acl_inside extended permit tcp any any
access-group acl_inside in interface inside

However as soon as I apply that last line it completly denys all traffic leaving the network (VOIP phones, web browsing etc).

I tried several time and reloaded the ASA and the same result.

Is there an alternative do you think ?

Thanks again

Arm

0
 
LVL 7

Accepted Solution

by:
egyptco earned 250 total points
ID: 24430619
you permit only tcp traffic with your last line. you should permit all ip traffic

access-list acl_inside extended permit tcp host 172.16.100.24 any eq smtp
access-list acl_inside extended deny tcp any any eq smtp
access-list acl_inside extended permit ip any any
access-group acl_inside in interface inside
0
 
LVL 1

Author Comment

by:ArmstrongInt
ID: 24490847
Hi Egyptco

Sorry I have been away, I will try this tonight and let you know how I get on.

Thanks again

Arm
0
 
LVL 1

Author Closing Comment

by:ArmstrongInt
ID: 31582515
Worked a treat, thank you
0

Featured Post

What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

Join & Write a Comment

From Cisco ASA version 8.3, the Network Address Translation (NAT) configuration has been completely redesigned and it may be helpful to have the syntax configuration for both at a glance. You may as well want to read official Cisco published AS…
Use of TCL script on Cisco devices:  - create file and merge it with running configuration to apply configuration changes
This video discusses moving either the default database or any database to a new volume.
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

759 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now