PIX 501 blocking outgoing smtp

Jonnie79
Hi Guys
I have been reading some information on this site about blocking outgoing SMTP traffic from everything apart from a mail server, but I just want to run the PIX 501 config past you to make sure.

The history is that the PIX 501 has been in operation for about 5 years, but it now seems someone is sending out spam, so while we isolate the particular PC we want to block all outgoing traffic on port 25 apart from the mail server.

The network layout is:
Exchange server 10.16.4.2
PIX Inside IP 10.16.2.1
PIX outside IP 172.15.2.1
ADSL Router 172.15.1.1

The parts of the config on the router I think are relevant are:

access-list 101 permit tcp any host 172.15.2.1 eq smtp

ip address outside 172.15.2.1 255.255.0.0
ip address inside 10.16.2.1 255.255.0.0

static (inside,outside) tcp interface smtp 10.16.4.2 smtp netmask 255.255.255.255 0 0

access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 172.15.1.1 1
route inside 10.17.0.0 255.255.0.0 10.16.1.3 1

Where I am concerned is that everything I read on this site about blocking has the access-group 101 on interface 'inside', whereas I have it on 'outside'. Does this matter?

Do you need any more configuration information?
OK, you need to block any SMTP connection to the outside world other than from 10.16.4.2 and 172.15.2.1?

You can set the access-group on the inside interface itself:

access-list 102 permit tcp host 10.16.4.2 any eq smtp
access-list 102 permit tcp host 172.15.2.1 any eq smtp
access-list 102 deny tcp inside_network subnet mask any eq smtp
access-list 102 permit ip any any

access-group 102 in interface inside

Let me know.


Author

Commented:
Hmm, I was attempting to add that config but it seems to get stuck at the:
access-list 102 deny tcp inside_network subnet mask any eq smtp

It is running PIX version 6.2(2).
Does that matter?

Author

Commented:
I cannot seem to edit my previous comment but the error is:
Invalid IP address inside_network

For example:

access-list 102 deny tcp 10.17.0.0 255.255.0.0 any eq smtp


Commented:
Hi

What the first poster is saying is to use your inside network and subnet mask.
As you may have another subnet (10.17.0.0), you can individually deny them or deny all. Also, you don't need to permit 172.15.2.1 from inside as it's not on your LAN.

To allow SMTP from the Exchange server and stipulate that it isn't done from anywhere else:

conf t
no access-group 102 in interface inside
no access-list 102
access-list 102 permit tcp host 10.16.4.2 any eq smtp
access-list 102 deny tcp 10.16.0.0 255.255.0.0 any eq smtp
access-list 102 deny tcp 10.17.0.0 255.255.0.0 any eq smtp
access-list 102 permit ip any any

access-group 102 in interface inside

You can add further subnets to the deny list if you have any others.

cheers

Commented:
:-)  nice timing

Author

Commented:
OK, thanks for that; sometimes it's really obvious and simple, right in front of your eyes (IP and subnet), but you don't see it...! :)
I will add the config and check it.
Yes, Jonnie79, these previous responses are correct. You gave us all the info for inbound SMTP from the internet. But what you want is to block outbound SMTP from anything except your mail server. So you need an ACL on your inside interface that will filter outbound SMTP.

nodisco said to create an access-list (numbered 102 in this case, but you can use a name if you like):
 
access-list 102 permit tcp host 10.16.4.2 any eq smtp         / Allows the inside email host to send SMTP.
access-list 102 deny tcp 10.16.0.0 255.255.0.0 any eq smtp    / Prevents the main inside net from sending SMTP.
access-list 102 deny tcp 10.17.0.0 255.255.0.0 any eq smtp    / Prevents the other inside net from sending SMTP.
access-list 102 permit ip any any                             / Allows all other traffic.

access-group 102 in interface inside                          / Applies ACL 102 to the inside interface.

The two above have given solid advice.

Author

Commented:
Thanks for all your help so far guys.
Think we are almost there.
The lines on the PIX at the moment are:
 
access-list 102 permit tcp host 10.16.4.2 any eq smtp
access-list 102 deny tcp 10.16.0.0 255.255.0.0 any eq smtp
access-list 102 permit ip any any

All the workstations inside have IPs of 10.16.6.*.
If I go to www.canyouseeme.org from a workstation and type in port 25, they can still be seen, so what am I doing wrong?

Commented:
Hi

When you go outside, you are being NATted to an external IP (it's not displayed in what you have posted). This site checks to see if SMTP is allowed back in to the public IP address you are translated to. I'd be willing to bet you are NATting your inside to the same IP address as the PIX, and accordingly yes, this is where SMTP comes back in to. This is not the same thing as allowing SMTP outbound; this is inbound.

To confirm, please post your nat and global statements.
cheers

Author

Commented:
I think I understand what you're saying: the website looks back after the request from the workstation, but the PIX routes to the Exchange server, which of course allows port 25?
Sounds logical :)
Because of this line?
static (inside,outside) tcp interface smtp 10.16.4.2 smtp netmask 255.255.255.255 0 0

I think the info you are after is:
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

Commented:
Exactly :-)

Your outgoing IP is the same as the SMTP incoming IP for the firewall.

Author

Commented:
OK, well that sounds good, except that I cannot test from a workstation...

Commented:
Well, you could test if you had an outgoing SMTP email client.

If you used Outlook Express and the outgoing email was using port 25, just try and send an email. After trying, log on to the PIX and type

sh access-list 102

It should show a hitcnt on the line
access-list 102 deny tcp 10.16.0.0 255.255.0.0 any eq smtp
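The behaviour worked through above (first-match evaluation of access-list 102 on the inside interface, the static plus access-list 101 that keeps port 25 reachable from the internet even though workstations can no longer send mail out, and the hitcnt you would look for with sh access-list 102) as an added Python model written for this page. It is not code the posters ran and not Cisco software: it parses only the access-list syntax that appears in this thread, and the mail-host address 198.51.100.5 and the external tester address 203.0.113.10 are assumed.

```python
"""Constructed model of the PIX 6.2 behaviour discussed in this thread.
Example code written for this page, not Cisco software: first-match ACL
evaluation with the implicit deny, the access-group bindings, and the
one static that forwards TCP/25. Assumed addresses: 198.51.100.5 (an
internet mail host) and 203.0.113.10 (an external port tester)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORTS = {"smtp": 25}
ANY = ipaddress.IPv4Network("0.0.0.0/0")


@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches everything, else "tcp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # None means any destination port
    text: str                    # original config line, for hitcnt output
    hits: int = 0


def _addr(toks, i):
    """Consume one PIX address spec: 'any' | 'host A.B.C.D' | 'A.B.C.D M.M.M.M'."""
    if toks[i] == "any":
        return ANY, i + 1
    if toks[i] == "host":
        return ipaddress.IPv4Network(toks[i + 1] + "/32"), i + 2
    return ipaddress.IPv4Network(toks[i] + "/" + toks[i + 1]), i + 2


def parse_acl(config):
    """Group 'access-list <id> ...' lines by id, keeping config order (order matters)."""
    acls = {}
    for line in config.strip().splitlines():
        toks = line.split()
        if not toks or toks[0] != "access-list":
            continue
        acl_id, action, proto = toks[1], toks[2], toks[3]
        src, i = _addr(toks, 4)
        dst, i = _addr(toks, i)
        dport = None
        if i < len(toks) and toks[i] == "eq":
            dport = PORTS.get(toks[i + 1]) or int(toks[i + 1])
        acls.setdefault(acl_id, []).append(Ace(action, proto, src, dst, dport, line.strip()))
    return acls


def evaluate(acl, proto, src, dst, dport):
    """First matching entry wins and takes the hit; no match is the implicit deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        ace.hits += 1
        return ace.action
    return "deny"


# The access-list lines from the thread: 101 is bound to outside, 102 to inside.
CONFIG = """
access-list 101 permit tcp any host 172.15.2.1 eq smtp
access-list 102 permit tcp host 10.16.4.2 any eq smtp
access-list 102 deny tcp 10.16.0.0 255.255.0.0 any eq smtp
access-list 102 deny tcp 10.17.0.0 255.255.0.0 any eq smtp
access-list 102 permit ip any any
"""
ACLS = parse_acl(CONFIG)
OUTSIDE_IP = "172.15.2.1"
# static (inside,outside) tcp interface smtp 10.16.4.2 smtp: TCP/25 on the
# outside interface address is forwarded to the Exchange server.
STATICS = {(OUTSIDE_IP, 25): ("10.16.4.2", 25)}


def outbound(src, dst, dport, proto="tcp"):
    """Packet entering the inside interface: filtered by ACL 102 before the
    nat/global translation to the outside interface address takes place."""
    return evaluate(ACLS["102"], proto, src, dst, dport)


def inbound(src, dport, proto="tcp"):
    """Packet arriving on the outside interface for the PIX's own outside
    address. On PIX 6.x the outside ACL is written against the global
    (untranslated) address; a static is then needed to forward it inside."""
    if evaluate(ACLS["101"], proto, src, OUTSIDE_IP, dport) != "permit":
        return "deny", None
    return "permit", STATICS.get((OUTSIDE_IP, dport))


def hitcounts():
    """What 'sh access-list 102' would report: each line with its hitcnt."""
    return {ace.text: ace.hits for ace in ACLS["102"]}


if __name__ == "__main__":
    print(outbound("10.16.6.10", "198.51.100.5", 25))    # workstation mail: deny
    print(outbound("10.16.4.2", "198.51.100.5", 25))     # Exchange server: permit
    print(outbound("10.16.6.10", "198.51.100.5", 443))   # other traffic: permit
    # What canyouseeme.org really tests: the internet connecting back to the
    # PIX outside address on port 25, which ACL 101 and the static still allow.
    print(inbound("203.0.113.10", 25))                   # ('permit', ('10.16.4.2', 25))
    for line, hits in hitcounts().items():
        print(line, "(hitcnt=%d)" % hits)
```

The inbound() result is the point nodisco makes above: the port-25 check from the website never touches ACL 102, because that ACL only sees packets entering the inside interface. The workstation's own outbound attempt is what increments the hitcnt on the deny line, which is why sending a test mail and then running sh access-list 102 is the right check.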

Author

Commented:
Awesome

Ok, think I am good to go!

Thanks for all your help. I am not 100% sure how to allocate points, but I am going to try and allocate 50/50 to yashinchalad for responding quickly and getting me on the right track and nodisco for all his assistance thereafter :)

Thanks again

Commented:
welcome mate

Commented:
This actually helped me a lot!  Thank you.
