dschef asked:
Restrict SMTP port 25 (inbound mail) to specific source ip range - PIX 506E

I want to restrict inbound mail to my Exchange server (10.0.0.10) so that only mail from our Postini mail filter service can get through port 25. The Postini range is 64.18.0.0 - 64.18.240.0. My PIX ip address is 70.141.89.###. I've read a few existing Q&As but I can't be sure how to apply the info directly to my situation.

Here's the section of my current PIX config that contains the access-list lines:

access-list outside_access_in permit tcp any host 70.141.89.### eq 123
access-list outside_access_in permit tcp any host 10.0.0.15 eq pptp
access-list outside_access_in permit tcp any interface outside eq pop3
access-list outside_access_in permit tcp any interface outside eq https
access-list outside_access_in permit tcp any host 70.141.89.### eq 15353
access-list outside_access_in permit tcp any host 70.141.89.### eq 37
access-list outside_access_in permit udp any host 10.0.0.15 eq 1723
access-list outside_access_in permit gre interface outside any
access-list outside_access_in permit icmp any any
access-list outside_access_in permit tcp any host 70.141.89.### eq pptp
access-list outside_access_in permit gre any host 70.141.89.###
access-list outside_access_in permit tcp any interface outside eq imap4
access-list outside_access_in permit tcp any host 70.141.89.### eq smtp
access-list outside_access_in permit tcp any host 70.141.89.### eq www
access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.255.255.0 10.0.3.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.255.255.0 10.0.4.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.255.255.0 10.0.50.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any 10.0.0.0 255.255.255.0
access-list inside_outbound_nat0_acl remark VPNintoRoscoe
access-list inside_outbound_nat0_acl permit ip any interface outside
access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.255.255.0 10.1.10.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.255.255.0 10.0.13.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.255.255.0 10.0.12.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 10.0.0.0 255.255.255.0 10.0.3.0 255.255.255.0
access-list outside_cryptomap_240 permit ip 10.0.0.0 255.255.255.0 10.1.10.0 255.255.255.0
access-list outside_cryptomap_100 permit ip 10.0.0.0 255.255.255.0 10.0.4.0 255.255.255.0
access-list outside_cryptomap_140 permit ip 10.0.0.0 255.255.255.0 10.0.50.0 255.255.255.0
access-list outside_cryptomap_300 permit ip 10.0.0.0 255.255.255.0 10.0.12.0 255.255.255.0
access-list outside_cryptomap_280 permit ip 10.0.0.0 255.255.255.0 10.0.13.0 255.255.255.0
pager lines 24
logging on
icmp permit any outside
icmp permit any inside

Can you help me create the list of commands that I need to enter into the running config?

THX
Mike
MikeHolcomb

Adding the following lines to your 'outside_access_in' ACL should do the trick for you...


access-list outside_access_in permit tcp 64.18.0.0 255.255.240.0 host 70.141.89.x eq 25
access-list outside_access_in deny tcp any any 25

The first line allows SMTP only from Postini's range, which I verified, to only your mail server at 70.141.89.x.

The second line will block all other SMTP connections. You can add the word 'log' at the end if you would like to receive a log notification any time an SMTP connection is blocked from a non-Postini source.

Hope this helps...

Mike
Oops - forgot the 'eq' on the second line - sorry!

access-list outside_access_in deny tcp any any eq 25
dschef (ASKER)

Thanks for the quick response.
Here are a few lines that I interpreted from previous reading:

no access-list outside_access_in

<Reapply the initial entries>
access-list outside_access_in permit tcp any host 70.141.89.x eq www

access-list outside_access_in deny ip any host 70.141.89.x

<allow incoming mail from the Postini ip range>
access-list outside_access_in permit tcp 64.18.0.0 255.255.240.0 host 70.141.89.x eq smtp

<deny all other incoming mail>
access-list outside_access_in deny tcp any host 70.141.89.x eq smtp
access-list outside_access_in permit ip any any

<reapply the access-list to the interface>
access-group outside_access_in in interface outside

As you can see, there are some differences and I'm a bit uneasy making the change because it affects over 200 users.
What do you think?
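Both approaches in this thread hinge on first-match order, so here is an added Python evaluator (not from the thread, nor Cisco's code) that applies the posted access-list lines to constructed sample packets. It assumes a placeholder 70.141.89.1 for the masked PIX address and treats `permit ip` as matching every protocol.

```python
# Added example (not from the thread): first-match evaluator for the PIX ACL lines above,
# to show why the order of the SMTP entries matters. Sample packets are constructed.
import ipaddress

PORTS = {"smtp": 25, "www": 80, "https": 443, "pop3": 110, "imap4": 143, "pptp": 1723}
PIX_OUTSIDE = "70.141.89.1"  # placeholder for the masked 70.141.89.### in the question

def parse_addr(tok, i):
    """Read one address spec ('any', 'host A', 'interface outside', 'NET MASK'); PIX uses subnet masks."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    if tok[i] == "interface":  # 'interface outside' means the PIX's own outside address
        return ipaddress.ip_network(PIX_OUTSIDE + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2

def parse_rule(line):
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT]' into a dict."""
    tok = line.split()
    action, proto = tok[2], tok[3]
    src, i = parse_addr(tok, 4)
    dst, i = parse_addr(tok, i)
    port = None
    if i < len(tok) and tok[i] == "eq":
        port = PORTS.get(tok[i + 1]) or int(tok[i + 1])
    return {"action": action, "proto": proto, "src": src, "dst": dst, "port": port}

def evaluate(rules, proto, src, dst, port):
    """Action of the first matching rule; an unmatched packet hits the implicit deny."""
    for r in rules:
        if r["proto"] in (proto, "ip") and ipaddress.ip_address(src) in r["src"] \
                and ipaddress.ip_address(dst) in r["dst"] and r["port"] in (None, port):
            return r["action"]
    return "deny"

# Mike's two lines appended after the existing 'permit tcp any host ... eq smtp' entry
APPENDED = [parse_rule(l) for l in (
    f"access-list outside_access_in permit tcp any host {PIX_OUTSIDE} eq smtp",
    f"access-list outside_access_in permit tcp 64.18.0.0 255.255.240.0 host {PIX_OUTSIDE} eq 25",
    "access-list outside_access_in deny tcp any any eq 25",
)]
# The asker's rebuilt order: Postini permit first, then the SMTP deny, then the old entries
REBUILT = [parse_rule(l) for l in (
    f"access-list outside_access_in permit tcp 64.18.0.0 255.255.240.0 host {PIX_OUTSIDE} eq smtp",
    f"access-list outside_access_in deny tcp any host {PIX_OUTSIDE} eq smtp",
    f"access-list outside_access_in permit tcp any host {PIX_OUTSIDE} eq www",
)]
```

With the existing `permit tcp any host ... eq smtp` entry still ahead of them, the appended lines never see an SMTP packet, so evaluate(APPENDED, ...) still permits port 25 from any source, while the rebuilt order denies it; mask 255.255.240.0 covers 64.18.0.0 through 64.18.15.255, not up to 64.18.240.0. A trailing `permit ip any any` would match every inbound packet to every internal host, so that line should not be part of the rebuilt list.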
ASKER CERTIFIED SOLUTION
MikeHolcomb
dschef (ASKER)
Good answer(s) - easy for me to follow and understand.

I made the entries, tested inbound mail from three different sources, and all is good.

Thanks, Mike