• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 385

Configure Cisco Firewall to refuse traffic from port 25 except for specific IP from Postini

Hi, I need to make changes to the firewall to stop traffic to port 25 for the email server and allow it only for a specific IP range from Postini. Using Cisco PIX Firewall Version 6.3(3)132.
Please let me know.
Thanks.
0
Asked: sreesun
1 Solution
 
qbakiesCommented:
I will assume you already have a static NAT for your mail server and an ACL applied to the outside interface.  You just need to remove any current statements in the ACL that reference port 25 or your email server and then add a new statement for Postini.

x.x.x.x = your email server
y.y.y.y = Postini IP

no access-list EMAIL extended permit tcp any host x.x.x.x eq smtp
access-list EMAIL extended permit tcp host y.y.y.y host x.x.x.x eq smtp
0
 
sreesunAuthor Commented:
Thank you. I tried the below

access-list EMAIL extended permit tcp host 74.125.148.0 host 192.168.1.135 eq smtp

and got the error:

ERROR:<extended> not a valid permission

Checked the current setting in firewall and it was:
access-list acl-in permit tcp any gt 1023 host 192.168.1.135 eq smtp

So did the following:
no access-list acl-in permit tcp any gt 1023 host 192.168.1.135 eq smtp
access-list acl-in permit tcp host 74.125.148.0 host 192.168.1.135 eq smtp

And when tested, the emails stopped flowing and I reverted the changes. Please let me know if anything is wrong in the syntax.
0
 
qbakiesCommented:
Is that the only statement in acl_in? Can you post your config?
0
sreesunAuthor Commented:
I have these in my config for acl-in:

access-list acl-in permit tcp any gt 1023 host 192.168.1.131 eq www
access-list acl-in permit tcp any gt 1023 host 192.168.1.131 eq https
access-list acl-in permit tcp any gt 1023 host 192.168.1.131 eq ftp
access-list acl-in permit tcp any gt 1023 host 192.168.1.133 eq www
access-list acl-in permit tcp any gt 1023 host 192.168.1.133 eq https
access-list acl-in permit tcp any gt 1023 host 192.168.1.134 eq www
access-list acl-in permit tcp any gt 1023 host 192.168.1.134 eq https
access-list acl-in permit tcp any gt 1023 host 192.168.1.135 eq pop3
access-list acl-in permit tcp any gt 1023 host 192.168.1.135 eq www
access-list acl-in permit tcp any gt 1023 host 192.168.1.135 eq https
access-list acl-in permit tcp any gt 1023 host 192.168.1.135 eq 1025
access-list acl-in permit tcp any gt 1023 host 192.168.1.135 eq smtp
access-list acl-in permit tcp any gt 1023 host 192.168.1.137 eq www
access-list acl-in permit tcp any gt 1023 host 192.168.1.137 eq https
access-list acl-in permit tcp any gt 1023 host 192.168.1.137 eq pop3
access-list acl-in permit tcp any gt 1023 host 192.168.1.137 eq 1025
access-list acl-in permit tcp any gt 1023 host 192.168.1.138 eq www
access-list acl-in permit tcp any gt 1023 host 192.168.1.139 eq www
access-list acl-in permit tcp any host 192.168.1.139 eq domain
access-list acl-in permit udp any host 192.168.1.139 eq domain
access-list acl-in permit tcp any host 192.168.1.138 eq domain
access-list acl-in permit udp any host 192.168.1.138 eq domain
access-list acl-in permit icmp any any echo-reply
access-list acl-in permit icmp any any source-quench
access-list acl-in permit icmp any any time-exceeded
access-list acl-in permit tcp any gt 1023 host 192.168.1.142 eq www
access-list acl-in permit tcp any host 192.168.1.142 eq domain
access-list acl-in permit tcp any gt 1023 host 192.168.1.143 eq www
access-list acl-in permit tcp any host 192.168.1.143 eq domain
access-list acl-in permit tcp any gt 1023 host 192.168.1.143 eq https
access-list acl-in permit tcp any gt 1023 host 192.168.1.132 eq www
access-list acl-in permit tcp any gt 1023 host 192.168.1.132 eq https
access-list acl-in permit tcp any gt 1023 host 192.168.1.140 eq ftp
access-list acl-in permit tcp any gt 1023 host 192.168.1.145 eq www
access-list acl-in permit tcp any gt 1023 host 192.168.1.146 eq www
access-list acl-in permit tcp any gt 1023 host 192.168.1.140 eq www
access-list acl-in permit tcp any gt 1023 host 192.168.1.147 eq www
access-list acl-in permit tcp any gt 1023 host 192.168.1.148 eq www
access-list acl-in permit tcp any gt 1023 host 192.168.1.149 eq www
access-list acl-in permit tcp any gt 1023 host 192.168.1.150 eq www
access-list acl-in permit tcp any gt 1023 host 192.168.1.149 eq https
access-list acl-in permit tcp any gt 1023 host 192.168.1.150 eq https
access-list acl-in permit tcp any gt 1023 host 192.168.1.151 eq www
access-list acl-in permit tcp any gt 1023 host 192.168.1.151 eq https
access-list acl-in permit tcp any gt 1023 host 192.168.1.152 eq www
access-list acl-in permit tcp any gt 1023 host 192.168.1.152 eq https
access-list acl_in permit tcp any any eq aol
0
 
Markus BraunCEOCommented:
Access lists on the outside interface have no use unless you have a static statement.
Technically all you need is this:

access-list INCOMING permit tcp (SOURCE IP) (INTERFACE or WAN IP) eq 25
and
static (inside,outside) tcp (INTERFACE or WAN IP)  smtp (LAN IP of EMAIL SERVER)  smtp netmask 255.255.255.255  dns

If you want the traffic to come in on your WAN interface IP, you type "interface" and not an IP address; just wanted to make that clear.
0
 
sreesunAuthor Commented:
Still it's not working. Please let me know of any other ways to allow traffic for port 25 only via the Postini IP address.
0
 
Markus BraunCEOCommented:
OK, you will have to post your config so I can tell you what's wrong with it. What I posted before is all you need.
0
 
qbakiesCommented:
Posting your config would help, but if the other ACEs are working then you must have a static NAT statement in place and the access-group assigned properly.

Are you sure 74.125.148.0 is the correct IP? Did they give you a subnet range that starts at this IP? Using the keyword 'host' in the ACE is the same as entering 255.255.255.255, so only that specific IP is allowed in. If they gave you a subnet range then you would need to allow it by putting in the subnet mask like this:

access-list acl-in permit tcp 74.125.148.0 255.255.255.248 host 192.168.1.135 eq smtp

That would allow 74.125.148.0/29 access to smtp
0
 
sreesunAuthor Commented:
Thank you.
Here are the IP addresses given by Postini:
IP range: 74.125.148.0 - 74.125.151.255
Subnet mask: 255.255.252.0

Also attached is the config file .

Please let me know the entries to be added and removed.
Firewall-03242010.txt
0
 
qbakiesCommented:
no access-list acl-in permit tcp any gt 1023 host 192.168.1.135 eq smtp
access-list acl-in permit tcp 74.125.148.0 255.255.252.0 host 192.168.1.135 eq smtp

0
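Editor's added example, not code from the thread or from Cisco: a small offline evaluator for PIX 6.3-style ACEs that reproduces the three states of acl-in discussed above (the original "any gt 1023" entry, the failed attempt with the host keyword, and the accepted /22 fix) and shows which source addresses can reach 192.168.1.135:25 under each. It parses only the tcp/udp/ip lines in the form used on this page (PIX masks are real subnet masks, not IOS wildcard masks), honours "no access-list" removals, and applies the implicit deny at the end of the list. The sample config is constructed from the entries posted in the thread; 203.0.113.10 is a constructed non-Postini sender, and 74.125.152.1 is a constructed address one step outside Postini's range.

```python
"""Offline evaluator for Cisco PIX 6.3-style access-list entries.

Added example (not from the thread). Handles ACEs of the form
  access-list NAME permit|deny PROTO SRC [PORTSPEC] DST [PORTSPEC]
where SRC/DST is 'any', 'host A.B.C.D' or 'A.B.C.D MASK' (a real subnet mask).
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List

PORT_NAMES = {"ftp": 21, "smtp": 25, "domain": 53, "www": 80, "pop3": 110,
              "https": 443, "aol": 5190}


def _port(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _parse_addr(tokens: List[str], i: int):
    """Return (network, next_index) for 'any', 'host X', or 'X MASK'."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":  # 'host X' is the same as 'X 255.255.255.255'
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def _parse_ports(tokens: List[str], i: int):
    """Return (predicate, next_index); no operator means any port matches."""
    if i < len(tokens) and tokens[i] in ("eq", "neq", "gt", "lt", "range"):
        op = tokens[i]
        if op == "range":
            lo, hi = _port(tokens[i + 1]), _port(tokens[i + 2])
            return (lambda p: lo <= p <= hi), i + 3
        v = _port(tokens[i + 1])
        preds = {"eq": lambda p: p == v, "neq": lambda p: p != v,
                 "gt": lambda p: p > v, "lt": lambda p: p < v}
        return preds[op], i + 2
    return (lambda p: True), i


@dataclass
class Ace:
    text: str
    action: str
    proto: str
    src: ipaddress.IPv4Network
    src_ok: Callable[[int], bool]
    dst: ipaddress.IPv4Network
    dst_ok: Callable[[int], bool]


def parse_acls(config: str) -> Dict[str, List[Ace]]:
    """Build ordered ACLs from config text; 'no access-list ...' removes that ACE."""
    acls: Dict[str, List[Ace]] = {}
    for raw in config.splitlines():
        tokens = raw.split()
        negate = bool(tokens) and tokens[0] == "no"
        if negate:
            tokens = tokens[1:]
        if not tokens or tokens[0] != "access-list" or tokens[3] not in ("tcp", "udp", "ip"):
            continue  # icmp lines are not needed for a port-25 check
        name, action, proto = tokens[1], tokens[2], tokens[3]
        src, i = _parse_addr(tokens, 4)
        src_ok, i = _parse_ports(tokens, i)
        dst, i = _parse_addr(tokens, i)
        dst_ok, _ = _parse_ports(tokens, i)
        text = " ".join(tokens)
        entries = acls.setdefault(name, [])
        if negate:
            acls[name] = [a for a in entries if a.text != text]
        else:
            entries.append(Ace(text, action, proto, src, src_ok, dst, dst_ok))
    return acls


def evaluate(aces: List[Ace], proto: str, src_ip: str, src_port: int,
             dst_ip: str, dst_port: int) -> str:
    """First matching ACE wins; no match means the PIX implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for a in aces:
        if a.proto in (proto, "ip") and s in a.src and d in a.dst \
                and a.src_ok(src_port) and a.dst_ok(dst_port):
            return a.action
    return "deny"


# Constructed from the thread: the mail-server part of the original acl-in.
ORIGINAL = """
access-list acl-in permit tcp any gt 1023 host 192.168.1.135 eq pop3
access-list acl-in permit tcp any gt 1023 host 192.168.1.135 eq smtp
"""
# The failed attempt (host keyword = one /32) and the accepted fix (/22 mask).
ATTEMPT_HOST = ORIGINAL + """
no access-list acl-in permit tcp any gt 1023 host 192.168.1.135 eq smtp
access-list acl-in permit tcp host 74.125.148.0 host 192.168.1.135 eq smtp
"""
FIXED = ORIGINAL + """
no access-list acl-in permit tcp any gt 1023 host 192.168.1.135 eq smtp
access-list acl-in permit tcp 74.125.148.0 255.255.252.0 host 192.168.1.135 eq smtp
"""


def smtp_verdict(config: str, src_ip: str, src_port: int = 40000) -> str:
    """Verdict for an inbound SMTP connection from src_ip to the mail server."""
    return evaluate(parse_acls(config)["acl-in"], "tcp", src_ip, src_port,
                    "192.168.1.135", 25)


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL), ("host keyword", ATTEMPT_HOST), ("/22 fix", FIXED)):
        for src in ("203.0.113.10", "74.125.148.0", "74.125.150.7", "74.125.152.1"):
            print(f"{label:13} {src:15} -> {smtp_verdict(cfg, src)}")
```

Running it shows why the first attempt broke mail: with `host 74.125.148.0` only that single address is permitted, so 74.125.150.7 (inside Postini's 74.125.148.0-74.125.151.255 range) is denied, while the 255.255.252.0 mask permits the whole /22 and still denies 74.125.152.1. One caveat the evaluator also makes visible: the replacement ACE drops the `gt 1023` source-port restriction that the original entry carried, which is harmless for Postini's relays but is a change worth noting in the change record.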
 
sreesunAuthor Commented:
Thank you qbakies. The solution worked and emails are working after making the firewall changes.
0
