AggieJeff

Cisco ASA Rules for SMTP outbound

I need to make sure that my firewall is correct to stop all outbound SMTP traffic except for my Exchange server. The IPs of the Exchange server are 172.17.2.35 - 37. My configuration is below.

User Access Verification

Password:
Type help or '?' for a list of available commands.
HoustonASA> en
Password: *******
HoustonASA# conf t
HoustonASA(config)# access-list acl_outbound extended deny tcp any any eq smtp
HoustonASA(config)# wr mem
Building configuration...
Cryptochecksum: de6c5a0a 39d12220 5a8c827e db24d508

9011 bytes copied in 3.590 secs (3003 bytes/sec)
[OK]
HoustonASA(config)# sh config
: Saved
: Written by enable_15 at 05:00:56.598 UTC Fri Sep 10 2010
!
ASA Version 7.0(8)
!
hostname HoustonASA
domain-name cottonrestorationinc.com
enable password TaR7pFaimyVPdvK7 encrypted
passwd TaR7pFaimyVPdvK7 encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 204.95.141.154 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 172.17.2.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
same-security-traffic permit intra-interface
access-list out extended permit tcp any interface outside eq www
access-list out extended permit tcp any interface outside eq https
access-list out extended permit tcp any interface outside eq 8000
access-list out extended permit tcp any host 204.95.141.155 eq https
access-list out extended permit tcp any host 204.95.141.156 eq www
access-list out extended permit tcp any host 204.95.141.156 eq https
access-list out extended permit tcp any host 204.95.141.157 eq ssh
access-list out extended permit tcp any host 204.95.141.157 eq www
access-list out extended permit tcp any host 204.95.141.157 eq https
access-list out extended permit tcp any host 204.95.141.158 eq ssh
access-list out extended permit tcp any host 204.95.141.158 eq www
access-list out extended permit tcp any host 204.95.141.158 eq https
access-list out extended permit tcp any interface outside eq 3389
access-list out extended permit tcp any interface outside eq smtp
access-list nonat extended permit ip 172.17.2.0 255.255.255.0 172.31.1.0 255.255.255.0
access-list nonat extended permit ip 192.168.0.0 255.255.255.0 172.31.1.0 255.255.255.0
access-list nonat extended permit ip 192.168.3.0 255.255.255.0 172.31.1.0 255.255.255.0
access-list nonat extended permit ip 192.168.2.0 255.255.255.0 172.31.1.0 255.255.255.0
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 172.31.1.0 255.255.255.0
access-list nonat extended permit ip 10.1.2.0 255.255.255.0 172.31.1.0 255.255.255.0
access-list split-tunnel standard permit 172.17.2.0 255.255.255.0
access-list split-tunnel standard permit 192.168.0.0 255.255.255.0
access-list split-tunnel standard permit 192.168.2.0 255.255.255.0
access-list split-tunnel standard permit 192.168.3.0 255.255.255.0
access-list split-tunnel standard permit 10.1.1.0 255.255.255.0
access-list split-tunnel standard permit 10.1.2.0 255.255.255.0
access-list acl_outbound extended permit tcp host 172.17.2.35 any eq smtp
access-list acl_outbound extended permit tcp host 172.17.2.36 any eq smtp
access-list acl_outbound extended permit tcp host 172.17.2.37 any eq smtp
access-list acl_outbound extended deny tcp any any eq smtp
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool cotton 172.31.1.1-172.31.1.254 mask 255.255.255.0
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 172.17.2.26 smtp netmask 255.255.255.255
static (inside,outside) tcp interface 8000 172.17.2.26 8000 netmask 255.255.255.255
static (inside,outside) tcp 204.95.141.155 https 172.17.2.37 https netmask 255.255.255.255
static (inside,outside) tcp 204.95.141.157 ssh 172.17.2.42 ssh netmask 255.255.255.255
static (inside,outside) tcp 204.95.141.157 www 172.17.2.42 www netmask 255.255.255.255
static (inside,outside) tcp 204.95.141.157 https 172.17.2.42 https netmask 255.255.255.255
static (inside,outside) tcp 204.95.141.158 ssh 172.17.2.43 ssh netmask 255.255.255.255
static (inside,outside) tcp 204.95.141.158 www 172.17.2.43 www netmask 255.255.255.255
static (inside,outside) tcp 204.95.141.158 https 172.17.2.43 https netmask 255.255.255.255
static (inside,outside) tcp interface https 172.17.2.18 https netmask 255.255.255.255
static (inside,outside) tcp interface www 172.17.2.5 www netmask 255.255.255.255
static (inside,outside) tcp interface 3389 172.17.2.182 3389 netmask 255.255.255.255
static (inside,outside) 204.95.141.156 10.1.1.248 netmask 255.255.255.255
static (inside,outside) 204.95.141.159 10.1.1.249 netmask 255.255.255.255
access-group out in interface outside
Pete Long

I'm guessing you just need to add

access-list acl_outbound line 4 extended deny tcp any any eq smtp

To be sure, issue the following command:

show access-group

As long as it says

access-group acl_outbound in interface inside

then that will do the trick :)

In fact, LOL, you already have that line 4!! Just make sure the ACL is applied with an access-group command :)
AggieJeff

What does line 4 mean? I just need to add that line and nothing else?
Start over. What exactly do I need to add? Do I need to redo anything?
access-list acl_outbound extended permit tcp host 172.17.2.35 any eq smtp
access-list acl_outbound extended permit tcp host 172.17.2.36 any eq smtp
access-list acl_outbound extended permit tcp host 172.17.2.37 any eq smtp
access-list acl_outbound extended deny tcp any any eq smtp

The above is what you already have.... now what you need to add is:

---access-list acl_outbound extended permit ip any any
(make sure this is there otherwise all your ip traffic from inside to outside will be implicitly denied)

and

---access-group acl_outbound in interface inside
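To see why the order of those lines and the final permit matter, here is an added first-match walk of acl_outbound as it stands in this thread (illustration code, not anything from Cisco or from the posters; the 172.17.2.50 address is a constructed inside host):

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Ace:
    """One access-control entry: action, protocol, source network, dest port."""
    action: str        # "permit" or "deny"
    proto: str         # "tcp", or "ip" which matches every IP protocol
    src: ipaddress.IPv4Network
    dport: Optional[int]   # None means any destination port

ANY = ipaddress.IPv4Network("0.0.0.0/0")
SMTP = 25

def host(ip):
    return ipaddress.IPv4Network(ip + "/32")

# acl_outbound as shown on the page once the permit-ip-any-any line is added.
ACL_OUTBOUND = [
    Ace("permit", "tcp", host("172.17.2.35"), SMTP),
    Ace("permit", "tcp", host("172.17.2.36"), SMTP),
    Ace("permit", "tcp", host("172.17.2.37"), SMTP),
    Ace("deny",   "tcp", ANY, SMTP),
    Ace("permit", "ip",  ANY, None),
]

def evaluate(acl, src_ip, proto, dport):
    """Return (action, 1-based line number) of the first matching entry, or
    ("deny", None) when nothing matches: the ASA's implicit deny at the end."""
    src = ipaddress.IPv4Address(src_ip)
    for lineno, ace in enumerate(acl, start=1):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if src not in ace.src:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, lineno
    return "deny", None

def policy_holds(acl, exchange_hosts, other_host="172.17.2.50"):
    """True when only exchange_hosts may open outbound TCP/25 while an
    ordinary inside host (constructed address) can still reach HTTPS."""
    if any(evaluate(acl, h, "tcp", SMTP)[0] != "permit" for h in exchange_hosts):
        return False
    if evaluate(acl, other_host, "tcp", SMTP)[0] != "deny":
        return False
    return evaluate(acl, other_host, "tcp", 443)[0] == "permit"
```

Dropping the last entry (`ACL_OUTBOUND[:4]`) leaves the SMTP rules intact but sends every other flow to the implicit deny, which is the failure the reply above warns about.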
I made those changes and here is my config now. Please check it to see if anything besides my mail server can transmit outbound. I have some spam bot I can't find and we are getting blacklisted.

User Access Verification

Password:
Type help or '?' for a list of available commands.
HoustonASA> en
Password: *******
HoustonASA# config t
HoustonASA(config)# access-list acl_outbound extended permit ip any any
HoustonASA(config)# access-group acl_outbound in interface inside
HoustonASA(config)# wr mem
Building configuration...
Cryptochecksum: 2f36f2c7 dc9f244f 5b1ac168 a5ed04fa

9110 bytes copied in 3.700 secs (3036 bytes/sec)
[OK]
HoustonASA(config)# sh config
: Saved
: Written by enable_15 at 05:41:13.635 UTC Fri Sep 10 2010
!
ASA Version 7.0(8)
!
hostname HoustonASA
domain-name cottonrestorationinc.com
enable password TaR7pFaimyVPdvK7 encrypted
passwd TaR7pFaimyVPdvK7 encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 204.95.141.154 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 172.17.2.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
same-security-traffic permit intra-interface
access-list out extended permit tcp any interface outside eq www
access-list out extended permit tcp any interface outside eq https
access-list out extended permit tcp any interface outside eq 8000
access-list out extended permit tcp any host 204.95.141.155 eq https
access-list out extended permit tcp any host 204.95.141.156 eq www
access-list out extended permit tcp any host 204.95.141.156 eq https
access-list out extended permit tcp any host 204.95.141.157 eq ssh
access-list out extended permit tcp any host 204.95.141.157 eq www
access-list out extended permit tcp any host 204.95.141.157 eq https
access-list out extended permit tcp any host 204.95.141.158 eq ssh
access-list out extended permit tcp any host 204.95.141.158 eq www
access-list out extended permit tcp any host 204.95.141.158 eq https
access-list out extended permit tcp any interface outside eq 3389
access-list out extended permit tcp any interface outside eq smtp
access-list nonat extended permit ip 172.17.2.0 255.255.255.0 172.31.1.0 255.255.255.0
access-list nonat extended permit ip 192.168.0.0 255.255.255.0 172.31.1.0 255.255.255.0
access-list nonat extended permit ip 192.168.3.0 255.255.255.0 172.31.1.0 255.255.255.0
access-list nonat extended permit ip 192.168.2.0 255.255.255.0 172.31.1.0 255.255.255.0
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 172.31.1.0 255.255.255.0
access-list nonat extended permit ip 10.1.2.0 255.255.255.0 172.31.1.0 255.255.255.0
access-list split-tunnel standard permit 172.17.2.0 255.255.255.0
access-list split-tunnel standard permit 192.168.0.0 255.255.255.0
access-list split-tunnel standard permit 192.168.2.0 255.255.255.0
access-list split-tunnel standard permit 192.168.3.0 255.255.255.0
access-list split-tunnel standard permit 10.1.1.0 255.255.255.0
access-list split-tunnel standard permit 10.1.2.0 255.255.255.0
access-list acl_outbound extended permit tcp host 172.17.2.35 any eq smtp
access-list acl_outbound extended permit tcp host 172.17.2.36 any eq smtp
access-list acl_outbound extended permit tcp host 172.17.2.37 any eq smtp
access-list acl_outbound extended deny tcp any any eq smtp
access-list acl_outbound extended permit ip any any
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool cotton 172.31.1.1-172.31.1.254 mask 255.255.255.0
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 172.17.2.26 smtp netmask 255.255.255.255
static (inside,outside) tcp interface 8000 172.17.2.26 8000 netmask 255.255.255.255
static (inside,outside) tcp 204.95.141.155 https 172.17.2.37 https netmask 255.255.255.255
static (inside,outside) tcp 204.95.141.157 ssh 172.17.2.42 ssh netmask 255.255.255.255
static (inside,outside) tcp 204.95.141.157 www 172.17.2.42 www netmask 255.255.255.255
static (inside,outside) tcp 204.95.141.157 https 172.17.2.42 https netmask 255.255.255.255
static (inside,outside) tcp 204.95.141.158 ssh 172.17.2.43 ssh netmask 255.255.255.255
static (inside,outside) tcp 204.95.141.158 www 172.17.2.43 www netmask 255.255.255.255
static (inside,outside) tcp 204.95.141.158 https 172.17.2.43 https netmask 255.255.255.255
static (inside,outside) tcp interface https 172.17.2.18 https netmask 255.255.255.255
static (inside,outside) tcp interface www 172.17.2.5 www netmask 255.255.255.255
static (inside,outside) tcp interface 3389 172.17.2.182 3389 netmask 255.255.255.255
static (inside,outside) 204.95.141.156 10.1.1.248 netmask 255.255.255.255
static (inside,outside) 204.95.141.159 10.1.1.249 netmask 255.255.255.255
access-group out in interface outside
access-group acl_outbound in interface inside
Perfect!!
Thanks. Know anything about finding a spambot on a LAN?
On a firewall?? Yea.. maybe you can apply captures for SMTP traffic on the inside interface of the firewall, and any traffic coming from any IP other than your Exchange should be of concern.
I'm a Cisco dummy. How do you do that and check the logs?
ASKER CERTIFIED SOLUTION
ullas_unni
The ASDM won't launch? Errrrrrr. Any way to check on the command line?
You can do it on the ASA buffer... put in these:

logging buffered notification
show logging

It will show all the ASA logs... you should be able to find the ACL drops in that..
Syslog is disabled. Dumb question, but how do I enable syslog, and do I need to redo those rules?
I used the logging on command. I'm getting some logs now. Will I see a deny of SMTP listed? Also, what if I don't? I need to identify my issue. I am scanning my email server, plus it's not showing as an open relay.
#logging enable ----> for syslogs

And yea, you need to redo those access-lists in the same order I have put,
just to ensure a log for that deny statement.
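Once the buffer is logging, the lines worth hunting for are the ACL-deny messages (%ASA-4-106023) whose source is an inside host other than the Exchange servers. The following is an added triage script for pasted `show logging` output, not code from the thread or from Cisco; the sample log lines are constructed in the ASA's standard 106023 format, not captured from this firewall.

```python
import re

# Constructed sample of what `show logging` might hold after the deny rule
# fires. The 106023 message is the ASA's ACL-deny syslog; other lines are noise.
SAMPLE_LOG = """\
%ASA-4-106023: Deny tcp src inside:172.17.2.88/51234 dst outside:203.0.113.10/25 by access-group "acl_outbound" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:172.17.2.88/51235 dst outside:203.0.113.11/25 by access-group "acl_outbound" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:172.17.2.120/40001 dst outside:198.51.100.7/25 by access-group "acl_outbound" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:198.51.100.9/4444 dst inside:172.17.2.5/23 by access-group "out" [0x0, 0x0]
%ASA-6-302013: Built outbound TCP connection 1 for outside:203.0.113.10/25 (203.0.113.10/25) to inside:172.17.2.35/50000 (204.95.141.154/50000)
"""

DENY_RE = re.compile(
    r'%ASA-4-106023: Deny (?P<proto>\w+) src (?P<src_if>\w+):(?P<src>[\d.]+)/\d+ '
    r'dst (?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"'
)

# The hosts the thread's ACL allows to send mail; everything else on the
# inside that is denied on TCP/25 is a candidate for the spam bot.
EXCHANGE = {"172.17.2.35", "172.17.2.36", "172.17.2.37"}

def smtp_deny_sources(log_text, acl_name="acl_outbound"):
    """Map each non-Exchange inside host to the number of outbound TCP/25
    attempts that acl_name denied. Inbound denies and other ACLs are ignored."""
    hits = {}
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if not m or m["acl"] != acl_name:
            continue
        if m["proto"] != "tcp" or m["dport"] != "25" or m["src_if"] != "inside":
            continue
        if m["src"] in EXCHANGE:
            continue
        hits[m["src"]] = hits.get(m["src"], 0) + 1
    return hits

if __name__ == "__main__":
    for src, count in sorted(smtp_deny_sources(SAMPLE_LOG).items(), key=lambda kv: -kv[1]):
        print(f"{src}: {count} denied outbound SMTP attempts")
```

106023 is logged at severity 4 (warnings), so `logging buffered notification` (severity 5 and below) from the earlier reply does capture it; an Exchange server hitting its own permit line produces no 106023 entry, which is why only denies are counted here.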
I don't see anything in the logs. Anything I should be looking for? I'm looking for anything that says SMTP.