Solved

Cisco ASA Rules for SMTP outbound

Posted on 2010-09-10
18
1,031 Views
Last Modified: 2013-11-30
I need to make sure that my firewall is correct to stop all outbound smtp traffic except for my Exchange server.  The IPs of the exchange server 172.17.2.35 - 37.  My configuration is below.

User Access Verification

Password:
Type help or '?' for a list of available commands.
HoustonASA> en
Password: *******
HoustonASA# conf t
HoustonASA(config)# access-list acl_outbound extended deny tcp any any eq smtp
HoustonASA(config)# wr mem
Building configuration...
Cryptochecksum: de6c5a0a 39d12220 5a8c827e db24d508

9011 bytes copied in 3.590 secs (3003 bytes/sec)
[OK]
HoustonASA(config)# sh config
: Saved
: Written by enable_15 at 05:00:56.598 UTC Fri Sep 10 2010
!
ASA Version 7.0(8)
!
hostname HoustonASA
domain-name cottonrestorationinc.com
enable password TaR7pFaimyVPdvK7 encrypted
passwd TaR7pFaimyVPdvK7 encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 204.95.141.154 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 172.17.2.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
same-security-traffic permit intra-interface
access-list out extended permit tcp any interface outside eq www
access-list out extended permit tcp any interface outside eq https
access-list out extended permit tcp any interface outside eq 8000
access-list out extended permit tcp any host 204.95.141.155 eq https
access-list out extended permit tcp any host 204.95.141.156 eq www
access-list out extended permit tcp any host 204.95.141.156 eq https
access-list out extended permit tcp any host 204.95.141.157 eq ssh
access-list out extended permit tcp any host 204.95.141.157 eq www
access-list out extended permit tcp any host 204.95.141.157 eq https
access-list out extended permit tcp any host 204.95.141.158 eq ssh
access-list out extended permit tcp any host 204.95.141.158 eq www
access-list out extended permit tcp any host 204.95.141.158 eq https
access-list out extended permit tcp any interface outside eq 3389
access-list out extended permit tcp any interface outside eq smtp
access-list nonat extended permit ip 172.17.2.0 255.255.255.0 172.31.1.0 255.255
.255.0
access-list nonat extended permit ip 192.168.0.0 255.255.255.0 172.31.1.0 255.25
5.255.0
access-list nonat extended permit ip 192.168.3.0 255.255.255.0 172.31.1.0 255.25
5.255.0
access-list nonat extended permit ip 192.168.2.0 255.255.255.0 172.31.1.0 255.25
5.255.0
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 172.31.1.0 255.255.2
55.0
access-list nonat extended permit ip 10.1.2.0 255.255.255.0 172.31.1.0 255.255.2
55.0
access-list split-tunnel standard permit 172.17.2.0 255.255.255.0
access-list split-tunnel standard permit 192.168.0.0 255.255.255.0
access-list split-tunnel standard permit 192.168.2.0 255.255.255.0
access-list split-tunnel standard permit 192.168.3.0 255.255.255.0
access-list split-tunnel standard permit 10.1.1.0 255.255.255.0
access-list split-tunnel standard permit 10.1.2.0 255.255.255.0
access-list acl_outbound extended permit tcp host 172.17.2.35 any eq smtp
access-list acl_outbound extended permit tcp host 172.17.2.36 any eq smtp
access-list acl_outbound extended permit tcp host 172.17.2.37 any eq smtp
access-list acl_outbound extended deny tcp any any eq smtp
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool cotton 172.31.1.1-172.31.1.254 mask 255.255.255.0
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 172.17.2.26 smtp netmask 255.255.255.
255
static (inside,outside) tcp interface 8000 172.17.2.26 8000 netmask 255.255.255.
255
static (inside,outside) tcp 204.95.141.155 https 172.17.2.37 https netmask 255.2
55.255.255
static (inside,outside) tcp 204.95.141.157 ssh 172.17.2.42 ssh netmask 255.255.2
55.255
static (inside,outside) tcp 204.95.141.157 www 172.17.2.42 www netmask 255.255.2
55.255
static (inside,outside) tcp 204.95.141.157 https 172.17.2.42 https netmask 255.2
55.255.255
static (inside,outside) tcp 204.95.141.158 ssh 172.17.2.43 ssh netmask 255.255.2
55.255
static (inside,outside) tcp 204.95.141.158 www 172.17.2.43 www netmask 255.255.2
55.255
static (inside,outside) tcp 204.95.141.158 https 172.17.2.43 https netmask 255.2
55.255.255
static (inside,outside) tcp interface https 172.17.2.18 https netmask 255.255.25
5.255
static (inside,outside) tcp interface www 172.17.2.5 www netmask 255.255.255.255

static (inside,outside) tcp interface 3389 172.17.2.182 3389 netmask 255.255.255
.255
static (inside,outside) 204.95.141.156 10.1.1.248 netmask 255.255.255.255
static (inside,outside) 204.95.141.159 10.1.1.249 netmask 255.255.255.255
access-group out in interface outside
0
Comment
Question by:AggieJeff
  • 9
  • 6
  • 3
18 Comments
 
LVL 57

Expert Comment

by:Pete Long
ID: 33646161
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 33646219
Im guessing you just need to add

access-list acl_outbound line 4 extended deny tcp any any eq smtp

to be sure issue the following

show access-group

command

as long as it says

access-group acl_outbound in interface inside


then that will do the trick :)
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 33646227
in fact LOL you already have that line 4!! - just make sure the acl is applied with an access-group command :)
0
 

Author Comment

by:AggieJeff
ID: 33646237
what does line 4 mean?  I just need to add that line and nothing else?
0
 

Author Comment

by:AggieJeff
ID: 33646269
start over.  What exactly do i need to add?  do i need to redo anything?
0
 
LVL 4

Expert Comment

by:ullas_unni
ID: 33646294
access-list acl_outbound extended permit tcp host 172.17.2.35 any eq smtp
access-list acl_outbound extended permit tcp host 172.17.2.36 any eq smtp
access-list acl_outbound extended permit tcp host 172.17.2.37 any eq smtp
access-list acl_outbound extended deny tcp any any eq smtp

the above is what you already have.... now what you need to add is

---access-list acl_outbound extended permit ip any any
(make sure this is there otherwise all your ip traffic from inside to outside will be implicitly denied)

and

---access-group acl_outbound in interface inside
0
 

Author Comment

by:AggieJeff
ID: 33646428
i made those changes and here is my config now.  Please check it to see if anything besides my mail server can transmit outbound.  I have some spam bot i can't find and we are getting blacklisted.  



User Access Verification

Password:
Type help or '?' for a list of available commands.
HoustonASA> en
Password: *******
HoustonASA# config t
HoustonASA(config)# access-list acl_outbound extended permit ip any any
HoustonASA(config)# access-group acl_outbound in interface inside
HoustonASA(config)# wr mem
Building configuration...
Cryptochecksum: 2f36f2c7 dc9f244f 5b1ac168 a5ed04fa

9110 bytes copied in 3.700 secs (3036 bytes/sec)
[OK]
HoustonASA(config)# sh config
: Saved
: Written by enable_15 at 05:41:13.635 UTC Fri Sep 10 2010
!
ASA Version 7.0(8)
!
hostname HoustonASA
domain-name cottonrestorationinc.com
enable password TaR7pFaimyVPdvK7 encrypted
passwd TaR7pFaimyVPdvK7 encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 204.95.141.154 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 172.17.2.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
same-security-traffic permit intra-interface
access-list out extended permit tcp any interface outside eq www
access-list out extended permit tcp any interface outside eq https
access-list out extended permit tcp any interface outside eq 8000
access-list out extended permit tcp any host 204.95.141.155 eq https
access-list out extended permit tcp any host 204.95.141.156 eq www
access-list out extended permit tcp any host 204.95.141.156 eq https
access-list out extended permit tcp any host 204.95.141.157 eq ssh
access-list out extended permit tcp any host 204.95.141.157 eq www
access-list out extended permit tcp any host 204.95.141.157 eq https
access-list out extended permit tcp any host 204.95.141.158 eq ssh
access-list out extended permit tcp any host 204.95.141.158 eq www
access-list out extended permit tcp any host 204.95.141.158 eq https
access-list out extended permit tcp any interface outside eq 3389
access-list out extended permit tcp any interface outside eq smtp
access-list nonat extended permit ip 172.17.2.0 255.255.255.0 172.31.1.0 255.255
.255.0
access-list nonat extended permit ip 192.168.0.0 255.255.255.0 172.31.1.0 255.25
5.255.0
access-list nonat extended permit ip 192.168.3.0 255.255.255.0 172.31.1.0 255.25
5.255.0
access-list nonat extended permit ip 192.168.2.0 255.255.255.0 172.31.1.0 255.25
5.255.0
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 172.31.1.0 255.255.2
55.0
access-list nonat extended permit ip 10.1.2.0 255.255.255.0 172.31.1.0 255.255.2
55.0
access-list split-tunnel standard permit 172.17.2.0 255.255.255.0
access-list split-tunnel standard permit 192.168.0.0 255.255.255.0
access-list split-tunnel standard permit 192.168.2.0 255.255.255.0
access-list split-tunnel standard permit 192.168.3.0 255.255.255.0
access-list split-tunnel standard permit 10.1.1.0 255.255.255.0
access-list split-tunnel standard permit 10.1.2.0 255.255.255.0
access-list acl_outbound extended permit tcp host 172.17.2.35 any eq smtp
access-list acl_outbound extended permit tcp host 172.17.2.36 any eq smtp
access-list acl_outbound extended permit tcp host 172.17.2.37 any eq smtp
access-list acl_outbound extended deny tcp any any eq smtp
access-list acl_outbound extended permit ip any any
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool cotton 172.31.1.1-172.31.1.254 mask 255.255.255.0
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 172.17.2.26 smtp netmask 255.255.255.
255
static (inside,outside) tcp interface 8000 172.17.2.26 8000 netmask 255.255.255.
255
static (inside,outside) tcp 204.95.141.155 https 172.17.2.37 https netmask 255.2
55.255.255
static (inside,outside) tcp 204.95.141.157 ssh 172.17.2.42 ssh netmask 255.255.2
55.255
static (inside,outside) tcp 204.95.141.157 www 172.17.2.42 www netmask 255.255.2
55.255
static (inside,outside) tcp 204.95.141.157 https 172.17.2.42 https netmask 255.2
55.255.255
static (inside,outside) tcp 204.95.141.158 ssh 172.17.2.43 ssh netmask 255.255.2
55.255
static (inside,outside) tcp 204.95.141.158 www 172.17.2.43 www netmask 255.255.2
55.255
static (inside,outside) tcp 204.95.141.158 https 172.17.2.43 https netmask 255.2
55.255.255
static (inside,outside) tcp interface https 172.17.2.18 https netmask 255.255.25
5.255
static (inside,outside) tcp interface www 172.17.2.5 www netmask 255.255.255.255

static (inside,outside) tcp interface 3389 172.17.2.182 3389 netmask 255.255.255
.255
static (inside,outside) 204.95.141.156 10.1.1.248 netmask 255.255.255.255
static (inside,outside) 204.95.141.159 10.1.1.249 netmask 255.255.255.255
access-group out in interface outside
access-group acl_outbound in interface inside
0
 
LVL 4

Expert Comment

by:ullas_unni
ID: 33646518
perfect!!
0
 

Author Comment

by:AggieJeff
ID: 33646539
thanks.  no anything about finding a spambot on a LAN
0
What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

 
LVL 4

Expert Comment

by:ullas_unni
ID: 33646634
on a firewall?? yea.. maybe you can apply captures for smtp traffic on the inside interface of the firewall and any traffic coming from any ip other than your exchange should be of concern.
0
 

Author Comment

by:AggieJeff
ID: 33646659
i'm a cisco dummy.  How do u do that and check the logs.
0
 
LVL 4

Accepted Solution

by:
ullas_unni earned 500 total points
ID: 33646784
well actually you can even see it in access-list logs... if you have syslogs enabled... well yea you have asdm syslog... ok what you can do is change the logging level to notification and give a log keyword at the end of the access-list.

try this in steps:

no access-group acl_outbound in interface inside
no access-list acl_outbound extended permit ip any any
no access-list acl_outbound extended deny tcp any any eq smtp
access-list acl_outbound extended deny tcp any any eq smtp log
access-list acl_outbound extended permit ip any any
access-group acl_outbound in interface inside
logging asdm notifications

and check for logs on asdm for that access-list drops
it should point you to the rogue device.
0
 

Author Comment

by:AggieJeff
ID: 33646951
the asdm won't launch?  errrrrrr.  Anyway to check on command line?
0
 
LVL 4

Expert Comment

by:ullas_unni
ID: 33647025
you can do it on ASA buffer... put in these

logging buffered notification
show logging

it will show all the asa logs... you should be able to find the acl drops in that..
0
 

Author Comment

by:AggieJeff
ID: 33647073
syslog is disabled.  dumb question but how to enable syslog and do i need to redo those rules?
0
 

Author Comment

by:AggieJeff
ID: 33647218
i used the logging on command.  I'm getting some logs now.  Will i see a deny of smtp listed?  Also, what if i don't?  I need to identify my issue.  I am scanning my email server plus its not showing as an open relay
0
 
LVL 4

Expert Comment

by:ullas_unni
ID: 33647332
#logging enable ----> for syslogs

and yea you need to redo those access-list in the same order i have put
just to ensure log for that deny statement
0
 

Author Comment

by:AggieJeff
ID: 33647846
i don't see anything in logs.  Anything i should be looking for?  i'm looking for anything that says smtp
0

Featured Post

Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

Join & Write a Comment

Overview The Cisco PIX 501, PIX 506e, ASA 5505 and ASA 5510 (most if not all of this information will be relevant to the PIX 515e but I do not have a working configuration handy to verify the validity) are primarily used within small to medium busi…
Exchange server is not supported in any cloud-hosted platform (other than Azure with Azure Premium Storage).
Polish reports in Access so they look terrific. Take yourself to another level. Equations, Back Color, Alternate Back Color. Write easy VBA Code. Tighten space to use less pages. Launch report from a menu, considering criteria only when it is filled…
When you create an app prototype with Adobe XD, you can insert system screens -- sharing or Control Center, for example -- with just a few clicks. This video shows you how. You can take the full course on Experts Exchange at http://bit.ly/XDcourse.

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now