We help IT Professionals succeed at work.

Cisco ASA Rules for SMTP outbound

AggieJeff
AggieJeff asked
on
1,107 Views
Last Modified: 2013-11-30
I need to make sure that my firewall is correct to stop all outbound smtp traffic except for my Exchange server.  The IPs of the exchange server 172.17.2.35 - 37.  My configuration is below.

User Access Verification

Password:
Type help or '?' for a list of available commands.
HoustonASA> en
Password: *******
HoustonASA# conf t
HoustonASA(config)# access-list acl_outbound extended deny tcp any any eq smtp
HoustonASA(config)# wr mem
Building configuration...
Cryptochecksum: de6c5a0a 39d12220 5a8c827e db24d508

9011 bytes copied in 3.590 secs (3003 bytes/sec)
[OK]
HoustonASA(config)# sh config
: Saved
: Written by enable_15 at 05:00:56.598 UTC Fri Sep 10 2010
!
ASA Version 7.0(8)
!
hostname HoustonASA
domain-name cottonrestorationinc.com
enable password TaR7pFaimyVPdvK7 encrypted
passwd TaR7pFaimyVPdvK7 encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 204.95.141.154 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 172.17.2.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
same-security-traffic permit intra-interface
access-list out extended permit tcp any interface outside eq www
access-list out extended permit tcp any interface outside eq https
access-list out extended permit tcp any interface outside eq 8000
access-list out extended permit tcp any host 204.95.141.155 eq https
access-list out extended permit tcp any host 204.95.141.156 eq www
access-list out extended permit tcp any host 204.95.141.156 eq https
access-list out extended permit tcp any host 204.95.141.157 eq ssh
access-list out extended permit tcp any host 204.95.141.157 eq www
access-list out extended permit tcp any host 204.95.141.157 eq https
access-list out extended permit tcp any host 204.95.141.158 eq ssh
access-list out extended permit tcp any host 204.95.141.158 eq www
access-list out extended permit tcp any host 204.95.141.158 eq https
access-list out extended permit tcp any interface outside eq 3389
access-list out extended permit tcp any interface outside eq smtp
access-list nonat extended permit ip 172.17.2.0 255.255.255.0 172.31.1.0 255.255
.255.0
access-list nonat extended permit ip 192.168.0.0 255.255.255.0 172.31.1.0 255.25
5.255.0
access-list nonat extended permit ip 192.168.3.0 255.255.255.0 172.31.1.0 255.25
5.255.0
access-list nonat extended permit ip 192.168.2.0 255.255.255.0 172.31.1.0 255.25
5.255.0
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 172.31.1.0 255.255.2
55.0
access-list nonat extended permit ip 10.1.2.0 255.255.255.0 172.31.1.0 255.255.2
55.0
access-list split-tunnel standard permit 172.17.2.0 255.255.255.0
access-list split-tunnel standard permit 192.168.0.0 255.255.255.0
access-list split-tunnel standard permit 192.168.2.0 255.255.255.0
access-list split-tunnel standard permit 192.168.3.0 255.255.255.0
access-list split-tunnel standard permit 10.1.1.0 255.255.255.0
access-list split-tunnel standard permit 10.1.2.0 255.255.255.0
access-list acl_outbound extended permit tcp host 172.17.2.35 any eq smtp
access-list acl_outbound extended permit tcp host 172.17.2.36 any eq smtp
access-list acl_outbound extended permit tcp host 172.17.2.37 any eq smtp
access-list acl_outbound extended deny tcp any any eq smtp
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool cotton 172.31.1.1-172.31.1.254 mask 255.255.255.0
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 172.17.2.26 smtp netmask 255.255.255.
255
static (inside,outside) tcp interface 8000 172.17.2.26 8000 netmask 255.255.255.
255
static (inside,outside) tcp 204.95.141.155 https 172.17.2.37 https netmask 255.2
55.255.255
static (inside,outside) tcp 204.95.141.157 ssh 172.17.2.42 ssh netmask 255.255.2
55.255
static (inside,outside) tcp 204.95.141.157 www 172.17.2.42 www netmask 255.255.2
55.255
static (inside,outside) tcp 204.95.141.157 https 172.17.2.42 https netmask 255.2
55.255.255
static (inside,outside) tcp 204.95.141.158 ssh 172.17.2.43 ssh netmask 255.255.2
55.255
static (inside,outside) tcp 204.95.141.158 www 172.17.2.43 www netmask 255.255.2
55.255
static (inside,outside) tcp 204.95.141.158 https 172.17.2.43 https netmask 255.2
55.255.255
static (inside,outside) tcp interface https 172.17.2.18 https netmask 255.255.25
5.255
static (inside,outside) tcp interface www 172.17.2.5 www netmask 255.255.255.255

static (inside,outside) tcp interface 3389 172.17.2.182 3389 netmask 255.255.255
.255
static (inside,outside) 204.95.141.156 10.1.1.248 netmask 255.255.255.255
static (inside,outside) 204.95.141.159 10.1.1.249 netmask 255.255.255.255
access-group out in interface outside
Comment
Watch Question

Pete LongTechnical Architect
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Pete LongTechnical Architect
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Im guessing you just need to add

access-list acl_outbound line 4 extended deny tcp any any eq smtp

to be sure issue the following

show access-group

command

as long as it says

access-group acl_outbound in interface inside


then that will do the trick :)
Pete LongTechnical Architect
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
in fact LOL you already have that line 4!! - just make sure the acl is applied with an access-group command :)

Author

Commented:
what does line 4 mean?  I just need to add that line and nothing else?

Author

Commented:
start over.  What exactly do i need to add?  do i need to redo anything?
access-list acl_outbound extended permit tcp host 172.17.2.35 any eq smtp
access-list acl_outbound extended permit tcp host 172.17.2.36 any eq smtp
access-list acl_outbound extended permit tcp host 172.17.2.37 any eq smtp
access-list acl_outbound extended deny tcp any any eq smtp

the above is what you already have.... now what you need to add is

---access-list acl_outbound extended permit ip any any
(make sure this is there otherwise all your ip traffic from inside to outside will be implicitly denied)

and

---access-group acl_outbound in interface inside

Author

Commented:
i made those changes and here is my config now.  Please check it to see if anything besides my mail server can transmit outbound.  I have some spam bot i can't find and we are getting blacklisted.  



User Access Verification

Password:
Type help or '?' for a list of available commands.
HoustonASA> en
Password: *******
HoustonASA# config t
HoustonASA(config)# access-list acl_outbound extended permit ip any any
HoustonASA(config)# access-group acl_outbound in interface inside
HoustonASA(config)# wr mem
Building configuration...
Cryptochecksum: 2f36f2c7 dc9f244f 5b1ac168 a5ed04fa

9110 bytes copied in 3.700 secs (3036 bytes/sec)
[OK]
HoustonASA(config)# sh config
: Saved
: Written by enable_15 at 05:41:13.635 UTC Fri Sep 10 2010
!
ASA Version 7.0(8)
!
hostname HoustonASA
domain-name cottonrestorationinc.com
enable password TaR7pFaimyVPdvK7 encrypted
passwd TaR7pFaimyVPdvK7 encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 204.95.141.154 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 172.17.2.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
same-security-traffic permit intra-interface
access-list out extended permit tcp any interface outside eq www
access-list out extended permit tcp any interface outside eq https
access-list out extended permit tcp any interface outside eq 8000
access-list out extended permit tcp any host 204.95.141.155 eq https
access-list out extended permit tcp any host 204.95.141.156 eq www
access-list out extended permit tcp any host 204.95.141.156 eq https
access-list out extended permit tcp any host 204.95.141.157 eq ssh
access-list out extended permit tcp any host 204.95.141.157 eq www
access-list out extended permit tcp any host 204.95.141.157 eq https
access-list out extended permit tcp any host 204.95.141.158 eq ssh
access-list out extended permit tcp any host 204.95.141.158 eq www
access-list out extended permit tcp any host 204.95.141.158 eq https
access-list out extended permit tcp any interface outside eq 3389
access-list out extended permit tcp any interface outside eq smtp
access-list nonat extended permit ip 172.17.2.0 255.255.255.0 172.31.1.0 255.255
.255.0
access-list nonat extended permit ip 192.168.0.0 255.255.255.0 172.31.1.0 255.25
5.255.0
access-list nonat extended permit ip 192.168.3.0 255.255.255.0 172.31.1.0 255.25
5.255.0
access-list nonat extended permit ip 192.168.2.0 255.255.255.0 172.31.1.0 255.25
5.255.0
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 172.31.1.0 255.255.2
55.0
access-list nonat extended permit ip 10.1.2.0 255.255.255.0 172.31.1.0 255.255.2
55.0
access-list split-tunnel standard permit 172.17.2.0 255.255.255.0
access-list split-tunnel standard permit 192.168.0.0 255.255.255.0
access-list split-tunnel standard permit 192.168.2.0 255.255.255.0
access-list split-tunnel standard permit 192.168.3.0 255.255.255.0
access-list split-tunnel standard permit 10.1.1.0 255.255.255.0
access-list split-tunnel standard permit 10.1.2.0 255.255.255.0
access-list acl_outbound extended permit tcp host 172.17.2.35 any eq smtp
access-list acl_outbound extended permit tcp host 172.17.2.36 any eq smtp
access-list acl_outbound extended permit tcp host 172.17.2.37 any eq smtp
access-list acl_outbound extended deny tcp any any eq smtp
access-list acl_outbound extended permit ip any any
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool cotton 172.31.1.1-172.31.1.254 mask 255.255.255.0
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 172.17.2.26 smtp netmask 255.255.255.
255
static (inside,outside) tcp interface 8000 172.17.2.26 8000 netmask 255.255.255.
255
static (inside,outside) tcp 204.95.141.155 https 172.17.2.37 https netmask 255.2
55.255.255
static (inside,outside) tcp 204.95.141.157 ssh 172.17.2.42 ssh netmask 255.255.2
55.255
static (inside,outside) tcp 204.95.141.157 www 172.17.2.42 www netmask 255.255.2
55.255
static (inside,outside) tcp 204.95.141.157 https 172.17.2.42 https netmask 255.2
55.255.255
static (inside,outside) tcp 204.95.141.158 ssh 172.17.2.43 ssh netmask 255.255.2
55.255
static (inside,outside) tcp 204.95.141.158 www 172.17.2.43 www netmask 255.255.2
55.255
static (inside,outside) tcp 204.95.141.158 https 172.17.2.43 https netmask 255.2
55.255.255
static (inside,outside) tcp interface https 172.17.2.18 https netmask 255.255.25
5.255
static (inside,outside) tcp interface www 172.17.2.5 www netmask 255.255.255.255

static (inside,outside) tcp interface 3389 172.17.2.182 3389 netmask 255.255.255
.255
static (inside,outside) 204.95.141.156 10.1.1.248 netmask 255.255.255.255
static (inside,outside) 204.95.141.159 10.1.1.249 netmask 255.255.255.255
access-group out in interface outside
access-group acl_outbound in interface inside
perfect!!

Author

Commented:
thanks.  no anything about finding a spambot on a LAN
on a firewall?? yea.. maybe you can apply captures for smtp traffic on the inside interface of the firewall and any traffic coming from any ip other than your exchange should be of concern.

Author

Commented:
i'm a cisco dummy.  How do u do that and check the logs.
Unlock this solution and get a sample of our free trial.
(No credit card required)
UNLOCK SOLUTION

Author

Commented:
the asdm won't launch?  errrrrrr.  Anyway to check on command line?
you can do it on ASA buffer... put in these

logging buffered notification
show logging

it will show all the asa logs... you should be able to find the acl drops in that..

Author

Commented:
syslog is disabled.  dumb question but how to enable syslog and do i need to redo those rules?

Author

Commented:
i used the logging on command.  I'm getting some logs now.  Will i see a deny of smtp listed?  Also, what if i don't?  I need to identify my issue.  I am scanning my email server plus its not showing as an open relay
#logging enable ----> for syslogs

and yea you need to redo those access-list in the same order i have put
just to ensure log for that deny statement

Author

Commented:
i don't see anything in logs.  Anything i should be looking for?  i'm looking for anything that says smtp
Unlock the solution to this question.
Thanks for using Experts Exchange.

Please provide your email to receive a sample view!

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.