Cisco ASA Rules for SMTP outbound

AggieJeff asked on
Topics: Email Protocols, Cisco
I need to make sure that my firewall is correct to stop all outbound SMTP traffic except for my Exchange server. The IPs of the Exchange server are 172.17.2.35-37. My configuration is below.

User Access Verification

Password:
Type help or '?' for a list of available commands.
HoustonASA> en
Password: *******
HoustonASA# conf t
HoustonASA(config)# access-list acl_outbound extended deny tcp any any eq smtp
HoustonASA(config)# wr mem
Building configuration...
Cryptochecksum: de6c5a0a 39d12220 5a8c827e db24d508

9011 bytes copied in 3.590 secs (3003 bytes/sec)
[OK]
HoustonASA(config)# sh config
: Saved
: Written by enable_15 at 05:00:56.598 UTC Fri Sep 10 2010
!
ASA Version 7.0(8)
!
hostname HoustonASA
domain-name cottonrestorationinc.com
enable password TaR7pFaimyVPdvK7 encrypted
passwd TaR7pFaimyVPdvK7 encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 204.95.141.154 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 172.17.2.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
same-security-traffic permit intra-interface
access-list out extended permit tcp any interface outside eq www
access-list out extended permit tcp any interface outside eq https
access-list out extended permit tcp any interface outside eq 8000
access-list out extended permit tcp any host 204.95.141.155 eq https
access-list out extended permit tcp any host 204.95.141.156 eq www
access-list out extended permit tcp any host 204.95.141.156 eq https
access-list out extended permit tcp any host 204.95.141.157 eq ssh
access-list out extended permit tcp any host 204.95.141.157 eq www
access-list out extended permit tcp any host 204.95.141.157 eq https
access-list out extended permit tcp any host 204.95.141.158 eq ssh
access-list out extended permit tcp any host 204.95.141.158 eq www
access-list out extended permit tcp any host 204.95.141.158 eq https
access-list out extended permit tcp any interface outside eq 3389
access-list out extended permit tcp any interface outside eq smtp
access-list nonat extended permit ip 172.17.2.0 255.255.255.0 172.31.1.0 255.255.255.0
access-list nonat extended permit ip 192.168.0.0 255.255.255.0 172.31.1.0 255.255.255.0
access-list nonat extended permit ip 192.168.3.0 255.255.255.0 172.31.1.0 255.255.255.0
access-list nonat extended permit ip 192.168.2.0 255.255.255.0 172.31.1.0 255.255.255.0
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 172.31.1.0 255.255.255.0
access-list nonat extended permit ip 10.1.2.0 255.255.255.0 172.31.1.0 255.255.255.0
access-list split-tunnel standard permit 172.17.2.0 255.255.255.0
access-list split-tunnel standard permit 192.168.0.0 255.255.255.0
access-list split-tunnel standard permit 192.168.2.0 255.255.255.0
access-list split-tunnel standard permit 192.168.3.0 255.255.255.0
access-list split-tunnel standard permit 10.1.1.0 255.255.255.0
access-list split-tunnel standard permit 10.1.2.0 255.255.255.0
access-list acl_outbound extended permit tcp host 172.17.2.35 any eq smtp
access-list acl_outbound extended permit tcp host 172.17.2.36 any eq smtp
access-list acl_outbound extended permit tcp host 172.17.2.37 any eq smtp
access-list acl_outbound extended deny tcp any any eq smtp
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool cotton 172.31.1.1-172.31.1.254 mask 255.255.255.0
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 172.17.2.26 smtp netmask 255.255.255.255
static (inside,outside) tcp interface 8000 172.17.2.26 8000 netmask 255.255.255.255
static (inside,outside) tcp 204.95.141.155 https 172.17.2.37 https netmask 255.255.255.255
static (inside,outside) tcp 204.95.141.157 ssh 172.17.2.42 ssh netmask 255.255.255.255
static (inside,outside) tcp 204.95.141.157 www 172.17.2.42 www netmask 255.255.255.255
static (inside,outside) tcp 204.95.141.157 https 172.17.2.42 https netmask 255.255.255.255
static (inside,outside) tcp 204.95.141.158 ssh 172.17.2.43 ssh netmask 255.255.255.255
static (inside,outside) tcp 204.95.141.158 www 172.17.2.43 www netmask 255.255.255.255
static (inside,outside) tcp 204.95.141.158 https 172.17.2.43 https netmask 255.255.255.255
static (inside,outside) tcp interface https 172.17.2.18 https netmask 255.255.255.255
static (inside,outside) tcp interface www 172.17.2.5 www netmask 255.255.255.255
static (inside,outside) tcp interface 3389 172.17.2.182 3389 netmask 255.255.255.255
static (inside,outside) 204.95.141.156 10.1.1.248 netmask 255.255.255.255
static (inside,outside) 204.95.141.159 10.1.1.249 netmask 255.255.255.255
access-group out in interface outside
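What the posted config actually does with acl_outbound, as an added example that is not part of the original post or the accepted answer. On an ASA an access-list has no effect until an `access-group` binds it to an interface, and the only binding in the config above is `access-group out in interface outside`; once an ACL is bound, the implicit deny at its end drops everything the ACL does not explicitly permit. The Python below models those two rules (access-group binding and first-match evaluation) and replays the question's own `acl_outbound` lines against three variants: the posted bindings, the ACL bound as-is, and a hypothetical corrected fragment that appends `access-list acl_outbound extended permit ip any any` before `access-group acl_outbound in interface inside`. The embedded config snippets are a constructed subset of the posted config, the supported ACE grammar (`extended`, `tcp`/`ip`, `any`, `host A`, `A MASK`, optional `eq PORT`) is an assumption, and `evaluate`, `unbound_acls` and the test flows are the example's own.

```python
"""Model Cisco ASA access-group binding and first-match ACL evaluation.

Added example, not code from the original post. The ACE grammar modelled here
(extended ACLs, tcp/ip, any | host A | A MASK, optional 'eq PORT') is a subset
chosen to cover the lines in the question; that subset, and the higher-to-lower
default permit applied when no ACL is bound (inside -> outside is the only
direction handled), are assumptions of this model.
"""
import ipaddress
import re

PORT_NAMES = {"smtp": 25, "www": 80, "https": 443, "ssh": 22}

# Constructed subset of the posted config: the acl_outbound ACEs and the
# only access-group line. Nothing binds acl_outbound to an interface.
POSTED_CONFIG = """
access-list acl_outbound extended permit tcp host 172.17.2.35 any eq smtp
access-list acl_outbound extended permit tcp host 172.17.2.36 any eq smtp
access-list acl_outbound extended permit tcp host 172.17.2.37 any eq smtp
access-list acl_outbound extended deny tcp any any eq smtp
access-group out in interface outside
"""

# Binding the ACL as-is: the implicit deny at the end now drops every
# non-SMTP flow from the inside network (the classic outage).
BOUND_NO_CATCHALL = POSTED_CONFIG + """
access-group acl_outbound in interface inside
"""

# Hypothetical corrected fragment (not quoted from the page): an explicit
# permit for everything else, appended after the SMTP deny, then the binding.
FIXED_CONFIG = POSTED_CONFIG + """
access-list acl_outbound extended permit ip any any
access-group acl_outbound in interface inside
"""

ACL_DEF_RE = re.compile(r"^access-list\s+(\S+)\s+(extended|standard)\s+(.*)$")
ACE_RE = re.compile(r"^(permit|deny)\s+(\S+)\s+(.*)$")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+(in|out)\s+interface\s+(\S+)$")


def _take_addr(tokens):
    """Consume one address spec (any | host A | A MASK) and return a network."""
    kind = tokens.pop(0)
    if kind == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if kind == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    if re.fullmatch(r"\d+\.\d+\.\d+\.\d+", kind):
        return ipaddress.ip_network(f"{kind}/{tokens.pop(0)}", strict=False)
    raise ValueError(f"unsupported address form: {kind}")


def parse(config):
    """Return ({acl_name: [ace, ...]}, {(interface, direction): acl_name})."""
    acls, bindings = {}, {}
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACL_DEF_RE.match(line):
            name, kind, rest = m.groups()
            acls.setdefault(name, [])
            if kind != "extended":
                continue  # standard ACLs (e.g. split-tunnel) carry no proto/port
            action, proto, tail = ACE_RE.match(rest).groups()
            tokens = tail.split()
            src, dst = _take_addr(tokens), _take_addr(tokens)
            dport = None
            if tokens and tokens[0] == "eq":
                p = tokens[1]
                dport = PORT_NAMES[p] if p in PORT_NAMES else int(p)
            acls[name].append({"action": action, "proto": proto,
                               "src": src, "dst": dst, "dport": dport})
        elif m := GROUP_RE.match(line):
            name, direction, iface = m.groups()
            bindings[(iface, direction)] = name
    return acls, bindings


def _matches(ace, proto, src, dst, dport):
    return (ace["proto"] in ("ip", proto)
            and src in ace["src"] and dst in ace["dst"]
            and (ace["dport"] is None or ace["dport"] == dport))


def evaluate(config, iface, proto, src, dst, dport):
    """First-match decision for a flow entering `iface`: (action, reason)."""
    acls, bindings = parse(config)
    name = bindings.get((iface, "in"))
    if name is None:
        # No ACL bound: the ASA permits higher- to lower-security traffic.
        return "permit", f"no ACL bound inbound on {iface}; default policy"
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, ace in enumerate(acls.get(name, []), 1):
        if _matches(ace, proto, s, d, dport):
            return ace["action"], f"{name} line {i}"
    return "deny", f"implicit deny at end of {name}"


def unbound_acls(config):
    """ACL names defined by access-list but referenced by no access-group."""
    acls, bindings = parse(config)
    return set(acls) - set(bindings.values())


if __name__ == "__main__":
    flows = [("172.17.2.35", 25), ("172.17.2.100", 25), ("172.17.2.100", 443)]
    variants = [("posted", POSTED_CONFIG),
                ("bound, no catch-all", BOUND_NO_CATCHALL),
                ("fixed", FIXED_CONFIG)]
    for label, cfg in variants:
        print(f"[{label}] unbound ACLs: {sorted(unbound_acls(cfg)) or 'none'}")
        for src, port in flows:
            action, why = evaluate(cfg, "inside", "tcp", src, "203.0.113.25", port)
            print(f"  {src} -> :{port}  {action:6} ({why})")
```

Run against the full posted config rather than the subset, `unbound_acls` would also list `nonat` and `split-tunnel`; those are expected, because they are consumed by `nat (inside) 0 access-list nonat` and the VPN split-tunnel policy rather than by `access-group`. The model does not handle the `interface outside` keyword used in the `out` ACL or the `static` translations, so it is a check on the outbound policy only, not a full replay of the box.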
ASKER CERTIFIED SOLUTION
ullas_unni

Our community of experts have been thoroughly vetted for their expertise and industry experience.

Join our community to see this answer!
Unlock 1 Answer and 18 Comments.
Start Free Trial
Learn from the best

Network and collaborate with thousands of CTOs, CISOs, and IT Pros rooting for you and your success.

Andrew Hancock - VMware vExpert
See if this solution works for you by signing up for a 7 day free trial.
Unlock 1 Answer and 18 Comments.
Try for 7 days

”The time we save is the biggest benefit of E-E to our team. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange.

-Mike Kapnisakis, Warner Bros