?
Solved

Cisco ASA Rules for SMTP outbound

Posted on 2010-09-10
18
Medium Priority
?
1,051 Views
Last Modified: 2013-11-30
I need to make sure that my firewall is correct to stop all outbound smtp traffic except for my Exchange server.  The IPs of the exchange server 172.17.2.35 - 37.  My configuration is below.

User Access Verification

Password:
Type help or '?' for a list of available commands.
HoustonASA> en
Password: *******
HoustonASA# conf t
HoustonASA(config)# access-list acl_outbound extended deny tcp any any eq smtp
HoustonASA(config)# wr mem
Building configuration...
Cryptochecksum: de6c5a0a 39d12220 5a8c827e db24d508

9011 bytes copied in 3.590 secs (3003 bytes/sec)
[OK]
HoustonASA(config)# sh config
: Saved
: Written by enable_15 at 05:00:56.598 UTC Fri Sep 10 2010
!
ASA Version 7.0(8)
!
hostname HoustonASA
domain-name cottonrestorationinc.com
enable password TaR7pFaimyVPdvK7 encrypted
passwd TaR7pFaimyVPdvK7 encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 204.95.141.154 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 172.17.2.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
same-security-traffic permit intra-interface
access-list out extended permit tcp any interface outside eq www
access-list out extended permit tcp any interface outside eq https
access-list out extended permit tcp any interface outside eq 8000
access-list out extended permit tcp any host 204.95.141.155 eq https
access-list out extended permit tcp any host 204.95.141.156 eq www
access-list out extended permit tcp any host 204.95.141.156 eq https
access-list out extended permit tcp any host 204.95.141.157 eq ssh
access-list out extended permit tcp any host 204.95.141.157 eq www
access-list out extended permit tcp any host 204.95.141.157 eq https
access-list out extended permit tcp any host 204.95.141.158 eq ssh
access-list out extended permit tcp any host 204.95.141.158 eq www
access-list out extended permit tcp any host 204.95.141.158 eq https
access-list out extended permit tcp any interface outside eq 3389
access-list out extended permit tcp any interface outside eq smtp
access-list nonat extended permit ip 172.17.2.0 255.255.255.0 172.31.1.0 255.255
.255.0
access-list nonat extended permit ip 192.168.0.0 255.255.255.0 172.31.1.0 255.25
5.255.0
access-list nonat extended permit ip 192.168.3.0 255.255.255.0 172.31.1.0 255.25
5.255.0
access-list nonat extended permit ip 192.168.2.0 255.255.255.0 172.31.1.0 255.25
5.255.0
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 172.31.1.0 255.255.2
55.0
access-list nonat extended permit ip 10.1.2.0 255.255.255.0 172.31.1.0 255.255.2
55.0
access-list split-tunnel standard permit 172.17.2.0 255.255.255.0
access-list split-tunnel standard permit 192.168.0.0 255.255.255.0
access-list split-tunnel standard permit 192.168.2.0 255.255.255.0
access-list split-tunnel standard permit 192.168.3.0 255.255.255.0
access-list split-tunnel standard permit 10.1.1.0 255.255.255.0
access-list split-tunnel standard permit 10.1.2.0 255.255.255.0
access-list acl_outbound extended permit tcp host 172.17.2.35 any eq smtp
access-list acl_outbound extended permit tcp host 172.17.2.36 any eq smtp
access-list acl_outbound extended permit tcp host 172.17.2.37 any eq smtp
access-list acl_outbound extended deny tcp any any eq smtp
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool cotton 172.31.1.1-172.31.1.254 mask 255.255.255.0
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 172.17.2.26 smtp netmask 255.255.255.
255
static (inside,outside) tcp interface 8000 172.17.2.26 8000 netmask 255.255.255.
255
static (inside,outside) tcp 204.95.141.155 https 172.17.2.37 https netmask 255.2
55.255.255
static (inside,outside) tcp 204.95.141.157 ssh 172.17.2.42 ssh netmask 255.255.2
55.255
static (inside,outside) tcp 204.95.141.157 www 172.17.2.42 www netmask 255.255.2
55.255
static (inside,outside) tcp 204.95.141.157 https 172.17.2.42 https netmask 255.2
55.255.255
static (inside,outside) tcp 204.95.141.158 ssh 172.17.2.43 ssh netmask 255.255.2
55.255
static (inside,outside) tcp 204.95.141.158 www 172.17.2.43 www netmask 255.255.2
55.255
static (inside,outside) tcp 204.95.141.158 https 172.17.2.43 https netmask 255.2
55.255.255
static (inside,outside) tcp interface https 172.17.2.18 https netmask 255.255.25
5.255
static (inside,outside) tcp interface www 172.17.2.5 www netmask 255.255.255.255

static (inside,outside) tcp interface 3389 172.17.2.182 3389 netmask 255.255.255
.255
static (inside,outside) 204.95.141.156 10.1.1.248 netmask 255.255.255.255
static (inside,outside) 204.95.141.159 10.1.1.249 netmask 255.255.255.255
access-group out in interface outside
0
Comment
Question by:AggieJeff
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 9
  • 6
  • 3
18 Comments
 
LVL 57

Expert Comment

by:Pete Long
ID: 33646161
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 33646219
Im guessing you just need to add

access-list acl_outbound line 4 extended deny tcp any any eq smtp

to be sure issue the following

show access-group

command

as long as it says

access-group acl_outbound in interface inside


then that will do the trick :)
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 33646227
in fact LOL you already have that line 4!! - just make sure the acl is applied with an access-group command :)
0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 

Author Comment

by:AggieJeff
ID: 33646237
what does line 4 mean?  I just need to add that line and nothing else?
0
 

Author Comment

by:AggieJeff
ID: 33646269
start over.  What exactly do i need to add?  do i need to redo anything?
0
 
LVL 4

Expert Comment

by:ullas_unni
ID: 33646294
access-list acl_outbound extended permit tcp host 172.17.2.35 any eq smtp
access-list acl_outbound extended permit tcp host 172.17.2.36 any eq smtp
access-list acl_outbound extended permit tcp host 172.17.2.37 any eq smtp
access-list acl_outbound extended deny tcp any any eq smtp

the above is what you already have.... now what you need to add is

---access-list acl_outbound extended permit ip any any
(make sure this is there otherwise all your ip traffic from inside to outside will be implicitly denied)

and

---access-group acl_outbound in interface inside
0
 

Author Comment

by:AggieJeff
ID: 33646428
i made those changes and here is my config now.  Please check it to see if anything besides my mail server can transmit outbound.  I have some spam bot i can't find and we are getting blacklisted.  



User Access Verification

Password:
Type help or '?' for a list of available commands.
HoustonASA> en
Password: *******
HoustonASA# config t
HoustonASA(config)# access-list acl_outbound extended permit ip any any
HoustonASA(config)# access-group acl_outbound in interface inside
HoustonASA(config)# wr mem
Building configuration...
Cryptochecksum: 2f36f2c7 dc9f244f 5b1ac168 a5ed04fa

9110 bytes copied in 3.700 secs (3036 bytes/sec)
[OK]
HoustonASA(config)# sh config
: Saved
: Written by enable_15 at 05:41:13.635 UTC Fri Sep 10 2010
!
ASA Version 7.0(8)
!
hostname HoustonASA
domain-name cottonrestorationinc.com
enable password TaR7pFaimyVPdvK7 encrypted
passwd TaR7pFaimyVPdvK7 encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 204.95.141.154 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 172.17.2.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
same-security-traffic permit intra-interface
access-list out extended permit tcp any interface outside eq www
access-list out extended permit tcp any interface outside eq https
access-list out extended permit tcp any interface outside eq 8000
access-list out extended permit tcp any host 204.95.141.155 eq https
access-list out extended permit tcp any host 204.95.141.156 eq www
access-list out extended permit tcp any host 204.95.141.156 eq https
access-list out extended permit tcp any host 204.95.141.157 eq ssh
access-list out extended permit tcp any host 204.95.141.157 eq www
access-list out extended permit tcp any host 204.95.141.157 eq https
access-list out extended permit tcp any host 204.95.141.158 eq ssh
access-list out extended permit tcp any host 204.95.141.158 eq www
access-list out extended permit tcp any host 204.95.141.158 eq https
access-list out extended permit tcp any interface outside eq 3389
access-list out extended permit tcp any interface outside eq smtp
access-list nonat extended permit ip 172.17.2.0 255.255.255.0 172.31.1.0 255.255
.255.0
access-list nonat extended permit ip 192.168.0.0 255.255.255.0 172.31.1.0 255.25
5.255.0
access-list nonat extended permit ip 192.168.3.0 255.255.255.0 172.31.1.0 255.25
5.255.0
access-list nonat extended permit ip 192.168.2.0 255.255.255.0 172.31.1.0 255.25
5.255.0
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 172.31.1.0 255.255.2
55.0
access-list nonat extended permit ip 10.1.2.0 255.255.255.0 172.31.1.0 255.255.2
55.0
access-list split-tunnel standard permit 172.17.2.0 255.255.255.0
access-list split-tunnel standard permit 192.168.0.0 255.255.255.0
access-list split-tunnel standard permit 192.168.2.0 255.255.255.0
access-list split-tunnel standard permit 192.168.3.0 255.255.255.0
access-list split-tunnel standard permit 10.1.1.0 255.255.255.0
access-list split-tunnel standard permit 10.1.2.0 255.255.255.0
access-list acl_outbound extended permit tcp host 172.17.2.35 any eq smtp
access-list acl_outbound extended permit tcp host 172.17.2.36 any eq smtp
access-list acl_outbound extended permit tcp host 172.17.2.37 any eq smtp
access-list acl_outbound extended deny tcp any any eq smtp
access-list acl_outbound extended permit ip any any
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool cotton 172.31.1.1-172.31.1.254 mask 255.255.255.0
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 172.17.2.26 smtp netmask 255.255.255.
255
static (inside,outside) tcp interface 8000 172.17.2.26 8000 netmask 255.255.255.
255
static (inside,outside) tcp 204.95.141.155 https 172.17.2.37 https netmask 255.2
55.255.255
static (inside,outside) tcp 204.95.141.157 ssh 172.17.2.42 ssh netmask 255.255.2
55.255
static (inside,outside) tcp 204.95.141.157 www 172.17.2.42 www netmask 255.255.2
55.255
static (inside,outside) tcp 204.95.141.157 https 172.17.2.42 https netmask 255.2
55.255.255
static (inside,outside) tcp 204.95.141.158 ssh 172.17.2.43 ssh netmask 255.255.2
55.255
static (inside,outside) tcp 204.95.141.158 www 172.17.2.43 www netmask 255.255.2
55.255
static (inside,outside) tcp 204.95.141.158 https 172.17.2.43 https netmask 255.2
55.255.255
static (inside,outside) tcp interface https 172.17.2.18 https netmask 255.255.25
5.255
static (inside,outside) tcp interface www 172.17.2.5 www netmask 255.255.255.255

static (inside,outside) tcp interface 3389 172.17.2.182 3389 netmask 255.255.255
.255
static (inside,outside) 204.95.141.156 10.1.1.248 netmask 255.255.255.255
static (inside,outside) 204.95.141.159 10.1.1.249 netmask 255.255.255.255
access-group out in interface outside
access-group acl_outbound in interface inside
0
 
LVL 4

Expert Comment

by:ullas_unni
ID: 33646518
perfect!!
0
 

Author Comment

by:AggieJeff
ID: 33646539
thanks.  no anything about finding a spambot on a LAN
0
 
LVL 4

Expert Comment

by:ullas_unni
ID: 33646634
on a firewall?? yea.. maybe you can apply captures for smtp traffic on the inside interface of the firewall and any traffic coming from any ip other than your exchange should be of concern.
0
 

Author Comment

by:AggieJeff
ID: 33646659
i'm a cisco dummy.  How do u do that and check the logs.
0
 
LVL 4

Accepted Solution

by:
ullas_unni earned 2000 total points
ID: 33646784
well actually you can even see it in access-list logs... if you have syslogs enabled... well yea you have asdm syslog... ok what you can do is change the logging level to notification and give a log keyword at the end of the access-list.

try this in steps:

no access-group acl_outbound in interface inside
no access-list acl_outbound extended permit ip any any
no access-list acl_outbound extended deny tcp any any eq smtp
access-list acl_outbound extended deny tcp any any eq smtp log
access-list acl_outbound extended permit ip any any
access-group acl_outbound in interface inside
logging asdm notifications

and check for logs on asdm for that access-list drops
it should point you to the rogue device.
0
 

Author Comment

by:AggieJeff
ID: 33646951
the asdm won't launch?  errrrrrr.  Anyway to check on command line?
0
 
LVL 4

Expert Comment

by:ullas_unni
ID: 33647025
you can do it on ASA buffer... put in these

logging buffered notification
show logging

it will show all the asa logs... you should be able to find the acl drops in that..
0
 

Author Comment

by:AggieJeff
ID: 33647073
syslog is disabled.  dumb question but how to enable syslog and do i need to redo those rules?
0
 

Author Comment

by:AggieJeff
ID: 33647218
i used the logging on command.  I'm getting some logs now.  Will i see a deny of smtp listed?  Also, what if i don't?  I need to identify my issue.  I am scanning my email server plus its not showing as an open relay
0
 
LVL 4

Expert Comment

by:ullas_unni
ID: 33647332
#logging enable ----> for syslogs

and yea you need to redo those access-list in the same order i have put
just to ensure log for that deny statement
0
 

Author Comment

by:AggieJeff
ID: 33647846
i don't see anything in logs.  Anything i should be looking for?  i'm looking for anything that says smtp
0

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This past year has been one of great growth and performance for OnPage. We have added many features and integrations to the product, making 2016 an awesome year. We see these steps forward as the basis for future growth.
Powerful tools can do wonders, but only in the right hands.  Nowhere is this more obvious than with the cloud.
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…
Suggested Courses

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question