daxa78
asked on
Block SMTP on ASA 5500
Hello we would like it so that only the exchange server is allowed to send email out from the network. We have had some issues where users have taken their virus infected home computer to the office. How can we setup the ASA so that it only allows the exchange server to send email on port 25?
This is my acl:
access-list outside_access_in extended permit tcp any host 213.145.177.74 eq smtp
access-list outside_access_in extended permit tcp any host 213.145.177.74 eq https
access-list outside_access_in extended permit tcp host 10.10.1.1 any eq smtp
access-list outside_access_in extended permit tcp host 10.10.1.202 any eq smtp
access-list outside_access_in extended deny tcp any any eq smtp
This is my acl:
access-list outside_access_in extended permit tcp any host 213.145.177.74 eq smtp
access-list outside_access_in extended permit tcp any host 213.145.177.74 eq https
access-list outside_access_in extended permit tcp host 10.10.1.1 any eq smtp
access-list outside_access_in extended permit tcp host 10.10.1.202 any eq smtp
access-list outside_access_in extended deny tcp any any eq smtp
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Well, no. Those are the incoming rules. I think you still want your exchange server to be reachable don't you? You might to have a look to see if anything can be removed (i see three times incoming smtp).
ASKER
Did not work this is what my acl looks like now.
All host on the network can still connect to smtp servers on the outside.
access-list inside_access_out extended permit tcp host 10.10.1.1 any eq smtp
access-list inside_access_out extended permit tcp host 10.10.1.202 any eq smtp
access-list inside_access_out extended deny tcp any any eq smtp
access-list inside_access_out extended permit ip any any
All host on the network can still connect to smtp servers on the outside.
access-list inside_access_out extended permit tcp host 10.10.1.1 any eq smtp
access-list inside_access_out extended permit tcp host 10.10.1.202 any eq smtp
access-list inside_access_out extended deny tcp any any eq smtp
access-list inside_access_out extended permit ip any any
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Thanks for the points.
Regarding your outside accesslist, you might want to remove:
access-list outside_access_in extended permit tcp host 10.10.1.1 any eq smtp
access-list outside_access_in extended permit tcp host 10.10.1.202 any eq smtp
access-list outside_access_in extended deny tcp any any eq smtp
There's no need for those and there's allways an implicit 'deny all' at the end of an access list.
Regarding your outside accesslist, you might want to remove:
access-list outside_access_in extended permit tcp host 10.10.1.1 any eq smtp
access-list outside_access_in extended permit tcp host 10.10.1.202 any eq smtp
access-list outside_access_in extended deny tcp any any eq smtp
There's no need for those and there's allways an implicit 'deny all' at the end of an access list.
ASKER
Thx