Solved

Block SMTP on ASA 5500

Posted on 2011-02-15
6
1,499 Views
Last Modified: 2012-05-11
Hello we would like it so that only the exchange server is allowed to send email out from the network. We have had some issues where users have taken their virus infected home computer to the office. How can we setup the ASA so that it only allows the exchange server to send email on port 25?

This is my acl:

access-list outside_access_in extended permit tcp any host 213.145.177.74 eq smtp
access-list outside_access_in extended permit tcp any host 213.145.177.74 eq https
access-list outside_access_in extended permit tcp host 10.10.1.1 any eq smtp
access-list outside_access_in extended permit tcp host 10.10.1.202 any eq smtp
access-list outside_access_in extended deny tcp any any eq smtp

0
Comment
Question by:daxa78
  • 4
  • 2
6 Comments
 
LVL 35

Accepted Solution

by:
Ernie Beek earned 500 total points
ID: 34896355
You have to create an accesslist on the inside interface, something like:

access-list inside_access_out extended permit tcp host x.x.x.x any eq smtp (x.x.x.x = exchange server)
access-list inside_access_out extended deny tcp any any eq smtp
access-list inside_access_out extended permit ip any any


That should do the trick.
0
 
LVL 1

Author Comment

by:daxa78
ID: 34896498
So i should just delete those other acl?

Thx
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 34896525
Well, no. Those are the incoming rules. I think you still want your exchange server to be reachable don't you? You might to have a look to see if anything can be removed (i see three times incoming smtp).
0
VMware Disaster Recovery and Data Protection

In this expert guide, you’ll learn about the components of a Modern Data Center. You will use cases for the value-added capabilities of Veeam®, including combining backup and replication for VMware disaster recovery and using replication for data center migration.

 
LVL 1

Author Comment

by:daxa78
ID: 34896685
Did not work this is what my acl looks like now.

All host on the network can still connect to smtp servers on the outside.

access-list inside_access_out extended permit tcp host 10.10.1.1 any eq smtp
access-list inside_access_out extended permit tcp host 10.10.1.202 any eq smtp
access-list inside_access_out extended deny tcp any any eq smtp
access-list inside_access_out extended permit ip any any
0
 
LVL 35

Assisted Solution

by:Ernie Beek
Ernie Beek earned 500 total points
ID: 34896774
Eh, did you also issue: acces-group inside_access_out in interface inside ?

Assuming the name of your inside interface is 'inside'.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 34897608
Thanks for the points.

Regarding your outside accesslist, you might want to remove:


access-list outside_access_in extended permit tcp host 10.10.1.1 any eq smtp
access-list outside_access_in extended permit tcp host 10.10.1.202 any eq smtp
access-list outside_access_in extended deny tcp any any eq smtp


There's no need for those and there's allways an implicit 'deny all' at the end of an access list.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Cisco Pix/ASA hairpinning The term, hairpinning, comes from the fact that the traffic comes from one source into a router or similar device, makes a U-turn, and goes back the same way it came. Visualize this and you will see something that looks …
When I upgraded my ASA 8.2 to 8.3, I realized that my nonat statement was failing!   The log showed the following error:     %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows It was caused by the config upgrade, because t…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

830 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question