Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1524
  • Last Modified:

Block SMTP on ASA 5500

Hello we would like it so that only the exchange server is allowed to send email out from the network. We have had some issues where users have taken their virus infected home computer to the office. How can we setup the ASA so that it only allows the exchange server to send email on port 25?

This is my acl:

access-list outside_access_in extended permit tcp any host 213.145.177.74 eq smtp
access-list outside_access_in extended permit tcp any host 213.145.177.74 eq https
access-list outside_access_in extended permit tcp host 10.10.1.1 any eq smtp
access-list outside_access_in extended permit tcp host 10.10.1.202 any eq smtp
access-list outside_access_in extended deny tcp any any eq smtp

0
daxa78
Asked:
daxa78
  • 4
  • 2
2 Solutions
 
Ernie BeekExpertCommented:
You have to create an accesslist on the inside interface, something like:

access-list inside_access_out extended permit tcp host x.x.x.x any eq smtp (x.x.x.x = exchange server)
access-list inside_access_out extended deny tcp any any eq smtp
access-list inside_access_out extended permit ip any any


That should do the trick.
0
 
daxa78Author Commented:
So i should just delete those other acl?

Thx
0
 
Ernie BeekExpertCommented:
Well, no. Those are the incoming rules. I think you still want your exchange server to be reachable don't you? You might to have a look to see if anything can be removed (i see three times incoming smtp).
0
Configuration Guide and Best Practices

Read the guide to learn how to orchestrate Data ONTAP, create application-consistent backups and enable fast recovery from NetApp storage snapshots. Version 9.5 also contains performance and scalability enhancements to meet the needs of the largest enterprise environments.

 
daxa78Author Commented:
Did not work this is what my acl looks like now.

All host on the network can still connect to smtp servers on the outside.

access-list inside_access_out extended permit tcp host 10.10.1.1 any eq smtp
access-list inside_access_out extended permit tcp host 10.10.1.202 any eq smtp
access-list inside_access_out extended deny tcp any any eq smtp
access-list inside_access_out extended permit ip any any
0
 
Ernie BeekExpertCommented:
Eh, did you also issue: acces-group inside_access_out in interface inside ?

Assuming the name of your inside interface is 'inside'.
0
 
Ernie BeekExpertCommented:
Thanks for the points.

Regarding your outside accesslist, you might want to remove:


access-list outside_access_in extended permit tcp host 10.10.1.1 any eq smtp
access-list outside_access_in extended permit tcp host 10.10.1.202 any eq smtp
access-list outside_access_in extended deny tcp any any eq smtp


There's no need for those and there's allways an implicit 'deny all' at the end of an access list.
0

Featured Post

Get quick recovery of individual SharePoint items

Free tool – Veeam Explorer for Microsoft SharePoint, enables fast, easy restores of SharePoint sites, documents, libraries and lists — all with no agents to manage and no additional licenses to buy.

  • 4
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now