Block SMTP on ASA 5500

Hello we would like it so that only the exchange server is allowed to send email out from the network. We have had some issues where users have taken their virus infected home computer to the office. How can we setup the ASA so that it only allows the exchange server to send email on port 25?

This is my acl:

access-list outside_access_in extended permit tcp any host 213.145.177.74 eq smtp
access-list outside_access_in extended permit tcp any host 213.145.177.74 eq https
access-list outside_access_in extended permit tcp host 10.10.1.1 any eq smtp
access-list outside_access_in extended permit tcp host 10.10.1.202 any eq smtp
access-list outside_access_in extended deny tcp any any eq smtp

LVL 1
daxa78Asked:
Who is Participating?
 
Ernie BeekConnect With a Mentor ExpertCommented:
You have to create an accesslist on the inside interface, something like:

access-list inside_access_out extended permit tcp host x.x.x.x any eq smtp (x.x.x.x = exchange server)
access-list inside_access_out extended deny tcp any any eq smtp
access-list inside_access_out extended permit ip any any


That should do the trick.
0
 
daxa78Author Commented:
So i should just delete those other acl?

Thx
0
 
Ernie BeekExpertCommented:
Well, no. Those are the incoming rules. I think you still want your exchange server to be reachable don't you? You might to have a look to see if anything can be removed (i see three times incoming smtp).
0
Prepare for an Exciting Career in Cybersecurity

Help prevent cyber-threats and provide solutions to safeguard our global digital economy. Earn your MS in Cybersecurity. WGU’s MSCSIA degree program curriculum features two internationally recognized certifications from the EC-Council at no additional time or cost.

 
daxa78Author Commented:
Did not work this is what my acl looks like now.

All host on the network can still connect to smtp servers on the outside.

access-list inside_access_out extended permit tcp host 10.10.1.1 any eq smtp
access-list inside_access_out extended permit tcp host 10.10.1.202 any eq smtp
access-list inside_access_out extended deny tcp any any eq smtp
access-list inside_access_out extended permit ip any any
0
 
Ernie BeekConnect With a Mentor ExpertCommented:
Eh, did you also issue: acces-group inside_access_out in interface inside ?

Assuming the name of your inside interface is 'inside'.
0
 
Ernie BeekExpertCommented:
Thanks for the points.

Regarding your outside accesslist, you might want to remove:


access-list outside_access_in extended permit tcp host 10.10.1.1 any eq smtp
access-list outside_access_in extended permit tcp host 10.10.1.202 any eq smtp
access-list outside_access_in extended deny tcp any any eq smtp


There's no need for those and there's allways an implicit 'deny all' at the end of an access list.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.