Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17


Restricting smtp traffic to specific IP address ranges PIX 506e

Posted on 2011-03-22
Medium Priority
Last Modified: 2012-05-11
We used to have our spam filter on the inside network; now we have outsourced to an outside spam filtering company.  Our current setting is to allow all smtp (port 25) traffic through our firewall to our Exchange 2003 server.  

I want to restrict all smtp traffic through the PIX 506 except from the following WAN IP address ranges: ( to subnet ( to subnet ( to subnet

current Pix access list entry is:

access-list acl-out permit tcp any interface outside eq smtp

I'm just a bit rusty on adding the ranges.
Question by:techcontracting
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions

Expert Comment

ID: 35195809
I cant remember which why it is on the pix.
My 3750 does it this way
access-list 110 permit tcp any eq 22 log

so I would try

access-list acl-out permit tcp <network> <pattern> interface outside eq smtp
eg: for
/23 = 23 bits = pattern (not mask)
access-list acl-out permit tcp interface outside eq smtp
access-list acl-out permit tcp interface outside eq smtp

just check with the ? when you get to the "mask/pattern" and see if it wants a match pattern or subnet mask.

Accepted Solution

Draxonic earned 2000 total points
ID: 35196104

access-list acl-out permit tcp interface outside eq smtp
access-list acl-out permit tcp interface outside eq smtp
access-list acl-out permit tcp interface outside eq smtp

LVL 79

Expert Comment

ID: 35197703
PIX always uses subnet masks for access-lists, where routers and IOS based switches always use wildcard masks.
Don't forget to remove the acl entry permitting any interface outside eq smtp
 no acl-out permit any interface outside eq smtp

Author Comment

ID: 35204089
Hey guys thanks for all your help... I had the config in there except I had "tcp host" instead of just "tcp";  thanks for the clarification... works like a dream.

Thanks again,

Author Closing Comment

ID: 35204095
Worked great... thanks!

Featured Post

Free Backup Tool for VMware and Hyper-V

Restore full virtual machine or individual guest files from 19 common file systems directly from the backup file. Schedule VM backups with PowerShell scripts. Set desired time, lean back and let the script to notify you via email upon completion.  

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A 2007 NCSA Cyber Security survey revealed that a mere 4% of the population has a full understanding of firewalls. As business owner, you should be part of that 4% that has a full understanding.
There’s a movement in Information Technology (IT), and while it’s hard to define, it is gaining momentum. Some call it “stream-lined IT;” others call it “thin-model IT.”
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…
Suggested Courses

704 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question