Restricting SMTP traffic to specific IP address ranges on a PIX 506e

We used to have our spam filter on the inside network; now we have outsourced to an outside spam filtering company. Our current setting is to allow all SMTP (port 25) traffic through our firewall to our Exchange 2003 server.

I want to restrict all SMTP traffic through the PIX 506 except from the following WAN IP address ranges:

194.116.198.0/23 (194.116.198.0 to 194.116.199.255) subnet 255.255.254.0
208.87.136.0/23 (208.87.136.0 to 208.87.137.255) subnet 255.255.254.0
203.100.58.0/24 (203.100.58.0 to 203.100.58.255) subnet 255.255.255.0

The current PIX access-list entry is:

access-list acl-out permit tcp any interface outside eq smtp

I'm just a bit rusty on adding the ranges.
techcontracting asked:

m_walker commented:
I can't remember which way it is on the PIX.
My 3750 does it this way:
access-list 110 permit tcp 172.30.0.0 0.0.255.255 any eq 22 log

so I would try

access-list acl-out permit tcp <network> <pattern> interface outside eq smtp
e.g. for 194.116.198.0/23
/23 = 23 bits = pattern (not mask) 0.0.1.255
access-list acl-out permit tcp 194.116.198.0 0.0.1.255 interface outside eq smtp

203.100.58.0/24
access-list acl-out permit tcp 203.100.58.0 0.0.0.255 interface outside eq smtp

Just check with the ? when you get to the "mask/pattern" and see if it wants a match pattern or subnet mask.
 
Draxonic commented:
http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/ab.html#wp1067755

access-list acl-out permit tcp 194.116.198.0 255.255.254.0 interface outside eq smtp
access-list acl-out permit tcp 208.87.136.0 255.255.254.0 interface outside eq smtp
access-list acl-out permit tcp 203.100.58.0 255.255.255.0 interface outside eq smtp

lrmoore commented:
PIX always uses subnet masks for access-lists, whereas routers and IOS-based switches always use wildcard masks.
Don't forget to remove the ACL entry permitting any interface outside eq smtp:
 no access-list acl-out permit tcp any interface outside eq smtp
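The two points made in this thread, that PIX entries take a subnet mask (255.255.254.0) while IOS entries take a wildcard mask (0.0.1.255), and that the old "permit tcp any" line must be removed or the new restrictions do nothing, are easy to get wrong by hand. The following script is an added example and is not code from the original thread or from Cisco; it renders the three ranges from the question in both syntaxes and then evaluates sample sender addresses against the resulting ordered ACL the way a firewall does (first match wins, implicit deny at the end). The sender ranges are taken from the question; the sample sender addresses and the function names are constructed for this example.

```python
import ipaddress

# The three WAN ranges the question wants to allow (from the question itself).
ALLOWED_SMTP_SOURCES = [
    "194.116.198.0/23",
    "208.87.136.0/23",
    "203.100.58.0/24",
]


def pix_acl_lines(acl_name, cidrs, iface="outside", port="smtp"):
    """Render PIX 6.x style entries: source network followed by a SUBNET mask.

    On the PIX, "interface outside" as the destination means the outside
    interface address, i.e. the public address the mail server is NATed to.
    """
    lines = []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=True)  # strict: host bits must be zero
        lines.append(
            f"access-list {acl_name} permit tcp {net.network_address} {net.netmask} "
            f"interface {iface} eq {port}"
        )
    return lines


def ios_acl_lines(acl_number, cidrs, port=25):
    """Render IOS router/switch style entries: same network, WILDCARD mask instead."""
    lines = []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=True)
        # hostmask is the inverted netmask, which is exactly the IOS wildcard.
        lines.append(
            f"access-list {acl_number} permit tcp {net.network_address} {net.hostmask} "
            f"any eq {port}"
        )
    return lines


def build_rules(cidrs, keep_any=False, port=25):
    """Ordered rule list as (action, source_cidr, dst_port) tuples.

    keep_any=True models forgetting to remove the original
    "permit tcp any interface outside eq smtp" entry.
    """
    rules = [("permit", cidr, port) for cidr in cidrs]
    if keep_any:
        rules.append(("permit", "0.0.0.0/0", port))
    return rules


def first_match(rules, src_ip, dst_port=25):
    """Evaluate the ACL like a firewall: first matching entry wins,
    and a packet matching no entry is dropped (implicit deny)."""
    addr = ipaddress.ip_address(src_ip)
    for action, cidr, port in rules:
        if port == dst_port and addr in ipaddress.ip_network(cidr, strict=False):
            return action
    return "deny"


if __name__ == "__main__":
    print("# PIX syntax (subnet mask):")
    for line in pix_acl_lines("acl-out", ALLOWED_SMTP_SOURCES):
        print(line)
    print("# IOS syntax (wildcard mask):")
    for line in ios_acl_lines(110, ALLOWED_SMTP_SOURCES):
        print(line)

    # Constructed sample senders: one inside an allowed range, one outside it.
    for sender in ("194.116.199.77", "198.51.100.10"):
        tight = first_match(build_rules(ALLOWED_SMTP_SOURCES), sender)
        loose = first_match(build_rules(ALLOWED_SMTP_SOURCES, keep_any=True), sender)
        print(f"{sender}: restricted ACL -> {tight}, with old 'any' line left in -> {loose}")
```

Running it shows why lrmoore's reminder matters: with the old "any" entry still present, 198.51.100.10 is permitted on port 25 regardless of the three new lines, and only after that entry is removed does the implicit deny take effect for senders outside the filtering service's ranges.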
techcontracting (author) commented:
Hey guys, thanks for all your help... I had the config in there except I had "tcp host" instead of just "tcp"; thanks for the clarification... works like a dream.

Thanks again,
Shawn
techcontracting (author) commented:
Worked great... thanks!