Adding Access Rules so only specific IP ranges can hit port 25

We have a Cisco ASA Firewall and Exchange 2013. We're utilizing Barracuda's cloud-based SPAM filtering solution but SPAM is still coming in outside of the SPAM filter. Barracuda recommended limiting access so that their IP ranges are the only IPs that can hit port 25 (64.235.144.0/20 and 209.222.80.0/21).

I know enough to configure but really would love some help on adding the Access Rules on the ASA.

Thanks!
pstiffsae Asked:
 
Patrick Bogers (Datacenter platform engineer, Lindows) Commented:
Hi

Maybe it is easier to configure in Exchange so your receive connector only accepts forwarded mail from the Barracuda range?
Very easy to configure.

Cheers
1
 
kevinhsieh Commented:
I would create a new network group and add the two networks to that group. Go to the existing security rule that allows inbound port 25/SMTP, and change the source IP from any to the new group that you created.

If you need further assistance, you can contact Cisco TAC or submit a Live request here in E-E.
0
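
The change described in the comment above, written out as ASA CLI. This is an added example, not part of the original thread; the ACL name OUTSIDE_IN, the interface name outside, the group name BARRACUDA_ESS and the addresses 192.0.2.25 (mail server real IP) and 203.0.113.25 (its public mapped IP) are assumptions, so substitute the values from your own running config.

```cisco
! Added example. ACL, interface and group names and the server
! addresses are placeholders (assumptions), not values from the thread.
!
! 1. Group the two Barracuda ranges quoted in the question.
!    /20 = 255.255.240.0, /21 = 255.255.248.0
object-group network BARRACUDA_ESS
 description Barracuda cloud filter source ranges
 network-object 64.235.144.0 255.255.240.0
 network-object 209.222.80.0 255.255.248.0
!
! 2. Find the existing inbound SMTP rule and note its exact text.
show running-config access-list OUTSIDE_IN | include smtp
!
! 3. Add the restricted permit first, then remove the old "any" permit,
!    so mail from the filter is never interrupted. On ASA 8.3 and later
!    the ACL references the server's real (untranslated) address.
access-list OUTSIDE_IN line 1 extended permit tcp object-group BARRACUDA_ESS host 192.0.2.25 eq smtp
no access-list OUTSIDE_IN extended permit tcp any host 192.0.2.25 eq smtp
!
! 4. Verify from privileged EXEC. packet-tracer targets the mapped
!    (public) address, as a real inbound packet would.
show access-list OUTSIDE_IN | include smtp
packet-tracer input outside tcp 64.235.144.10 12345 203.0.113.25 25
packet-tracer input outside tcp 198.51.100.7 12345 203.0.113.25 25
```

The first trace uses a source inside a Barracuda range and the second a constructed outside address; with no other rule permitting SMTP to the server, only the first should pass the access-list check.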
 
pstiffsae (Author) Commented:
@Patrick Bogers - I'm fairly familiar with updating the receive connectors but am a bit rusty. By default, we have Client Front End EMAIL (server name is EMAIL) - Frontend Transport, Client Proxy EMAIL - Hubtransport, Default EMAIL - Hubtransport, Default Frontend EMAIL - Frontend Transport, Outbound Proxy Frontend Email - Hubtransport. All are currently set up to allow ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff and 0.0.0.0-255.255.255.255 to receive e-mail from these remote IPs.

@kevinhsieh - I'll check the firewall and see if I can't schedule a Live request as well
0
 
Patrick Bogers (Datacenter platform engineer, Lindows) Commented:
Hi pstiffsae,

Check the one that is serving on port 25, it is only one (prob Default Frontend)

Cheers
0
 
pstiffsae (Author) Commented:
Thank you for helping me get this resolved!
0
 
kevinhsieh Commented:
FYI, document this well! As someone coming in, I would expect this to be restricted at the perimeter firewall.
0
Question has a verified solution.
