Velocity Reviews - Computer Hardware Reviews

How to Block all outbound SMTP except Exchange Server

 
 
Ross
07-20-2007
Hi there,
I have a Cisco PIX 515e version 7.2, and I have an Exchange email server
inside the firewall, which are all working well.
Right now, I'm trying to block all outgoing SMTP traffic (over port 25),
except from my company's Exchange server.
Any idea about how to do this is appreciated.
Ross


 
 
 
 
 
gcave@routergod.com
07-21-2007
On Jul 20, 5:37 pm, "Ross" <(E-Mail Removed)> wrote:
> Hi there,
> I have a Cisco PIX 515e version 7.2, and I have an Exchange email server
> inside the firewall, which are all working well.
> Right now, I'm trying to block all outgoing SMTP traffic (over port 25),
> except from my company's Exchange server.
> Any idea about how to do this is appreciated.
> Ross


! Where 10.1.1.1 is the IP address of Exchange
access-list SMTP-CONTROL permit tcp host 10.1.1.1 any eq smtp
access-list SMTP-CONTROL deny tcp any any eq smtp
! needed: without it the list ends in the implicit deny any any
access-list SMTP-CONTROL permit ip any any
!
access-group SMTP-CONTROL in interface inside
!

Since the access-list gets executed in order, line one runs first and
won't make it to line two unless it is a TCP connection on port 25 with
a different IP address. Remember if anyone tries to send any mail
except the Exchange server it will be blocked.

 
 
 
 
 
GNY
07-21-2007
On Jul 20, 10:31 pm, (E-Mail Removed) wrote:
> On Jul 20, 5:37 pm, "Ross" <(E-Mail Removed)> wrote:
>
> > Hi there,
> > I have a Cisco PIX 515e version 7.2, and I have an Exchange email server
> > inside the firewall, which are all working well.
> > Right now, I'm trying to block all outgoing SMTP traffic (over port 25),
> > except from my company's Exchange server.
> > Any idea about how to do this is appreciated.
> > Ross

>
> ! Where 10.1.1.1 is the IP address of Exchange
> access-list SMTP-CONTROL permit tcp host 10.1.1.1 any eq smtp
> access-list SMTP-CONTROL deny tcp any any eq smtp
> ! needed: without it the list ends in the implicit deny any any
> access-list SMTP-CONTROL permit ip any any
> !
> access-group SMTP-CONTROL in interface inside
> !
>
> Since the access-list gets executed in order, line one runs first and
> won't make it to line two unless it is a TCP connection on port 25 with
> a different IP address. Remember if anyone tries to send any mail
> except the Exchange server it will be blocked.


Sorry to thread jack .. But on an ASA if I was trying to do something
similar would I have to assign this access-list to an interface? Or is
this only for IOS routers where you have to assign the ACL to an
interface?

Thanks and sorry again ..

GNY

 
 
Chris
07-21-2007
On Sat, 21 Jul 2007 15:43:39 -0000, GNY wrote:

> On Jul 20, 10:31 pm, (E-Mail Removed) wrote:
>> On Jul 20, 5:37 pm, "Ross" <(E-Mail Removed)> wrote:
>>
>>> Hi there,
>>> I have a Cisco PIX 515e version 7.2, and I have an Exchange email server
>>> inside the firewall, which are all working well.
>>> Right now, I'm trying to block all outgoing SMTP traffic (over port 25),
>>> except from my company's Exchange server.
>>> Any idea about how to do this is appreciated.
>>> Ross

>>
>> ! Where 10.1.1.1 is the IP address of Exchange
>> access-list SMTP-CONTROL permit tcp host 10.1.1.1 any eq smtp
>> access-list SMTP-CONTROL deny tcp any any eq smtp
>> ! needed: without it the list ends in the implicit deny any any
>> access-list SMTP-CONTROL permit ip any any
>> !
>> access-group SMTP-CONTROL in interface inside
>> !
>>
>> Since the access-list gets executed in order, line one runs first and
>> won't make it to line two unless it is a TCP connection on port 25 with
>> a different IP address. Remember if anyone tries to send any mail
>> except the Exchange server it will be blocked.

>
> Sorry to thread jack .. But on an ASA if I was trying to do something
> similar would I have to assign this access-list to an interface? Or is
> this only for IOS routers where you have to assign the ACL to an
> interface?
>
> Thanks and sorry again ..
>
> GNY



The example above is for a Pix version 7.x, which is essentially the same
as an ASA. So yes, you have to apply the access-list to an interface.

Chris.
 
 
Ross
07-23-2007
Thanks to everyone!
It works well with blocking SMTP.
But it stopped the blocking of bitTorrent. I had a setup for blocking
bitTorrent, but once I enabled the SMTP blocking, the bitTorrent traffic
became available again.
Why?

BTW, here was my setup for blocking BT:
access-list block_BT deny tcp any any range 6881 6999
access-list block_BT permit ip any any
access-group block_BT in interface inside

Any idea would be appreciated again,
Ross

<(E-Mail Removed)> wrote in message
news:(E-Mail Removed) oups.com...
> On Jul 20, 5:37 pm, "Ross" <(E-Mail Removed)> wrote:
>> Hi there,
>> I have a Cisco PIX 515e version 7.2, and I have an Exchange email server
>> inside the firewall, which are all working well.
>> Right now, I'm trying to block all outgoing SMTP traffic (over port 25),
>> except from my company's Exchange server.
>> Any idea about how to do this is appreciated.
>> Ross

>
> ! Where 10.1.1.1 is the IP address of Exchange
> access-list SMTP-CONTROL permit tcp host 10.1.1.1 any eq smtp
> access-list SMTP-CONTROL deny tcp any any eq smtp
> ! needed: without it the list ends in the implicit deny any any
> access-list SMTP-CONTROL permit ip any any
> !
> access-group SMTP-CONTROL in interface inside
> !
>
> Since the access-list gets executed in order, line one runs first and
> won't make it to line two unless it is a TCP connection on port 25 with
> a different IP address. Remember if anyone tries to send any mail
> except the Exchange server it will be blocked.
>



 
 
James
07-24-2007

You can only have one access-list bound to an interface (on an IOS
router you can have two, one in each direction) so you need to combine
your entries to look something like this:-

! Where 10.1.1.1 is the IP address of Exchange
access-list Outbound permit tcp host 10.1.1.1 any eq smtp
access-list Outbound deny tcp any any eq smtp
access-list Outbound deny tcp any any range 6881 6999
access-list Outbound permit ip any any

access-group Outbound in interface inside

James

 
 
Ross
07-25-2007
Thank you James! It works.

One more question - if I need to combine one more entry in the future (e.g.
blocking eDonkey), could I simply run one command "access-list Outbound deny
tcp any any eq 4662" without running all the command list you provided from
beginning?
Thanks again,
Ross

"James" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) ps.com...
>
> You can only have one access-list bound to an interface (on an IOS
> router you can have two, one in each direction) so you need to combine
> your entries to look something like this:-
>
> ! Where 10.1.1.1 is the IP address of Exchange
> access-list Outbound permit tcp host 10.1.1.1 any eq smtp
> access-list Outbound deny tcp any any eq smtp
> access-list Outbound deny tcp any any range 6881 6999
> access-list Outbound permit ip any any
>
> access-group Outbound in interface inside
>
> James
>



 
 
Rod Dorman
07-25-2007
In article <9130c$46a74ea5$d1d95e48$(E-Mail Removed)>,
Ross <(E-Mail Removed)> wrote:
>One more question - if I need to combine one more entry in the future (e.g.
>blocking eDonkey), could I simply run one command "access-list Outbound deny
>tcp any any eq 4662" without running all the command list you provided from
>beginning?


I don't know what you mean by "running all the command list" but the
general rule of thumb is the first match wins.

--
-- Rod --
rodd(at)polylogics(dot)com
 
 
Ross
07-25-2007
Thanks Rod, and sorry for the confusion.
My question was how to INSERT a new rule? For example, if I have a new email
server (10.1.1.2) in the future, and want to allow its outgoing emails, I
probably can not just run "access-list Outbound permit tcp host 10.1.1.2 any
eq smtp" because the first match wins as you said. Instead, I have to run
"no access-group" and "no access-list" one by one, and re-add those rules
one by one again.
Thanks again,
Ross

"Rod Dorman" <(E-Mail Removed)> wrote in message
news:f8830l$ipu$(E-Mail Removed)...
> In article <9130c$46a74ea5$d1d95e48$(E-Mail Removed)>,
> Ross <(E-Mail Removed)> wrote:
>>One more question - if I need to combine one more entry in the future (e.g.
>>blocking eDonkey), could I simply run one command "access-list Outbound deny
>>tcp any any eq 4662" without running all the command list you provided from
>>beginning?

>
> I don't know what you mean by "running all the command list" but the
> general rule of thumb is the first match wins.
>
> --
> -- Rod --
> rodd(at)polylogics(dot)com



 
 
Walter Roberson
07-25-2007
In article <a2408$46a79af1$d1d95e48$(E-Mail Removed)>,
Ross <(E-Mail Removed)> wrote:
>My question was how to INSERT a new rule? For example, if I have a new email
>server (10.1.1.2) in the future, and want to allow its outgoing emails, I
>probably can not just run "access-list Outbound permit tcp host 10.1.1.2 any
>eq smtp" because the first match wins as you said. Instead, I have to run
>"no access-group" and "no access-list" one by one, and re-add those rules
>one by one again.


In PIX 6.3 and later, use 'access-list' with the 'line' parameter. If
the line already exists, the new line gets inserted -before- the
existing line.

http://www.cisco.com/en/US/docs/secu...html#wp1444018
 
 
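Added example, not code from the thread or from Cisco: a small Python model of the first-match evaluation the replies describe, built around James's combined Outbound list. It shows why Ross's block_BT list stopped working once SMTP-CONTROL was bound to the inside interface in its place, and why a second mail server appended after the "deny tcp any any eq smtp" line never matches while inserting it at line 2 (what Walter's `line` parameter does) works. The Ace class, evaluate, insert_line and show_access_list are assumptions of this model, not PIX commands.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

SMTP = 25

@dataclass(frozen=True)
class Ace:
    """One access-list entry: action, protocol, source host or 'any', destination port range or None."""
    action: str
    proto: str
    src: str
    ports: Optional[Tuple[int, int]]

    def matches(self, proto: str, src: str, dport: int) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if self.src != "any" and self.src != src:
            return False
        return self.ports is None or self.ports[0] <= dport <= self.ports[1]

def evaluate(acl: List[Ace], proto: str, src: str, dport: int) -> str:
    """First match wins; traffic that no line matches falls into the implicit deny at the end."""
    for ace in acl:
        if ace.matches(proto, src, dport):
            return ace.action
    return "deny"

def insert_line(acl: List[Ace], line: int, ace: Ace) -> List[Ace]:
    """Model of 'access-list NAME line N ...': the new entry goes in front of the entry now at line N."""
    new = list(acl)
    new.insert(line - 1, ace)
    return new

def show_access_list(acl: List[Ace]) -> List[str]:
    """Numbered listing in the spirit of 'show access-list', so the line numbers for insert_line are visible."""
    return [f"line {i} {a.action} {a.proto} {a.src} ports={a.ports}" for i, a in enumerate(acl, 1)]

# James's combined "Outbound" list, transcribed from the thread (constructed test data)
OUTBOUND = [
    Ace("permit", "tcp", "10.1.1.1", (SMTP, SMTP)),  # the Exchange server
    Ace("deny", "tcp", "any", (SMTP, SMTP)),         # everyone else on port 25
    Ace("deny", "tcp", "any", (6881, 6999)),         # BitTorrent port range
    Ace("permit", "ip", "any", None),                # otherwise the implicit deny blocks everything
]

# Ross's two separate lists; only one can be bound to "inside", so the last access-group applied wins
SMTP_CONTROL = [OUTBOUND[0], OUTBOUND[1], OUTBOUND[3]]
BLOCK_BT = [OUTBOUND[2], OUTBOUND[3]]
```

With SMTP_CONTROL alone in effect, a BitTorrent connection falls through to the final permit, which is the behaviour Ross reported.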
 
 