How to Block all outbound SMTP except Exchange Server

Discussion in 'Cisco' started by Ross, Jul 20, 2007.

  1. Ross

    Ross Guest

    Hi there,
    I have a Cisco PIX 515e version 7.2, and I have an Exchange email server
    inside the firewall, which are all working well.
    Right now, I'm trying to block all outgoing SMTP traffic (over port 25),
    except from my company's Exchange server.
    Any idea about how to do this is appreciated.
    Ross
     
    Ross, Jul 20, 2007
    #1

  2. Ross

    Guest

    On Jul 20, 5:37 pm, "Ross" <> wrote:
    > Hi there,
    > I have a Cisco PIX 515e version 7.2, and I have an Exchange email server
    > inside the firewall, which are all working well.
    > Right now, I'm trying to block all outgoing SMTP traffic (over port 25),
    > except from my company's Exchange server.
    > Any idea about how to do this is appreciated.
    > Ross


    ! 10.1.1.1 is the IP address of Exchange
    access-list SMTP-CONTROL permit tcp host 10.1.1.1 any eq smtp
    access-list SMTP-CONTROL deny tcp any any eq smtp
    ! needed because every access-list ends with an implicit deny any any
    access-list SMTP-CONTROL permit ip any any
    !
    access-group SMTP-CONTROL in interface inside
    !

    Since the access-list gets executed in order, line one runs first and
    won't make it to line two unless it is a TCP connection on port 25 with
    a different IP address. Remember if anyone tries to send any mail
    except the exchange server it will be blocked.
     
    , Jul 21, 2007
    #2

  3. Ross

    GNY Guest

    On Jul 20, 10:31 pm, wrote:
    > On Jul 20, 5:37 pm, "Ross" <> wrote:
    >
    > > Hi there,
    > > I have a Cisco PIX 515e version 7.2, and I have an Exchange email server
    > > inside the firewall, which are all working well.
    > > Right now, I'm trying to block all outgoing SMTP traffic (over port 25),
    > > except from my company's Exchange server.
    > > Any idea about how to do this is appreciated.
    > > Ross

    >
    > access-list SMTP-CONTROL permit tcp host 10.1.1.1 any eq smtp ! Where
    > 10.1.1.1 is the IP address of Exchange
    > access-list SMTP-CONTROL deny tcp any any eq smtp
    > access-list SMTP-CONTROL permit ip any any ! implicit deny any any
    > !
    > access-group SMTP-CONTROL in interface inside
    > !
    >
    > Since the access-list gets executed in order, line one runs first and
    > won't make it to line two unless it is a TCP connection on port 25 with
    > a different IP address. Remember if anyone tries to send any mail
    > except the exchange server it will be blocked.


    Sorry to thread jack .. But on an ASA if I was trying to do something
    similar would I have to assign this access-list to an interface? Or is
    this only for IOS routers where you have to assign the ACL to an
    interface?

    Thanks and sorry again ..

    GNY
     
    GNY, Jul 21, 2007
    #3
  4. Ross

    Chris Guest

    On Sat, 21 Jul 2007 15:43:39 -0000, GNY wrote:

    > On Jul 20, 10:31 pm, wrote:
    >> On Jul 20, 5:37 pm, "Ross" <> wrote:
    >>
    >>> Hi there,
    >>> I have a Cisco PIX 515e version 7.2, and I have an Exchange email server
    >>> inside the firewall, which are all working well.
    >>> Right now, I'm trying to block all outgoing SMTP traffic (over port 25),
    >>> except from my company's Exchange server.
    >>> Any idea about how to do this is appreciated.
    >>> Ross

    >>
    >> access-list SMTP-CONTROL permit tcp host 10.1.1.1 any eq smtp ! Where
    >> 10.1.1.1 is the IP address of Exchange
    >> access-list SMTP-CONTROL deny tcp any any eq smtp
    >> access-list SMTP-CONTROL permit ip any any ! implicit deny any any
    >> !
    >> access-group SMTP-CONTROL in interface inside
    >> !
    >>
    >> Since the access-list gets executed in order, line one runs first and
    >> won't make it to line two unless it is a TCP connection on port 25 with
    >> a different IP address. Remember if anyone tries to send any mail
    >> except the exchange server it will be blocked.

    >
    > Sorry to thread jack .. But on an ASA if I was trying to do something
    > similar would I have to assign this access-list to an interface? Or is
    > this only for IOS routers where you have to assign the ACL to an
    > interface?
    >
    > Thanks and sorry again ..
    >
    > GNY



    The example above is for a Pix version 7.x, which is essentially the same
    as an ASA. So yes, you have to apply the access-list to an interface.

    Chris.
     
    Chris, Jul 21, 2007
    #4
  5. Ross

    Ross Guest

    Thanks to everyone!
    It works well with blocking SMTP.
    But it stopped the blocking of bitTorrent. I had a setup for blocking
    bitTorrent, but once I enabled the SMTP blocking, the bitTorrent traffic
    became available again.
    Why?

    BTW, here was my setup for blocking BT:
    access-list block_BT deny tcp any any range 6881 6999
    access-list block_BT permit ip any any
    access-group block_BT in interface inside

    Any idea would be appreciated again,
    Ross

    <> wrote in message
    news:...
    > On Jul 20, 5:37 pm, "Ross" <> wrote:
    >> Hi there,
    >> I have a Cisco PIX 515e version 7.2, and I have an Exchange email server
    >> inside the firewall, which are all working well.
    >> Right now, I'm trying to block all outgoing SMTP traffic (over port 25),
    >> except from my company's Exchange server.
    >> Any idea about how to do this is appreciated.
    >> Ross

    >
    > access-list SMTP-CONTROL permit tcp host 10.1.1.1 any eq smtp ! Where
    > 10.1.1.1 is the IP address of Exchange
    > access-list SMTP-CONTROL deny tcp any any eq smtp
    > access-list SMTP-CONTROL permit ip any any ! implicit deny any any
    > !
    > access-group SMTP-CONTROL in interface inside
    > !
    >
    > Since the access-list gets executed in order, line one runs first and
    > won't make it to line two unless it is a TCP connection on port 25 with
    > a different IP address. Remember if anyone tries to send any mail
    > except the exchange server it will be blocked.
    >
     
    Ross, Jul 23, 2007
    #5
  6. Ross

    James Guest

    You can only have one access-list bound to an interface (on an IOS
    router you can have two, one in each direction) so you need to combine
    your entries to look something like this:-

    ! 10.1.1.1 is the IP address of Exchange
    access-list Outbound permit tcp host 10.1.1.1 any eq smtp
    access-list Outbound deny tcp any any eq smtp
    access-list Outbound deny tcp any any range 6881 6999
    access-list Outbound permit ip any any

    access-group Outbound in interface inside

    James
     
    James, Jul 24, 2007
    #6
  7. Ross

    Ross Guest

    Thank you James! It works.

    One more question - if I need to combine one more entry in the future (e.g.
    blocking eDonkey), could I simply run one command "access-list Outbound deny
    tcp any any eq 4662" without running all the command list you provided from
    beginning?
    Thanks again,
    Ross

    "James" <> wrote in message
    news:...
    >
    > You can only have one access-list bound to an interface (on an IOS
    > router you can have two, one in each direction) so you need to combine
    > your entries to look something like this:-
    >
    > access-list Outbound permit tcp host 10.1.1.1 any eq smtp ! Where
    > 10.1.1.1 is the IP address of Exchange
    > access-list Outbound deny tcp any any eq smtp
    > access-list Outbound deny tcp any any range 6881 6999
    > access-list Outbound permit ip any any
    >
    > access-group Outbound in interface inside
    >
    > James
    >
     
    Ross, Jul 25, 2007
    #7
  8. Ross

    Rod Dorman Guest

    In article <9130c$46a74ea5$d1d95e48$>,
    Ross <> wrote:
    >One more question - if I need to combine one more entry in the future (e.g.
    >blocking eDonkey), could I simply run one command "access-list Outbound deny
    >tcp any any eq 4662" without running all the command list you provided from
    >beginning?


    I don't know what you mean by "running all the command list" but the
    general rule of thumb is the first match wins.

    --
    -- Rod --
    rodd(at)polylogics(dot)com
     
    Rod Dorman, Jul 25, 2007
    #8
  9. Ross

    Ross Guest

    Thanks Rod, and sorry for the confusion.
    My question was how to INSERT a new rule? For example, if I have a new email
    server (10.1.1.2) in the future, and want to allow its outgoing emails, I
    probably cannot just run "access-list Outbound permit tcp host 10.1.1.2 any
    eq smtp" because the first match wins as you said. Instead, I have to run
    "no access-group" and "no access-list" one by one, and re-add those rules
    one by one again.
    Thanks again,
    Ross

    "Rod Dorman" <> wrote in message
    news:f8830l$ipu$...
    > In article <9130c$46a74ea5$d1d95e48$>,
    > Ross <> wrote:
    >>One more question - if I need to combine one more entry in the future
    >>(e.g.
    >>blocking eDonkey), could I simply run one command "access-list Outbound
    >>deny
    >>tcp any any eq 4662" without running all the command list you provided
    >>from
    >>beginning?

    >
    > I don't know what you mean by "running all the command list" but the
    > general rule of thumb is the first match wins.
    >
    > --
    > -- Rod --
    > rodd(at)polylogics(dot)com
     
    Ross, Jul 25, 2007
    #9
  10. In article <a2408$46a79af1$d1d95e48$>,
    Ross <> wrote:
    >My question was how to INSERT a new rule? For example, if I have a new email
    >server (10.1.1.2) in the future, and want to allow its outgoing emails, I
    >probably can not just run "access-list Outbound permit tcp host 10.1.1.2 any
    >eq smtp" because the first match wins as you said. Instead, I have to run
    >"no access-group" and "no access-list" one by one, and re-add those rules
    >one by one again.


    In PIX 6.3 and later, use 'access-list' with the 'line' parameter. If
    the line already exists, the new line gets inserted -before- the
    existing line.

    http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/a1_72.html#wp1444018
     
    Walter Roberson, Jul 25, 2007
    #10
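    The three behaviours the thread turns on (first match wins in post #2, one access-group per interface in posts #5 and #6, and the 'line' parameter in post #10) can be modelled in a few lines. The Python below is an added illustration written for this page; it is not code from the thread, from Cisco, or from the PIX/ASA software. It assumes a minimal rule syntax (only 'any', 'host', 'eq', 'range' and the 'smtp' keyword), assumes that an inside interface with no access-group bound lets traffic out, and uses the thread's addresses plus a constructed client (10.1.1.50) and a constructed outside destination (203.0.113.9).

```python
# Toy model of the PIX/ASA access-list behaviour discussed in this thread: first
# match wins, implicit deny at the end, one access-group per interface/direction,
# and "line N" insertion. Added illustration, not Cisco code; the parser only
# understands the rule forms used in the thread.
from collections import namedtuple

Rule = namedtuple("Rule", "action proto src dst ports")  # ports: (lo, hi) or None
SERVICE_PORTS = {"smtp": 25}  # the only service keyword the thread uses

def _addr(t, i):  # 'any' or 'host A.B.C.D' at token i; returns (addr, next index)
    return ("any", i + 1) if t[i] == "any" else (t[i + 1], i + 2)

def _port(tok):
    return SERVICE_PORTS[tok] if tok in SERVICE_PORTS else int(tok)

def parse_rule(cmd):
    """access-list NAME [line N] permit|deny PROTO SRC DST [eq P | range LO HI]"""
    t = cmd.split()
    name, i, line = t[1], 2, None
    if t[i] == "line":
        line, i = int(t[i + 1]), i + 2
    action, proto, i = t[i], t[i + 1], i + 2
    src, i = _addr(t, i)
    dst, i = _addr(t, i)
    ports = None
    if i < len(t):  # optional "eq P" or "range LO HI"
        hi = t[i + 2] if t[i] == "range" else t[i + 1]
        ports = (_port(t[i + 1]), _port(hi))
    return name, line, Rule(action, proto, src, dst, ports)

def _matches(r, proto, src, dst, dport):
    return ((r.proto == "ip" or r.proto == proto) and r.src in ("any", src)
            and r.dst in ("any", dst)
            and (r.ports is None or r.ports[0] <= dport <= r.ports[1]))

class Firewall:
    def __init__(self):
        self.acls = {}      # name -> ordered list of Rule
        self.bindings = {}  # (interface, direction) -> ACL name

    def configure(self, cmd):
        if cmd.startswith("!"):  # comment line
            return
        t = cmd.split()
        if t[0] == "access-list":
            name, line, rule = parse_rule(cmd)
            rules = self.acls.setdefault(name, [])
            if line is None:
                rules.append(rule)            # no "line": appended at the end
            else:
                rules.insert(line - 1, rule)  # goes in before existing line N
        elif t[0] == "access-group":
            # access-group NAME in interface IFACE: one ACL per slot, so a second
            # access-group on the same interface replaces the first
            self.bindings[(t[4], t[2])] = t[1]

    def evaluate(self, iface, direction, proto, src, dst, dport):
        """Return (action, matching line number); the first match wins."""
        name = self.bindings.get((iface, direction))
        if name is None:
            return "permit", None  # assumption: nothing bound, inside may go out
        for n, rule in enumerate(self.acls[name], start=1):
            if _matches(rule, proto, src, dst, dport):
                return rule.action, n
        return "deny", None        # implicit deny any any at the end of the ACL

EXCHANGE, CLIENT, OUTSIDE = "10.1.1.1", "10.1.1.50", "203.0.113.9"  # constructed

def two_access_groups():
    """Post #5: binding SMTP-CONTROL after block_BT replaces it, so BT is open."""
    fw = Firewall()
    for cmd in ["access-list block_BT deny tcp any any range 6881 6999",
                "access-list block_BT permit ip any any",
                "access-group block_BT in interface inside",
                "access-list SMTP-CONTROL permit tcp host 10.1.1.1 any eq smtp",
                "access-list SMTP-CONTROL deny tcp any any eq smtp",
                "access-list SMTP-CONTROL permit ip any any",
                "access-group SMTP-CONTROL in interface inside"]:
        fw.configure(cmd)
    return {"bound": fw.bindings[("inside", "in")],
            "bt": fw.evaluate("inside", "in", "tcp", CLIENT, OUTSIDE, 6881)}

def combined_acl():
    """Post #6's single Outbound ACL, then post #10's 'line' insertion."""
    fw = Firewall()
    for cmd in ["access-list Outbound permit tcp host 10.1.1.1 any eq smtp",
                "access-list Outbound deny tcp any any eq smtp",
                "access-list Outbound deny tcp any any range 6881 6999",
                "access-list Outbound permit ip any any",
                "access-group Outbound in interface inside"]:
        fw.configure(cmd)
    flow = lambda src, port: fw.evaluate("inside", "in", "tcp", src, OUTSIDE, port)
    before = {"exchange_smtp": flow(EXCHANGE, 25), "client_smtp": flow(CLIENT, 25),
              "client_bt": flow(CLIENT, 6999), "client_https": flow(CLIENT, 443)}
    # Appending a permit for a second mail server lands after the deny, so it can
    # never match; inserting with "line 2" puts it before the deny instead.
    fw.configure("access-list Outbound permit tcp host 10.1.1.3 any eq smtp")
    fw.configure("access-list Outbound line 2 permit tcp host 10.1.1.2 any eq smtp")
    after = {"appended_10.1.1.3": flow("10.1.1.3", 25),
             "inserted_10.1.1.2": flow("10.1.1.2", 25),
             "client_smtp": flow(CLIENT, 25)}
    return {"before": before, "after": after}
```

    Calling two_access_groups() shows the inside slot now holding SMTP-CONTROL and a BitTorrent flow permitted by its final permit ip any any; combined_acl() returns the line each flow matched, which is how to check on a real box too (the hit counts in 'show access-list' tell you which line a flow landed on). The model keeps the ACL as an ordered list and returns the matching line number, because that number is the whole story: a permit appended after a broader deny is unreachable, while the same permit inserted with 'line 2' sits above the deny and works.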
  11. Ross

    Ross Guest

    Wonderful!
    Thanks a lot, Walter!
    Ross

    "Walter Roberson" <> wrote in message
    news:HCNpi.5731$fJ5.4769@pd7urf1no...
    > In article <a2408$46a79af1$d1d95e48$>,
    > Ross <> wrote:
    >>My question was how to INSERT a new rule? For example, if I have a new
    >>email
    >>server (10.1.1.2) in the future, and want to allow its outgoing emails, I
    >>probably can not just run "access-list Outbound permit tcp host 10.1.1.2
    >>any
    >>eq smtp" because the first match wins as you said. Instead, I have to run
    >>"no access-group" and "no access-list" one by one, and re-add those rules
    >>one by one again.

    >
    > In PIX 6.3 and later, use 'access-list' with the 'line' parameter. If
    > the line already exists, the new line gets inserted -before- the
    > existing line.
    >
    > http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/a1_72.html#wp1444018
     
    Ross, Jul 25, 2007
    #11