PIX 501-Closing SMTP to all inside addresses except Server

Discussion in 'Cisco' started by Mac Hammer, Jun 20, 2005.

  1. Mac Hammer

    Mac Hammer Guest

    Hi everyone,

    One of my clients has been added to a DNS Blacklist and one of the
    recommended fixes by the blacklist is to turn off all ability for any
    machine inside the firewall to route Port 25 traffic through the PIX501
    except the legitimate mail server on the network. I am not a pro at
    creating these config statements, only having to touch the PIX501 about
    once a year for modest changes that can usually be duplicated from
    other statements already created.

    Could someone please provide me sample statements that would allow a
    designated mail server to pass SMTP traffic to the outside world while
    denying any other machine the ability to do so? I would appreciate it
    very much!

    Thank you in advance for your assistance.

    Mac Hammer
    Chandler, AZ
     
    Mac Hammer, Jun 20, 2005
    #1

  2. "Mac Hammer" <> wrote:

    > Could someone please provide me sample statements that would
    > allow a designated mail server to pass SMTP traffic to the
    > outside world while denying any other machine the ability to
    > do so?


    Email server = 192.168.0.1

    Add the lines below to your existing access-list (you can see
    the name from line "access-group [NAME] in interface inside").
    Note that the order of the access-list lines makes a difference.
    You may want to put the below access-list lines at the top of
    your list because there can be other lines which permit also
    smtp traffic.

    access-list [NAME] permit tcp host 192.168.0.1 any eq 25
    access-list [NAME] deny tcp any any eq 25
     
    Jyri Korhonen, Jun 20, 2005
    #2

  3. Mac Hammer

    Mac Hammer Guest

    Thank you!

    I am almost there. I have been talking with one of my colleagues and we
    added these lines:

    access-list inside permit tcp 192.168.1.2 any host 25
    access list inside deny tcp any host any host 25

    This does NOT block 25 traffic for the site. So we added:

    access-group inside in interface inside

    That successfully blocked port 25 traffic! It also blocked pretty much
    any other traffic, so I undid that one!!! :)

    But I still haven't quite gotten there if you can provide additional
    ideas...

    Thank you all.

    Mac Hammer
     
    Mac Hammer, Jun 21, 2005
    #3
  4. Mac Hammer

    Mac Hammer Guest

    Sorry, amend my last to include the "eq 25" on the end of each line.

    Mac Hammer
     
    Mac Hammer, Jun 21, 2005
    #4
  6. "Mac Hammer" <> wrote:

    > I am almost there. I have been talking with one of my
    > colleagues and we added these lines:
    >
    > access-list inside permit tcp 192.168.1.2 any host 25
    > access list inside deny tcp any host any host 25
    >
    > This does NOT block 25 traffic for the site. So we added:
    >
    > access-group inside in interface inside
    >
    > That successfully blocked port 25 traffic! It also blocked
    > pretty much any other traffic, so I undid that one!!! :)


    So you didn't have an access-group bound to the inside
    interface before this. Then you need:

    Email server = 192.168.0.1

    access-list inside permit tcp host 192.168.0.1 any eq 25
    access-list inside deny tcp any any eq 25
    access-list inside permit ip any any
    access-group inside in interface inside

    The above has too many any's for my taste but you can
    start with that and tighten it later when you know what
    kind of accesses you need besides SMTP.
     
    Jyri Korhonen, Jun 21, 2005
    #6