Setting incoming mail to only accept mail from Postini addresses on PIX

Discussion in 'Cisco' started by brizzad505, Oct 14, 2011.

brizzad505 (Joined: Oct 14, 2011; Messages: 1)
I took over the IT as Manager/Engineer here at this company about 6 months ago from a Managed Service Provider. I implemented Postini mail security, but I am also getting spam coming through that seems to be circumventing Postini and hitting my org. I am no Cisco guru, and from what I have seen, you guys are.

What command should I put in or alter in the firewall to allow mail from only the IP ranges for Postini?

This is from Postini's website:
    IP Range
    64.18.0.0 - 64.18.15.255

    CIDR Range
    64.18.0.0/20 64.18.0.0

    IP/Subnet Mask Pair
    64.18.0.0
    mask 255.255.240.0

    Notice what I highlighted in red in the config. Does that look a little funny? Seems like it may be a contradiction in the rules.


    Here is my PIX sh run:

    PIX Version 6.3(5)
    interface ethernet0 100full
    interface ethernet1 100full
    interface ethernet2 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 failover security10
    enable password ************** encrypted
    passwd ***************** encrypted
    hostname PixPrimary01
    domain-name wr
    clock summer-time EST recurring
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol h323 ras 3230-3237
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol pptp 1723
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    no fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    name 192.168.1.7 TS2_Internal
    name 192.168.1.8 TS3_Internal
    name 192.168.1.12 Intra1_Internal
    name 192.168.1.2 AS400_Internal
    name 192.168.1.14 TeamSite_Int
    name 192.168.1.9 helpdesk_Int
    name *.*.138.147 TS2_External
    name *.*.138.148 TS3_External
    name *.*.138.142 Intra1_External
    name *.*.138.135 Exchnge_External
name *.*.138.140 WebDNS_External
name *.*.138.131 InetRTR_Eth0
name *.*.138.141 Main_External
name *.*.138.132 AS400_External
name *.*.138.144 TeamSite_Ext
name *.*.138.139 helpdesk_Ext
name *.*.138.143 HRSupport_Ext
    name *.*.138.146 TS1_External
    name 192.168.1.82 TS1_Internal
    name 192.168.1.81 Mail_Internal
    name 192.168.1.83 HRSupport_Int
    name 192.168.1.84 isynergy_Internal
    name *.*.138.136 isynergy_External
    access-list acl_out permit tcp any host Exchnge_External eq domain
    access-list acl_out permit udp any host Exchnge_External eq domain
    access-list acl_out permit tcp any host Exchnge_External eq https
    access-list acl_out permit tcp any host Intra1_External eq www
    access-list acl_out permit tcp any host Intra1_External eq https
    access-list acl_out permit tcp any host TS3_External eq www
    access-list acl_out permit tcp any host TS3_External eq https
    access-list acl_out permit tcp any host TS2_External eq citrix-ica
    access-list acl_out permit tcp any host TS3_External eq citrix-ica
    access-list acl_out permit tcp any host TS1_External eq citrix-ica
    access-list acl_out permit tcp any host TS1_External eq www
    access-list acl_out permit tcp any host TS1_External eq https
    access-list acl_out permit tcp any host Exchnge_External eq pop3
    access-list acl_out permit tcp any host AS400_External eq www
    access-list acl_out permit tcp any host Exchnge_External eq www
    access-list acl_out permit tcp any host TeamSite_Ext eq www
    access-list acl_out permit tcp any host TeamSite_Ext eq https
    access-list acl_out permit tcp any host helpdesk_Ext eq 9675
    access-list acl_out permit tcp any host HRSupport_Ext eq 9675
    access-list acl_out permit tcp any host HRSupport_Ext eq www
    access-list acl_out permit tcp any host HRSupport_Ext eq https
    access-list acl_out permit tcp any host *.*.138.165 eq h323
    access-list acl_out permit tcp any host *.*.138.165
    access-list acl_out permit tcp any host *.*.138.165 range 3230 3237
    access-list acl_out permit udp any host *.*.138.165 range 3230 3237
    access-list acl_out permit udp any host *.0.0.7
    access-list acl_out permit udp host *.*.138.165 any range 3230 3237
    access-list acl_out permit tcp host *.*.138.165 any range 3230 3237
    access-list acl_out permit tcp host *.*.138.165 any eq h323
    access-list acl_out permit tcp any any eq 3389
    access-list acl_out permit tcp *.*.0.0 255.255.240.0 host Exchnge_External eq smtp
    access-list acl_out permit tcp any host Exchnge_External eq smtp
    access-list acl_out permit tcp any host isynergy_External eq https
    access-list acl_out permit tcp any host isynergy_External eq www
    access-list 100 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
    access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
    access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.9.0 255.255.255.0
    access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.8.0 255.255.255.0
    access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.6.0 255.255.255.0
    access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.13.0 255.255.255.0
    access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.11.0 255.255.255.0
    access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.12.0 255.255.255.0
    access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
    access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.254.0 255.255.255.0
    access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.14.0 255.255.255.0
    access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.15.0 255.255.255.0
    access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
    access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
    access-list 101 permit ip 10.1.1.0 255.255.255.0 192.168.10.0 255.255.255.0
    access-list 102 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list 103 permit ip 192.168.1.0 255.255.255.0 192.168.9.0 255.255.255.0
    access-list 103 permit ip 10.1.1.0 255.255.255.0 192.168.9.0 255.255.255.0
    access-list 104 permit ip 192.168.1.0 255.255.255.0 192.168.8.0 255.255.255.0
    access-list 106 permit ip 192.168.1.0 255.255.255.0 192.168.6.0 255.255.255.0
    access-list 202 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list 111 permit ip 192.168.1.0 255.255.255.0 192.168.11.0 255.255.255.0
    access-list 112 permit ip 192.168.1.0 255.255.255.0 192.168.12.0 255.255.255.0
    access-list 203 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
    access-list acl_inside permit icmp any any echo
    access-list acl_inside permit icmp any any echo-reply
    access-list 204 permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
    access-list 99 permit 192.168.1.0 255.255.255.0
    access-list 99 permit 192.168.2.0 255.255.255.0
    access-list 99 permit 192.168.9.0 255.255.255.0
    access-list 99 permit 192.168.8.0 255.255.255.0
    access-list 99 permit 192.168.100.0 255.255.255.0
    no pager
    mtu outside 1500
    mtu inside 1500
    mtu failover 1500
    ip address outside *.*.138.150 255.255.255.0
    ip address inside 192.168.1.3 255.255.255.0
    ip address failover 172.16.0.3 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool pptp-pool 192.168.254.50-192.168.254.100
    ip local pool vpnpool 192.168.254.101-192.168.254.200
    failover
    failover timeout 0:00:00
    failover poll 15
    failover ip address outside *.*.138.134
    failover ip address inside 192.168.1.4
    failover ip address failover 172.16.0.4
    failover link inside
    pdm history enable
    arp timeout 14400
    global (outside) 1 *.*.138.190
    nat (inside) 0 access-list 100
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    alias (inside) Intra1_Internal Intra1_External 255.255.255.255
    alias (inside) TS2_Internal TS2_External 255.255.255.255
    alias (inside) TS3_Internal TS3_External 255.255.255.255
    alias (inside) TeamSite_Int TeamSite_Ext 255.255.255.255
    alias (inside) TS1_Internal TS1_External 255.255.255.255
    alias (inside) Mail_Internal Exchnge_External 255.255.255.255
    alias (inside) isynergy_Internal isynergy_External 255.255.255.255
    static (inside,outside) Intra1_External Intra1_Internal netmask 255.255.255.255 0 0
    static (inside,outside) TS2_External TS2_Internal netmask 255.255.255.255 0 0
    static (inside,outside) TS3_External TS3_Internal netmask 255.255.255.255 0 0
    static (inside,outside) Main_External 192.168.1.11 netmask 255.255.255.255 0 0
    static (inside,outside) AS400_External AS400_Internal netmask 255.255.255.255 0 0
    static (inside,outside) TeamSite_Ext TeamSite_Int netmask 255.255.255.255 0 0
    static (inside,outside) helpdesk_Ext helpdesk_Int netmask 255.255.255.255 0 0
    static (inside,outside) TS1_External TS1_Internal netmask 255.255.255.255 0 0
    static (inside,outside) Exchnge_External Mail_Internal netmask 255.255.255.255 0 0
    static (inside,outside) HRSupport_Ext HRSupport_Int netmask 255.255.255.255 0 0
    static (inside,outside) isynergy_External isynergy_Internal netmask 255.255.255.255 0 0
    access-group acl_out in interface outside
    route outside 0.0.0.0 0.0.0.0 InetRTR_Eth0 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    aaa authentication ssh console LOCAL
    snmp-server location Nowhere,USA
    snmp-server contact Brizzad505
    snmp-server community MyCompany
    snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    sysopt connection permit-pptp
    sysopt noproxyarp inside
    service resetinbound
    crypto ipsec transform-set cm-tranformset-1 esp-des esp-md5-hmac
    crypto dynamic-map cisco 1 set transform-set cm-tranformset-1
    crypto map InternetVPN 1 ipsec-isakmp
    crypto map InternetVPN 1 match address 102
    crypto map InternetVPN 1 set peer *.*.130.58
    crypto map InternetVPN 1 set transform-set cm-tranformset-1
    crypto map InternetVPN interface outside
    isakmp enable outside
    isakmp key ******** address *.*.130.58 netmask 255.255.255.255
    isakmp identity address
    isakmp policy 1 authentication pre-share
    isakmp policy 1 encryption des
    isakmp policy 1 hash md5
    isakmp policy 1 group 1
    isakmp policy 1 lifetime 86400
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    telnet 192.168.1.0 255.255.255.0 inside
    telnet 192.168.1.0 255.255.255.0 failover
    telnet timeout 10
    ssh 0.0.0.0 0.0.0.0 outside
    ssh 0.0.0.0 0.0.0.0 inside
    ssh timeout 60
    console timeout 0
    username ******* password *********** encrypted privilege 2
    terminal width 80
    Cryptochecksum:*********************
    : end



Also, I would like to add that most of this crap we don't even use anymore. We don't have AS400, Main, Intra1, Mail (now it's Exchange), TS2 and TS3 servers.

Any help for a Cisco noob would be appreciated.
What a mess I have to clean up.
     
    brizzad505, Oct 14, 2011
    #1
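Added example (not from the post or from Cisco): a small Python model of PIX first-match ACL evaluation, run over the two `smtp` lines from the posted `acl_out`. It assumes the redacted source `*.*.0.0 255.255.240.0` is Postini's 64.18.0.0/20 and uses a placeholder for the redacted `Exchnge_External` address; it shows that the second line (`permit tcp any host Exchnge_External eq smtp`) matches every non-Postini sender, so the first line never restricts anything, and that removing it leaves only Postini able to reach port 25 because of the ACL's implicit deny.

```python
import ipaddress

# Postini's published range, given on their site as both 64.18.0.0/20 and
# "64.18.0.0 mask 255.255.240.0"; ipaddress accepts the mask-pair form directly.
def net_from_mask_pair(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

POSTINI_NET = net_from_mask_pair("64.18.0.0", "255.255.240.0")   # -> 64.18.0.0/20
ANY = ipaddress.ip_network("0.0.0.0/0")
EXCHANGE_EXT = "203.0.113.135"   # placeholder for the redacted *.*.138.135 (Exchnge_External)

# Each rule: (action, source network, destination host, tcp port), in ACL order.
POSTED_SMTP_RULES = [
    ("permit", POSTINI_NET, EXCHANGE_EXT, 25),   # permit tcp *.*.0.0 255.255.240.0 host Exchnge_External eq smtp
    ("permit", ANY, EXCHANGE_EXT, 25),           # permit tcp any host Exchnge_External eq smtp
]

# Corrected ordering: drop the "any" line; everything not from Postini falls
# through to the implicit deny at the end of the access-list.
FIXED_SMTP_RULES = [
    ("permit", POSTINI_NET, EXCHANGE_EXT, 25),
]

def first_match(rules, src_ip, dst_ip, dport):
    """Return (action, index) of the first matching rule, or ('deny', None)
    for the implicit deny that ends every PIX access-list."""
    src = ipaddress.ip_address(src_ip)
    for i, (action, net, dst, port) in enumerate(rules):
        if src in net and dst_ip == dst and dport == port:
            return action, i
    return "deny", None

def evaluate(rules, src_ip, dst_ip, dport):
    return first_match(rules, src_ip, dst_ip, dport)[0]

if __name__ == "__main__":
    # Constructed sample senders: one inside Postini's range, one outside it.
    for src in ("64.18.5.20", "198.51.100.7"):
        print(src, "posted:", first_match(POSTED_SMTP_RULES, src, EXCHANGE_EXT, 25),
              "fixed:", first_match(FIXED_SMTP_RULES, src, EXCHANGE_EXT, 25))
```

With the posted rules the outside sender is permitted by rule index 1 (the `any` line), which is exactly the path spam takes around Postini; with the fixed list it is denied.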