Access List to Block Outgoing SMTP on PIX

Discussion in 'Cisco' started by David Moneta, Dec 1, 2005.

  1. David Moneta

    David Moneta Guest

    Right now, we have no outbound restrictions. I would like to modify my
    access list on my PIX to deny outbound SMTP except for my mail servers.
    Hopefully this will prevent mass mailing worms from mass mailing.

    Below is our current config. I'm guessing I need to add a second access
    list and apply it to the inside interface. But as this is in a production
    environment, I thought I'd ask for some tips before I start doing in vivo
    testing. Thank you.


    access-list 101 permit icmp any host 17.43.118.3
    access-list 101 permit tcp any host 17.43.118.5 eq smtp
    access-list 101 permit tcp any host 17.43.118.4 eq www
    access-list 101 permit tcp any host 17.43.118.4 eq 443
    access-list 101 permit tcp any host 17.43.118.243 eq ftp-data
    access-list 101 permit tcp any host 17.43.118.243 eq ftp

    access-group 101 in interface outside
     
    David Moneta, Dec 1, 2005
    #1

  2. :Right now, we have no outbound restrictions. I would like to modify my
    :access list on my PIX to deny outbound SMTP except for my mail servers.
    :Hopefully this will prevent mass mailing worms from mass mailing.

    :Below is our current config. I'm guessing I need to add a second access
    :list and apply it to the inside interface. But as this is in a production
    :environment, I thought I'd ask for some tips before I start doing in vivo
    :testing. Thank you.


    :access-list 101 permit tcp any host 17.43.118.5 eq smtp

    :access-group 101 in interface outside

    You are correct about what you need to do. Just remember that if
    you have NAT going on, that the ACL will need to refer to the internal
    IP addresses.

    For example if you have,
    static (inside,outside) 17.43.118.5 192.168.123.5 netmask 255.255.255.255

    then

    access-list in2out permit tcp host 192.168.123.5 any eq smtp
    access-list in2out deny tcp any any eq smtp
    access-list in2out permit ip any any

    access-group in2out in interface inside
     
    Walter Roberson, Dec 1, 2005
    #2

  3. mcaissie

    mcaissie Guest

    You can try this ;

    ** Allow your mailserver to send mail
    access-list 102 permit tcp host [MailServer] any eq smtp

    **Deny all other device to send mail
    access-list 102 deny tcp any any eq smtp

    ** Allow anything else
    access-list 102 permit ip any any
    access-list 102 permit icmp any any

    **Apply the access-list on your inside interface
    access-group 102 in interface inside
     
    mcaissie, Dec 1, 2005
    #3
  4. icmp is a subset of ip, so the icmp line is redundant.
    You haven't made clear which IP address to substitute for [MailServer] .
    I was specific on this issue in my answer to this question a short time
    ago.
     
    Walter Roberson, Dec 1, 2005
    #4
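    As an added illustration (not code from the thread), a small Python model of how the PIX walks the in2out list from Walter's reply in #2, top-down with first match winning and an implicit deny at the end; it also shows the NAT point repeated in #4: the inside interface sees the mail server's real address 192.168.123.5, so a copy of the list written with the global address 17.43.118.5 blocks the mail server's own SMTP. The relay address 203.0.113.25 and the workstation address 192.168.123.77 are constructed sample values.

```python
import ipaddress

# Constructed model of PIX access-list evaluation: top-down, first match wins,
# implicit deny at the end. Parses only the ACE forms used in this thread.
def parse_ace(line):
    """'access-list NAME permit|deny PROTO any|host A any|host B [eq PORT]' -> dict"""
    tok = line.split()[2:]                       # drop 'access-list NAME'
    action, proto, rest, nets = tok[0], tok[1], tok[2:], []
    for _ in range(2):                           # source, then destination
        n = 1 if rest[0] == "any" else 2         # 'any' or 'host X'
        nets.append(ipaddress.ip_network("0.0.0.0/0" if n == 1 else rest[1] + "/32"))
        rest = rest[n:]
    dport = None
    if rest[:1] == ["eq"]:
        dport = {"smtp": 25, "www": 80}.get(rest[1]) or int(rest[1])
    return {"action": action, "proto": proto, "src": nets[0], "dst": nets[1], "dport": dport}

def evaluate(acl, proto, src, dst, dport=None):
    """Verdict for a packet as seen on the interface the list is applied to."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if (ace["proto"] in ("ip", proto) and src in ace["src"] and dst in ace["dst"]
                and (ace["dport"] is None or ace["dport"] == dport)):
            return ace["action"]
    return "deny"                                # implicit deny

def load_acl(text):
    return [parse_ace(l) for l in text.strip().splitlines()]

# The inside list from reply #2, keyed on the mail server's real (pre-NAT) address ...
IN2OUT_TEXT = """
access-list in2out permit tcp host 192.168.123.5 any eq smtp
access-list in2out deny tcp any any eq smtp
access-list in2out permit ip any any
"""
IN2OUT = load_acl(IN2OUT_TEXT)
# ... and the same list mistakenly written with the static's global address.
IN2OUT_WRONG = load_acl(IN2OUT_TEXT.replace("192.168.123.5", "17.43.118.5"))

def verdicts(acl, relay="203.0.113.25"):       # relay: constructed external MX
    """What the list does to the mail server (192.168.123.5) and a workstation."""
    return {
        "mail_server_smtp": evaluate(acl, "tcp", "192.168.123.5", relay, 25),
        "workstation_smtp": evaluate(acl, "tcp", "192.168.123.77", relay, 25),
        "workstation_web": evaluate(acl, "tcp", "192.168.123.77", relay, 80),
        "workstation_ping": evaluate(acl, "icmp", "192.168.123.77", relay),
    }
```

    Note that `verdicts(IN2OUT_WRONG)` reports the mail server's SMTP as denied, which is the outage the NAT remark in #2 and #4 is warning about.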
  5. mcaissie

    mcaissie Guest

    My post was not a reply to yours, which I haven't read yet when sending
    mine.

    I am sure the original poster will appreciate your more precise answer.

    mcaissie
     
    mcaissie, Dec 1, 2005
    #5