Thank you all for your time and assistance.
I am looking for a simple solution whereby our Cisco PIX 501 can be configured correctly to prevent access to the servers behind it by filtering any IP addresses that do not originate from the USA.
Our email server is being viciously attacked on port 25, mostly by IP addresses originating from the APNIC, LACNIC and RIPE networks, thus causing much unneeded processing power on our servers and upsetting many of our customers due to increased lag time, etc. In addition, most of the spam that originates from these countries would ultimately be prevented at the front line of our network.
We are using a Cisco PIX 501 firewall running the latest firmware and PDM. Using syslog and the Kiwi program, we have been able to generate a list of the malicious IP addresses and have created groups in accordance with their respective IP network range name (i.e. APNIC, LACNIC, etc.). As time goes on, we will continue to see the IP ranges that we missed and add them to the group.
Below is our current applicable "show run"; however, for some reason we continue to see certain IP addresses in the log files of our mail server that should have been blocked. What are we doing wrong? Please help.
access-list acl_outside deny ip object-group RIPE any
access-list acl_outside deny ip object-group SIDTA any
access-list acl_outside deny ip object-group APNIC any
access-list acl_outside deny ip object-group LACNIC any

object-group network RIPE
  network-object 81.0.0.0 255.0.0.0
  network-object 82.0.0.0 255.0.0.0
  network-object 83.0.0.0 255.0.0.0
  network-object 85.0.0.0 255.0.0.0
  network-object 88.0.0.0 255.0.0.0
  network-object 212.0.0.0 255.0.0.0
  network-object 213.0.0.0 255.0.0.0
  network-object 80.0.0.0 255.0.0.0
  network-object 62.0.0.0 255.0.0.0
  network-object 84.0.0.0 255.0.0.0
  network-object 91.0.0.0 255.0.0.0
  network-object 92.0.0.0 255.0.0.0
  network-object 93.0.0.0 255.0.0.0
  network-object 94.0.0.0 255.0.0.0
  network-object 95.0.0.0 255.0.0.0
  network-object 86.0.0.0 255.0.0.0
  network-object 87.0.0.0 255.0.0.0
  network-object 89.0.0.0 255.0.0.0
  network-object 90.0.0.0 255.0.0.0
  network-object 139.10.0.0 255.255.0.0
  network-object 139.12.0.0 255.255.0.0
  network-object 139.16.0.0 255.255.0.0
  network-object 139.18.0.0 255.255.0.0
  network-object 139.24.0.0 255.255.0.0
  network-object 139.28.0.0 255.255.0.0
  network-object 139.30.0.0 255.255.0.0
  network-object 147.83.0.0 255.255.0.0
  network-object 147.84.0.0 255.255.0.0
  network-object 147.91.0.0 255.255.0.0
  network-object 193.0.0.0 255.0.0.0
  network-object 194.0.0.0 255.0.0.0
  network-object 195.0.0.0 255.0.0.0
  network-object 217.0.0.0 255.0.0.0
  network-object 58.0.0.0 255.0.0.0
  network-object 59.0.0.0 255.0.0.0
  network-object 60.0.0.0 255.0.0.0
  network-object 61.0.0.0 255.0.0.0
  network-object 202.0.0.0 255.0.0.0
  network-object 203.0.0.0 255.0.0.0
  network-object 210.0.0.0 255.0.0.0
  network-object 211.0.0.0 255.0.0.0
  network-object 218.0.0.0 255.0.0.0
  network-object 219.0.0.0 255.0.0.0
  network-object 220.0.0.0 255.0.0.0
  network-object 221.0.0.0 255.0.0.0
  network-object 222.0.0.0 255.0.0.0
  network-object 165.228.0.0 255.255.0.0
  network-object 165.229.0.0 255.255.0.0
  network-object 168.140.0.0 255.255.0.0
object-group network SIDTA
  description FR
  network-object 57.0.0.0 255.0.0.0
object-group network APNIC
  network-object 116.0.0.0 255.0.0.0
  network-object 117.0.0.0 255.0.0.0
  network-object 118.0.0.0 255.0.0.0
  network-object 119.0.0.0 255.0.0.0
  network-object 58.0.0.0 255.0.0.0
  network-object 59.0.0.0 255.0.0.0
  network-object 60.0.0.0 255.0.0.0
  network-object 61.0.0.0 255.0.0.0
  network-object 114.0.0.0 255.0.0.0
  network-object 115.0.0.0 255.0.0.0
  network-object 126.0.0.0 255.0.0.0
  network-object 125.0.0.0 255.0.0.0
  network-object 124.0.0.0 255.0.0.0
  network-object 123.0.0.0 255.0.0.0
  network-object 122.0.0.0 255.0.0.0
  network-object 121.0.0.0 255.0.0.0
  network-object 120.0.0.0 255.0.0.0
  network-object 222.0.0.0 255.0.0.0
  network-object 221.0.0.0 255.0.0.0
  network-object 220.0.0.0 255.0.0.0
  network-object 219.0.0.0 255.0.0.0
  network-object 218.0.0.0 255.0.0.0
  network-object 211.0.0.0 255.0.0.0
  network-object 210.0.0.0 255.0.0.0
  network-object 203.0.0.0 255.0.0.0
  network-object 202.0.0.0 255.0.0.0
  network-object 169.208.0.0 255.255.0.0
object-group network LACNIC
  network-object 200.0.0.0 255.0.0.0
  network-object 201.0.0.0 255.0.0.0
  network-object 190.0.0.0 255.255.255.0
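
Added example, not part of the original post: a small offline check that parses object-group and access-list lines like the ones above and reports which denied group, if any, covers a source address seen in the mail server log. The function names (`parse_groups`, `denied_groups`, `matching_groups`) are hypothetical, the config excerpt is abbreviated from the post, and the test addresses are constructed.

```python
import ipaddress

# Abbreviated excerpt of the post's config; paste the full "show run" in practice.
SHOW_RUN = """\
object-group network SIDTA
  description FR
  network-object 57.0.0.0 255.0.0.0
object-group network LACNIC
  network-object 200.0.0.0 255.0.0.0
  network-object 201.0.0.0 255.0.0.0
  network-object 190.0.0.0 255.255.255.0
access-list acl_outside deny ip object-group SIDTA any
access-list acl_outside deny ip object-group LACNIC any
"""

def parse_groups(config):
    """Return {group_name: [IPv4Network, ...]} from object-group stanzas."""
    groups, current = {}, None
    for line in config.splitlines():
        tok = line.split()
        if tok[:2] == ["object-group", "network"] and len(tok) >= 3:
            current = groups.setdefault(tok[2], [])
        elif tok[:1] == ["network-object"] and current is not None and len(tok) == 3:
            # "network-object host A.B.C.D" is a /32; otherwise "address mask".
            net = f"{tok[2]}/32" if tok[1] == "host" else f"{tok[1]}/{tok[2]}"
            current.append(ipaddress.ip_network(net))
        elif tok and tok[0] != "description":
            current = None  # any other command ends the stanza
    return groups

def denied_groups(config):
    """Names of object-groups used as the source of a deny access-list entry."""
    names = []
    for line in config.splitlines():
        tok = line.split()
        if tok[:1] == ["access-list"] and "deny" in tok and "object-group" in tok:
            names.append(tok[tok.index("object-group") + 1])
    return names

def matching_groups(config, addr):
    """Denied groups whose network-objects contain addr (empty list = not covered)."""
    ip = ipaddress.ip_address(addr)
    groups = parse_groups(config)
    return [g for g in denied_groups(config) if any(ip in n for n in groups.get(g, []))]

if __name__ == "__main__":
    for addr in ["200.10.20.30", "190.0.0.7", "190.5.5.5"]:  # constructed samples
        print(addr, "->", matching_groups(SHOW_RUN, addr) or "no deny group matches")
```

The check covers address and mask coverage only; it does not confirm that the access-list is bound to an interface or that no earlier entry permits the traffic.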