Access List to Block Outgoing SMTP on PIX

Right now, we have no outbound restrictions. I would like to modify my access list on my PIX to deny outbound SMTP except for my mail servers. Hopefully this will prevent mass mailing worms from mass mailing.

Below is our current config. I'm guessing I need to add a second access list and apply it to the inside interface. But as this is in a production environment, I thought I'd ask for some tips before I start doing in vivo testing. Thank you.

access-list 101 permit icmp any host 17.43.118.3
access-list 101 permit tcp any host 17.43.118.5 eq smtp
access-list 101 permit tcp any host 17.43.118.4 eq www
access-list 101 permit tcp any host 17.43.118.4 eq 443
access-list 101 permit tcp any host 17.43.118.243 eq ftp-data
access-list 101 permit tcp any host 17.43.118.243 eq ftp

access-group 101 in interface outside

Reply to
David Moneta

In article , David Moneta wrote:
:Right now, we have no outbound restrictions. I would like to modify my
:access list on my PIX to deny outbound SMTP except for my mail servers.
:Hopefully this will prevent mass mailing worms from mass mailing.

:Below is our current config. I'm guessing I need to add a second access
:list and apply it to the inside interface. But as this is in a production
:environment, I thought I'd ask for some tips before I start doing in vivo
:testing. Thank you.

:access-list 101 permit tcp any host 17.43.118.5 eq smtp

:access-group 101 in interface outside

You are correct about what you need to do. Just remember that if you have NAT going on, that the ACL will need to refer to the internal IP addresses.

For example, if you have

static (inside,outside) 17.43.118.5 192.168.123.5 netmask 255.255.255.255

then

access-list in2out permit tcp host 192.168.123.5 any eq smtp
access-list in2out deny tcp any any eq smtp
access-list in2out permit ip any any

access-group in2out in interface inside

Reply to
Walter Roberson

You can try this:

** Allow your mailserver to send mail
access-list 102 permit tcp host [MailServer] any eq smtp

** Deny all other devices to send mail
access-list 102 deny tcp any any eq smtp

** Allow anything else
access-list 102 permit ip any any
access-list 102 permit icmp any any

** Apply the access-list on your inside interface
access-group 102 in interface inside

Reply to
mcaissie

icmp is a subset of ip, so the icmp line is redundant.

You haven't made clear which IP address to substitute for [MailServer] . I was specific on this issue in my answer to this question a short time ago.

Reply to
Walter Roberson
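Before binding a new list to the inside interface of a production PIX, it helps to check the ordering and addressing on paper. The following is an added example written for this thread (not code from any poster or from Cisco): a small Python evaluator that parses PIX-style access-list lines and applies first-match semantics with the implicit deny at the end. It runs Walter Roberson's in2out list twice, once written with the mail server's inside address (192.168.123.5, as the static NAT requires) and once with the global address 17.43.118.5, and also shows that an ICMP flow is already covered by "permit ip any any", so a separate icmp line adds nothing. The workstation address 192.168.123.50 and the remote MTA address 203.0.113.25 are constructed for the example.

```python
"""Evaluate PIX-style access lists against sample flows.

First matching entry wins; a flow matching nothing hits the implicit deny.
Added example for this thread, not the original poster's configuration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

PORT_NAMES = {"smtp": 25, "www": 80, "ftp": 21, "ftp-data": 20}


@dataclass(frozen=True)
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "ip", "tcp", "udp" or "icmp"
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int]   # destination port; None means any port


def _parse_addr(tokens, i):
    """Consume 'any', 'host X' or 'X NETMASK' starting at tokens[i]."""
    if tokens[i] == "any":
        return IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return IPv4Network(f"{tokens[i + 1]}/32"), i + 2
    # PIX lists use a real netmask, not a wildcard mask
    return IPv4Network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line):
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT]'."""
    t = line.split()
    if len(t) < 5 or t[0] != "access-list":
        raise ValueError(f"not an access-list entry: {line!r}")
    name, action, proto = t[1], t[2], t[3]
    src, i = _parse_addr(t, 4)
    dst, i = _parse_addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        port = t[i + 1]
        dport = PORT_NAMES[port] if port in PORT_NAMES else int(port)
    return name, Ace(action, proto, src, dst, dport)


def parse_acl(config):
    """Group entries by list name, preserving order (order is what matters)."""
    acls = {}
    for line in config.strip().splitlines():
        line = line.strip()
        if line:
            name, ace = parse_ace(line)
            acls.setdefault(name, []).append(ace)
    return acls


def evaluate(acl, proto, src, dst, dport=None):
    """Return 'permit' or 'deny' for one flow, first match wins."""
    src, dst = IPv4Address(src), IPv4Address(dst)
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if src not in ace.src or dst not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"   # implicit deny at the end of every list


# Constructed sample lists: the inside-interface list using the mail server's
# inside address (correct behind static NAT) and the same list written with
# the global address (wrong: the inside interface sees untranslated sources).
INSIDE_ACL = """
access-list in2out permit tcp host 192.168.123.5 any eq smtp
access-list in2out deny tcp any any eq smtp
access-list in2out permit ip any any
"""
WRONG_ACL = """
access-list in2out permit tcp host 17.43.118.5 any eq smtp
access-list in2out deny tcp any any eq smtp
access-list in2out permit ip any any
"""

MAIL_SERVER = "192.168.123.5"    # inside address mapped by the static to 17.43.118.5
WORKSTATION = "192.168.123.50"   # hypothetical desktop that a worm might infect
REMOTE_MX = "203.0.113.25"       # constructed stand-in for a remote mail exchanger


def check_policy(config):
    """Verdicts for the flows the thread cares about, as a dict."""
    acl = parse_acl(config)["in2out"]
    return {
        "mailserver_smtp": evaluate(acl, "tcp", MAIL_SERVER, REMOTE_MX, 25),
        "workstation_smtp": evaluate(acl, "tcp", WORKSTATION, REMOTE_MX, 25),
        "workstation_http": evaluate(acl, "tcp", WORKSTATION, REMOTE_MX, 80),
        "workstation_ping": evaluate(acl, "icmp", WORKSTATION, REMOTE_MX),
    }


if __name__ == "__main__":
    for label, cfg in (("inside address", INSIDE_ACL), ("global address", WRONG_ACL)):
        print(label, check_policy(cfg))
```

With the inside address the mail server is permitted on port 25, every other host is denied on port 25 and allowed everything else, and the ICMP flow is permitted by the final ip entry alone. With the global address the mail server's own outbound SMTP falls through to the deny line, which is exactly the outage the NAT remark above warns about.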

My post was not a reply to yours, which I hadn't read yet when sending mine.

I am sure the original poster will appreciate your more precise answer.

mcaissie

Reply to
mcaissie
