Hi,
I am trying to block outbound SMTP traffic to all IPs other than yy.yy.3.98
The config below allows all SMTP traffic, but as soon as I add the following line and reboot:
I can't telnet to yy.yy.3.98 on port 25 or send email (obviously). So it looks like it manages to block the SMTP traffic but not to exempt the specified IP.
Can anyone spot the obvious mistake?
: Saved : Written by enable_15 at 00:01:45.483 UTC Fri Jan 1 1993 PIX Version 6.3(1) interface ethernet0 auto interface ethernet1 100full nameif ethernet0 outside security0 nameif ethernet1 inside security100 enable password 8Ry2YjIyt7RRXU24 encrypted passwd 2KFQnbNIdI.2KYOU encrypted hostname pixfirewall domain-name mydomain.com fixup protocol ftp 21 fixup protocol h323 h225 1720 fixup protocol h323 ras 1718-1719 fixup protocol http 80 fixup protocol ils 389 fixup protocol rsh 514 fixup protocol rtsp 554 fixup protocol sip 5060 fixup protocol sip udp 5060 fixup protocol skinny 2000 fixup protocol smtp 25 fixup protocol sqlnet 1521 names name xx.xx.xx.200 public-lan access-list acl_out permit tcp host yy.yy.3.98 any eq smtp access-list acl_out permit ip any any access-list outside_access_in permit icmp any any echo-reply access-list outside_access_in permit icmp any any unreachable access-list outside_access_in permit icmp any any time-exceeded access-list outside_access_in permit tcp any host xx.xx.xx.201 eq www access-list outside_access_in permit tcp any host xx.xx.xx.201 eq domain access-list outside_access_in permit udp any host xx.xx.xx.201 eq domain access-list outside_access_in permit ip any host xx.xx.xx.204 access-list outside_access_in permit ip any host xx.xx.xx.203 pager lines 24 mtu outside 1500 mtu inside 1500 ip address outside xx.xx.xx.202 255.255.255.248 ip address inside 192.168.0.1 255.255.255.0 ip audit info action alarm ip audit attack action alarm pdm location 192.168.0.5 255.255.255.255 inside pdm location 192.168.0.50 255.255.255.255 inside pdm logging informational 100 pdm history enable arp timeout 14400 global (outside) 1 interface nat (inside) 1 192.168.0.0 255.255.255.0 0 0 nat (inside) 1 0.0.0.0 0.0.0.0 0 0 static (inside,outside) xx.xx.xx.204 192.168.0.29 netmask 255.255.255.255 0 0 static (inside,outside) xx.xx.xx.203 192.168.0.26 netmask 255.255.255.255 0 0 access-group outside_access_in in interface outside access-group acl_out in interface inside route-map outside_access_in permit 10 route outside 0.0.0.0 0.0.0.0 xx.xx.xx.206 1 timeout xlate 0:05:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00 timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00 timeout uauth 0:05:00 absolute aaa-server TACACS+ protocol tacacs+ aaa-server RADIUS protocol radius aaa-server LOCAL protocol local http server enable http public-lan 255.255.255.248 inside no snmp-server location no snmp-server contact snmp-server community public no snmp-server enable traps floodguard enable telnet timeout 5 ssh timeout 5 console timeout 0 dhcpd address 192.168.0.50-192.168.0.100 inside dhcpd dns yy.yy.3.100 dhcpd lease 3600 dhcpd ping_timeout 750 dhcpd domain mydomain.com dhcpd auto_config outside dhcpd enable inside terminal width 80 Cryptochecksum:0987d9a2043d670cce0ef16ccf1a5aa6 : end