How to Block all outbound SMTP except Exchange Server

Hi there, I have a Cisco PIX 515e version 7.2, and I have an Exchange email server inside the firewall, which are all working well. Right now, I'm trying to block all outgoing SMTP traffic (over port 25), except from my company's Exchange server. Any idea about how to do this is appreciated. Ross

Reply to
Ross

access-list SMTP-CONTROL permit tcp host 10.1.1.1 any eq smtp
! Where 10.1.1.1 is the IP address of Exchange
access-list SMTP-CONTROL deny tcp any any eq smtp
access-list SMTP-CONTROL permit ip any any
! implicit deny any any
!
access-group SMTP-CONTROL in interface inside
!

Since the access-list gets executed in order, line one runs first and won't make it to line two unless it is a TCP connection on port 25 with a different IP address. Remember, if anyone tries to send any mail except the Exchange server, it will be blocked.

Reply to
gcave

Sorry to thread jack .. But on an ASA if I was trying to do something similar would I have to assign this access-list to an interface? Or is this only for IOS routers where you have to assign the ACL to an interface?

Thanks and sorry again ..

GNY

Reply to
GNY

The example above is for a Pix version 7.x, which is essentially the same as an ASA. So yes, you have to apply the access-list to an interface.

Chris.

Reply to
Chris

Thanks to everyone! It works well with blocking SMTP. But it stopped the blocking of BitTorrent. I had a setup for blocking BitTorrent, but once I enabled the SMTP blocking, the BitTorrent traffic became available again. Why?

BTW, here was my setup for blocking BT:

access-list block_BT deny tcp any any range 6881 6999
access-list block_BT permit ip any any
access-group block_BT in interface inside

Any idea would be appreciated again.

Reply to
Ross

You can only have one access-list bound to an interface (on an IOS router you can have two, one in each direction), so you need to combine your entries to look something like this:

access-list Outbound permit tcp host 10.1.1.1 any eq smtp
! Where 10.1.1.1 is the IP address of Exchange
access-list Outbound deny tcp any any eq smtp
access-list Outbound deny tcp any any range 6881 6999
access-list Outbound permit ip any any

access-group Outbound in interface inside

James

Reply to
James

Thank you James! It works.

One more question - if I need to combine one more entry in the future (e.g. blocking eDonkey), could I simply run one command "access-list Outbound deny tcp any any eq 4662" without running all the command list you provided from beginning? Thanks again, Ross

Reply to
Ross

I don't know what you mean by "running all the command list" but the general rule of thumb is the first match wins.

Reply to
Rod Dorman

Thanks Rod, and sorry for the confusion. My question was how to INSERT a new rule. For example, if I have a new email server (10.1.1.2) in the future and want to allow its outgoing emails, I probably cannot just run "access-list Outbound permit tcp host 10.1.1.2 any eq smtp" because the first match wins, as you said. Instead, I have to run "no access-group" and "no access-list" one by one, and re-add those rules one by one again. Thanks again, Ross

Reply to
Ross

In PIX 6.3 and later, use 'access-list' with the 'line' parameter. If the line already exists, the new line gets inserted -before- the existing line.


Reply to
Walter Roberson
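A small first-match simulator for the Outbound entries James posted and the line-number insertion Walter describes, added here as an example (it is not code from the thread or from Cisco). It parses only the access-list forms used in this thread, and it assumes, as Walter states, that the PIX 'line N' parameter puts the new entry before existing line N.

```python
# Added example: first-match evaluation of the PIX-style ACL lines from this
# thread, to check ordering before touching the firewall. Parser grammar is
# deliberately limited to what the thread uses:
#   access-list NAME <permit|deny> <tcp|ip> <host A.B.C.D|any> any [eq N|range LO HI]
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Ace:
    action: str                    # "permit" or "deny"
    proto: str                     # "tcp" or "ip"
    src: str                       # "any" or a single host IP
    ports: Optional[Tuple[int, int]]  # destination port range; None = any port


def parse_ace(text: str) -> Ace:
    """Parse one 'access-list NAME <rule>' line (thread syntax only)."""
    t = text.split()
    assert t[0] == "access-list", text
    action, proto, i = t[2], t[3], 4          # skip keyword and list name
    if t[i] == "host":
        src, i = t[i + 1], i + 2
    else:
        src, i = "any", i + 1
    i += 1                                    # destination is 'any' throughout
    ports = None
    if i < len(t) and t[i] == "eq":
        p = 25 if t[i + 1] == "smtp" else int(t[i + 1])
        ports = (p, p)
    elif i < len(t) and t[i] == "range":
        ports = (int(t[i + 1]), int(t[i + 2]))
    return Ace(action, proto, src, ports)


def evaluate(acl: List[Ace], src_ip: str, proto: str, dport: int) -> str:
    """First match wins; falling off the end hits the implicit deny."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if ace.src != "any" and ace.src != src_ip:
            continue
        if ace.ports and not (ace.ports[0] <= dport <= ace.ports[1]):
            continue
        return ace.action
    return "deny"


def insert_line(acl: List[Ace], line: int, ace: Ace) -> None:
    """Model 'access-list NAME line N ...': new entry lands before line N."""
    acl.insert(line - 1, ace)


OUTBOUND = [parse_ace(l) for l in [          # James's combined list, verbatim
    "access-list Outbound permit tcp host 10.1.1.1 any eq smtp",
    "access-list Outbound deny tcp any any eq smtp",
    "access-list Outbound deny tcp any any range 6881 6999",
    "access-list Outbound permit ip any any",
]]


def new_mail_server_allowed(append: bool) -> str:
    """Ross's 10.1.1.2 case: appended after the deny it never matches."""
    acl = list(OUTBOUND)
    ace = parse_ace("access-list Outbound permit tcp host 10.1.1.2 any eq smtp")
    acl.append(ace) if append else insert_line(acl, 2, ace)
    return evaluate(acl, "10.1.1.2", "tcp", 25)
```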

Wonderful! Thanks a lot, Walter! Ross


Reply to
Ross
