PIX 501-Closing SMTP to all inside addresses except Server

Hi everyone,

One of my clients has been added to a DNS Blacklist and one of the recommended fixes by the blacklist is to turn off all ability for any machine inside the firewall to route Port 25 traffic through the PIX501 except the legitimate mail server on the network. I am not a pro at creating these config statements, only having to touch the PIX501 about once a year for modest changes that can usually be duplicated from other statements already created.

Could someone please provide me sample statements that would allow a designated mail server to pass SMTP traffic to the outside world while denying any other machine the ability to do so? I would appreciate it very much!

Thank you in advance for your assistance.

Mac Hammer Chandler, AZ


Email server = 192.168.0.1

Add the lines below to your existing access-list (you can see the name from the line "access-group [NAME] in interface inside"). Note that the order of the access-list lines makes a difference. You may want to put the access-list lines below at the top of your list, because there can be other lines which also permit SMTP traffic.

access-list [NAME] permit tcp host 192.168.0.1 any eq 25
access-list [NAME] deny tcp any any eq 25

Jyri Korhonen

Thank you!

I am almost there. I have been talking with one of my colleagues and we added these lines:

access-list inside permit tcp 192.168.1.2 any host 25
access list inside deny tcp any host any host 25

This does NOT block 25 traffic for the site. So we added:

access-group inside in interface inside

That successfully blocked port 25 traffic! It also blocked pretty much any other traffic, so I undid that one!!! :)

But I still haven't quite gotten there if you can provide additional ideas...

Thank you all.

Mac Hammer

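The following is an added, complete example of what Jyri's two lines look like once applied on the inside interface, together with the line that avoids the "blocked pretty much any other traffic" result Mac reported. It is not configuration from the thread or from Cisco documentation; it assumes PIX OS 6.x, an inside interface named "inside", a mail server at 192.168.0.1 and an access-list name of "inside_in" (substitute the name your own "access-group ... in interface inside" line shows, if one already exists).

```cisco
! Added example (not from the thread). Assumed: PIX OS 6.x, interface
! "inside", mail server 192.168.0.1, access-list name "inside_in".
!
! 1. Permit SMTP only from the mail server. This must come BEFORE the deny,
!    because the PIX stops at the first matching line.
access-list inside_in permit tcp host 192.168.0.1 any eq smtp
!
! 2. Deny SMTP from every other inside host. The "log" keyword (PIX 6.3 and
!    later; omit it on older code) records the source address of each denied
!    attempt, which is how you find the machine that got the site blacklisted.
access-list inside_in deny tcp any any eq smtp log
!
! 3. Allow everything else from the inside. Every access-list ends in an
!    implicit deny, so a list containing only the two lines above blocks all
!    other outbound traffic once it is bound to the interface.
access-list inside_in permit ip any any
!
! 4. Bind the list to traffic entering the PIX from the inside interface.
access-group inside_in in interface inside
!
! Verify: the hit count on the deny line should increase when any host other
! than 192.168.0.1 tries to reach port 25; the permit line should count the
! mail server's connections.
show access-list
!
! Save once it behaves as expected.
write memory
```

Two caveats. First, "access-list" commands append to an existing list of the same name, so if your list already contains a broad permit (for example "permit ip any any") the new SMTP lines will sit below it and never match; either re-enter the list in the right order, or on PIX 6.3 and later insert them at the top with "access-list inside_in line 1 ..." style commands. Second, if no access-group was bound to the inside interface before, outbound traffic was being allowed by the interface security levels; the trailing "permit ip any any" preserves that behaviour for everything except port 25.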

Sorry, amend my last to include the "eq 25" on the end of each line.

Mac Hammer

