pix 506e - easy question

jjacobson — Mon, 11 Mar 2019 09:15:41 GMT

I'm implementing a Postini (anti-spam) solution for a small company. Currently my pix allows smtp traffic from anywhere on the outside. How do I configure it to only accept smtp traffic from an IP range of 64.18.0.0 to 64.18.15.255/20 (this is Postini's network range)? How do I implement this, thank you in advance.

Re: pix 506e - easy question

bthibode — Fri, 05 Jan 2007 02:33:44 GMT

Ok, I am assuming that you are using access-lists not conduits and you have more than one public IP address from your ISP (not port forwarding on a single public ip).

Lets say your public IP address you're using for your mail server is 65.12.32.2 and the inside (real) IP address for your mail server is 192.168.1.2. In the senerio I just described, you have something like this in your config:

static (inside,outside) 65.12.32.2 192.168.1.2 netmask 255.255.255.255

access-list outside_in permit tcp any host 65.12.32.2 eq 25

access-group outside_in in interface outside

In this case we are allowing smtp (tcp 25) from anywhere on the internet to 65.12.32.2 (our mail server's public IP address). You stated that you only want to allow mail traffic from 64.18.0.0/20. All you would have to do in this case add the following access-list:

access-list outside_in permit tcp 64.18.0.0 255.255.240.0 host 65.12.32.2 eq 25

Then remove the old access-list and you're done! Your new config will have the followig entries:

static (inside,outside) 65.12.32.2 192.168.1.2 netmask 255.255.255.255

access-list outside_in permit tcp 64.18.0.0 255.255.240.0 host 65.12.32.2 eq 25

access-group outside_in in interface outside

Please let me know if this helps

Bryan

topic pix 506e - easy question in Network Security

pix 506e - easy question

Re: pix 506e - easy question