
ASA 5510 ACL for blocking outbound SMTP

brandonabrown
Level 1

Hey everyone... I'm trying to configure a simple ACL to block SMTP traffic from leaving my LAN -- basically prevent internal users from setting up internet email accounts in their email clients and sending through that SMTP server. I want my Exchange server only to send SMTP traffic. Here's what I have:

access-list 102 extended permit tcp host 10.10.1.29 eq smtp any eq smtp <===10.10.1.29 is Exchange

access-list 102 extended deny tcp any eq smtp any eq smtp

access-list 102 extended permit ip any any

access-group 102 in interface inside

After I apply this ACL to the ASA, I am still able to send from my internet email address set up in Outlook using my "foreign" SMTP server. What am I missing? Thanks very much.

1 Reply

Many email clients send mail through port tcp/587, which is used for SMTP with authentication. You need to block that as well.

And your ACL is wrong. It has to be this:

access-list 102 extended permit tcp host 10.10.1.29 any eq smtp
access-list 102 extended deny tcp any any eq smtp
access-list 102 extended deny tcp any any eq 587
access-list 102 extended permit ip any any


Sent from Cisco Technical Support iPad App
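Why the first ACL still let the mail out, as an added example that is not part of either post: a small Python model of first-match ACL evaluation run over both access lists from the thread. The workstation address 10.10.1.50, the destination 203.0.113.25 and the source port 51234 are constructed sample values, and the parser handles only the syntax used in the thread.

```python
# Added illustration: first-match evaluation of the two ACLs from this thread.
# Handles only the syntax seen here: any / host A.B.C.D / eq PORT.
PORTS = {"smtp": 25}

def parse_ace(line):
    """Turn one 'access-list 102 extended ...' line into a rule dict."""
    action, proto, *rest = line.split()[3:]

    def take_endpoint(words):
        addr = words.pop(0)
        if addr == "host":
            addr = words.pop(0)
        port = None
        if words and words[0] == "eq":
            words.pop(0)
            name = words.pop(0)
            port = PORTS[name] if name in PORTS else int(name)
        return addr, port

    src, sport = take_endpoint(rest)
    dst, dport = take_endpoint(rest)
    return dict(action=action, proto=proto, src=src, sport=sport, dst=dst, dport=dport)

def evaluate(acl_text, flow):
    """Return (action, matching line); the first matching entry wins."""
    for line in acl_text.strip().splitlines():
        r = parse_ace(line)
        if (r["proto"] in ("ip", flow["proto"])
                and r["src"] in ("any", flow["src"])
                and r["dst"] in ("any", flow["dst"])
                and r["sport"] in (None, flow["sport"])
                and r["dport"] in (None, flow["dport"])):
            return r["action"], line
    return "deny", "implicit deny"

ORIGINAL = """access-list 102 extended permit tcp host 10.10.1.29 eq smtp any eq smtp
access-list 102 extended deny tcp any eq smtp any eq smtp
access-list 102 extended permit ip any any"""
CORRECTED = """access-list 102 extended permit tcp host 10.10.1.29 any eq smtp
access-list 102 extended deny tcp any any eq smtp
access-list 102 extended deny tcp any any eq 587
access-list 102 extended permit ip any any"""

def flow(src, dport, sport=51234, dst="203.0.113.25"):
    """Constructed sample flow: a client connects from an ephemeral source port."""
    return dict(proto="tcp", src=src, sport=sport, dst=dst, dport=dport)

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL), ("corrected", CORRECTED)):
        for f in (flow("10.10.1.50", 25), flow("10.10.1.50", 587), flow("10.10.1.29", 25)):
            print(name, f["src"], "->", f["dport"], evaluate(acl, f))
```

In the original list the `eq smtp` after the source address matches the source port, so a client connecting from an ephemeral port never hits the deny entry and falls through to `permit ip any any`.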
