asa5505 to configure smtp for some applications & exchange server only

yiuyuenyan
Level 1

Dear All, I recently modified the ASA5505 config file. Here is the original config file; it is working fine, but as you know the spammers are serious recently, and I want to block SMTP out so that only the host 192.168.0.200 (an Exchange server) can send email outside, and all workstations in 192.168.0.x/24

will be denied sending or telnetting outside to port 25. Then I made changes in the config; the changes are below the config file ****

And then I found one problem: some workstations besides 192.168.0.200 need SMTP; the IP address is 210.177.52.51 255.255.255.x, ports 25 & 110.

Any suggestion for the modification in this case?

The aim:

deny 192.168.0.x SMTP, except 192.168.0.200 (Exchange server)

allow 192.168.0.200 SMTP outside

allow 192.168.0.7 SMTP & POP3 to 210.177.52.51


**** Here is the original config; it does not block SMTP yet ****

ASA Version 8.3(1)

!
hostname ciscoasa
enable password QYbvNqsfr1Nd322l encrypted
passwd 9VFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.254 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 208.128.250.182 255.255.255.252
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa831-k8.bin
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network uvnc_7070
host 192.168.0.200
object network web_80
host 192.168.0.200
object network pop3_110
host 192.168.0.200
object network smtp_25
host 192.168.0.200
object network NETWORK_OBJ_192.168.0.0_24
subnet 192.168.0.0 255.255.255.0
object network NETWORK_OBJ_192.168.100.0_25
subnet 192.168.100.0 255.255.255.128
object network rdp_38382
host 192.168.0.200
object network trend_4343
host 192.168.0.200
access-list OUTSIDE-IN extended permit tcp any host 192.168.0.200 eq 7070
access-list OUTSIDE-IN extended permit tcp any host 192.168.0.200 eq www
access-list OUTSIDE-IN extended permit tcp any host 192.168.0.200 eq pop3
access-list OUTSIDE-IN extended permit tcp any host 192.168.0.200 eq smtp
access-list OUTSIDE-IN extended permit tcp any host 192.168.0.200 eq 38382
access-list OUTSIDE-IN extended permit tcp any host 192.168.0.200 eq 4343
access-list Split_Tunnel_List remark The corporate network behind the ASA.
access-list Split_Tunnel_List standard permit 192.168.0.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPNPOOL 192.168.100.1-192.168.100.99 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24 destination static NETWORK_OBJ_192.168.100.0_25 NETWORK_OBJ_192.168.100.0_25
!
object network obj_any
nat (inside,outside) dynamic interface
object network uvnc_7070
nat (inside,outside) static interface service tcp 7070 7070
object network web_80
nat (inside,outside) static interface service tcp www www
object network pop3_110
nat (inside,outside) static interface service tcp pop3 pop3
object network smtp_25
nat (inside,outside) static interface service tcp smtp smtp
object network rdp_38382
nat (inside,outside) static interface service tcp 38382 38382
object network trend_4343
nat (inside,outside) static interface service tcp 4343 4343
access-group OUTSIDE-IN in interface outside
route outside 0.0.0.0 0.0.0.0 208.128.250.181 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.0.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 30
ssh 192.168.0.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
ssh version 2
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.0.110-192.168.0.160 inside
dhcpd dns 210.0.128.251 203.184.245.250 interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy VPNGP internal
group-policy VPNGP attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel_List
username jack password Kkh42VKbshoJ4JMv encrypted privilege 15
username alert password /SUL6iHoyXobOco7 encrypted privilege 0
username alert attributes
vpn-group-policy VPNGP
tunnel-group VPNGP type remote-access
tunnel-group VPNGP general-attributes
address-pool VPNPOOL
default-group-policy VPNGP
tunnel-group VPNGP ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:84453b3ecde3520c6cf0f35ffff10fa3

**** This is what I modified afterwards, like this ****

1) access-list inside_in extended permit tcp host 192.168.0.200 eq 25 any

I want to allow the server 192.168.0.200 to be accessed by any host on port 25.

2) access-group inside_in in interface inside

3) access-list inside_in extended permit tcp any any eq 80

I want to permit all the inside hosts to access any host on the outside on port 80.

4) access-list inside_in extended permit tcp any any eq 443

I want to permit all the inside hosts to access any host on the outside on port 443.

5) access-list inside_in extended permit tcp any any eq 143

I want to permit all the inside hosts to access any host on the outside on port 143.

6) access-list inside_in extended permit tcp any any eq 3389

I want to permit all the inside hosts to access any host on the outside on port 3389.

7) access-list inside_in extended permit udp any any

I want to permit all the inside hosts to access any host on the outside for UDP.

8) access-list inside_in extended permit tcp host 192.168.0.200 eq pop3 any

I want to allow the server 192.168.0.200 to be accessed by any host on port 110 (POP3).

9) access-list inside_in extended permit tcp host 192.168.0.200 any eq 25

I want to allow server 192.168.0.200 to access any host on the outside on port 25.

I am just temporarily using these 2 commands to allow it, but I really want to block SMTP outside and allow only some IP addresses to use SMTP:

1) access-list inside_in extended permit tcp any any eq 25

2) access-list inside_in extended permit tcp any any eq 110

end

4 Replies

Kureli Sankar
Cisco Employee

access-list inside_in extended permit tcp any any eq 80

access-list inside_in extended permit tcp any any eq 443

access-list inside_in extended permit tcp any any eq 143

access-list inside_in extended permit tcp any any eq 3389

access-list inside_in extended permit udp any any

access-list inside_in extended permit tcp host 192.168.0.200 any eq 25  ---Note the change

access-list inside_in extended permit tcp host 192.168.0.200 any eq 110 ---Note the change

access-group inside_in in interface inside

To allow all Internet mail servers to send mail to your Exchange server 192.168.0.200, you need to allow that via the ACL applied on the outside interface, which you have already done.

-Kureli

Yep, outside-in is no problem; port 25 I already opened to any in the config file.

I just want the workstation (inside 192.168.0.7) to access outside 210.177.52.51 ports 25 & 110

and deny all workstations from using another SMTP server, except 192.168.0.200 (Exchange server). Do you think it is possible?

Finally I modified the lines:

access-list inside_in extended permit tcp host 192.168.0.7 210.177.52.51 255.255.255.255 eq 25

access-list inside_in extended permit tcp host 192.168.0.7 210.177.52.51 255.255.255.255 eq 110

It works!! Thank you for the reminder, Poonquzhali Sankar
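As an added illustration (not part of the thread, and not Cisco's code), a small Python model of how the ASA walks the final inside_in list above: top-down, first match wins, implicit deny at the end. It checks the three aims stated in the question and shows why the first attempt's "eq 25" placed after the source address did not match outbound mail. The external address 203.0.113.25 and the ephemeral source ports are constructed values.

```python
import ipaddress
# Added model of Cisco ASA extended-ACL evaluation: top-down, first match wins,
# implicit deny at the end. Entries: (action, proto, src, src_port, dst, dst_port),
# None meaning any port. The list is the final inside_in ACL from this thread.
INSIDE_IN = [
    ("permit", "tcp", "any", None, "any", 80),
    ("permit", "tcp", "any", None, "any", 443),
    ("permit", "tcp", "any", None, "any", 143),
    ("permit", "tcp", "any", None, "any", 3389),
    ("permit", "udp", "any", None, "any", None),
    ("permit", "tcp", "host 192.168.0.200", None, "any", 25),
    ("permit", "tcp", "host 192.168.0.200", None, "any", 110),
    ("permit", "tcp", "host 192.168.0.7", None, "210.177.52.51 255.255.255.255", 25),
    ("permit", "tcp", "host 192.168.0.7", None, "210.177.52.51 255.255.255.255", 110),
]
# Poster's first attempt: "eq 25" after the source matches SOURCE port 25 ("Note the change").
FIRST_ATTEMPT = [("permit", "tcp", "host 192.168.0.200", 25, "any", None)]

def to_network(spec):
    # ASA address syntax: "any", "host A.B.C.D", or "A.B.C.D MASK"
    if spec == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if spec.startswith("host "):
        return ipaddress.ip_network(spec.split()[1] + "/32")
    addr, mask = spec.split()
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def evaluate(acl, proto, src, sport, dst, dport):
    # Walk the ACL in order; the first entry that matches decides the flow.
    for action, p, s, sp, d, dp in acl:
        if p != proto or ipaddress.ip_address(src) not in to_network(s):
            continue
        if ipaddress.ip_address(dst) not in to_network(d):
            continue
        if (sp is not None and sp != sport) or (dp is not None and dp != dport):
            continue
        return action
    return "deny"  # the implicit deny that closes every ASA ACL

def check_aims(acl, ext="203.0.113.25"):
    # The three aims from the question plus two rogue-SMTP cases. ext is a constructed
    # external mail server (documentation range); source ports are constructed ephemerals.
    return {
        "exchange_smtp_out": evaluate(acl, "tcp", "192.168.0.200", 51000, ext, 25),
        "ws7_smtp_to_partner": evaluate(acl, "tcp", "192.168.0.7", 51001, "210.177.52.51", 25),
        "ws7_pop3_to_partner": evaluate(acl, "tcp", "192.168.0.7", 51002, "210.177.52.51", 110),
        "ws7_smtp_elsewhere": evaluate(acl, "tcp", "192.168.0.7", 51003, ext, 25),
        "other_ws_smtp": evaluate(acl, "tcp", "192.168.0.50", 51004, ext, 25),
    }
```

Running check_aims(INSIDE_IN) shows the Exchange server and the 192.168.0.7 partner flows permitted and every other outbound port-25 flow falling through to the implicit deny, while evaluate(FIRST_ATTEMPT, ...) denies the Exchange server's own outbound mail because its source port is never 25.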

Awesome! Glad to hear it. Mark the discussion as resolved if you believe it is resolved, so others don't spin their cycles trying to answer it.

-Kureli
