05-09-2005 05:22 AM - edited 02-21-2020 12:07 AM
I need to block non-Exchange-server SMTP traffic from leaving my network. I tried an access list on my default gateway (2620 router); it managed to kill HTTP.
access-list 198 deny tcp any any eq 25
access-list 198 permit tcp 10.80.80.10 0.0.0.0 any eq 25
I applied this to the F 0/0 interface.
I would like to add this to the PIX instead. What is the best method?
Thanks!
05-09-2005 05:42 AM
Orv,
If you just want to stop port 25 from leaving your internal network then you can apply an ACL on the inside interface of the PIX for this:
Ex.
access-list inside deny tcp any any eq 25
access-list inside permit ip any any
access-group inside in interface inside
Save with "write mem" and also issue "clear xlate".
I presume you don't need any e-mail for your internal users? My reason for asking is that your ACL on the router says that you are trying to allow SMTP traffic, BUT you have stopped this by denying everything with "deny tcp any any eq 25". Remember that HTTP also uses TCP!
So are you sure that you want to stop access for SMTP? Because you say that you want to stop non-Exchange-server traffic.
Hope this helps / Jay
05-09-2005 06:31 AM
Jay, thanks for the info. I do need SMTP traffic from my Exchange server (10.80.80.10) to leave the internal network. The problem is that apparently we have been infected with a virus that contains its own SMTP server. Therefore I want to block all SMTP traffic except from the Exchange server.
Thanks!
05-09-2005 06:44 AM
Orv,
OK. If this server has been infected with a virus then I would take it offline and run appropriate anti-virus software on it first before bringing it back online!!
What sort of anti-virus software have you got running, if any? Do you know the type of virus it is?
If you are running McAfee then download stinger.exe from the McAfee website and run this on the server offline and see what it picks up. If you cannot locate Stinger on the McAfee website then do a search on Google for it.
You can also apply ACL filtering on the PIX for specific virus ports.
I would take this server offline first and patch it up with the appropriate anti-virus patches!
Let me know if you need further help.
Jay
05-09-2005 06:50 AM
Orv,
Also, forgot to add on my other post, have a read of this post of mine:
Hope this is of help.
Jay
05-09-2005 07:15 AM
We have checked all of our servers/workstations. However, we have nine branch offices and several teleworkers that all connect to a Cisco 3005 VPN concentrator. We use Symantec Enterprise for servers and workstations, and a combination of TrendMicro and AVG on laptops.
The port 25 blocking was recommended by the blacklist we were put on as a "Best Practice".
Thanks for the other link as well. Good info.
On the ACL, if I do the "deny any any eq 25" and then a "permit 10.80.80.10 any eq 25", will that work?
Thanks again for your assistance.
05-09-2005 07:46 AM
Orv,
On the ACL, if you deny everything for port 25 and then try to permit port 25, this will not work, as the ACL is processed from the top down: if traffic matches a rule, that rule is actioned and the following permit rule will never be read. But your problem, from what I can make out, is with an SMTP virus, correct? So blocking port 25 and then trying to allow port 25 will not resolve your problem!
You mention that you have been put on a blacklist. Why so? Was it for e-mail relaying or propagating a virus? I would suggest two things here: 1. Try out those ACLs from my 2nd post for port 445 etc. and see if this picks up anything. 2. If you have a free switch port on the inside, download Ethereal and scan for ports 445 et al. and see which hosts are propagating on those ports.
Hope this helps out a little.
Jay
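The top-down, first-match behaviour Jay describes is easy to see with a small simulator. The following is an added example, not code from the thread or from Cisco: it parses the subset of PIX/IOS extended ACL syntax used above (permit/deny, tcp/ip, "any" or "host" source, optional "eq PORT") and evaluates a flow against an ACL in order, with the implicit deny at the end. The two ACLs embedded in it are constructed for illustration: one with the deny entry first, as in the original question, and one with the Exchange host (10.80.80.10, from the thread) permitted before the deny.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    """One extended ACL entry, simplified to what the thread uses."""
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp" or "ip" (ip matches any protocol)
    src: ipaddress.IPv4Network   # "any" -> 0.0.0.0/0, "host A.B.C.D" -> A.B.C.D/32
    dport: Optional[int]         # None means any destination port


def parse_rule(line: str) -> Rule:
    """Parse: access-list NAME {permit|deny} {tcp|ip} {any|host A.B.C.D} any [eq PORT]"""
    toks = line.split()
    if toks[0] != "access-list" or toks[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported ACL line: {line!r}")
    action, proto = toks[2], toks[3]
    i = 4
    if toks[i] == "any":
        src = ipaddress.IPv4Network("0.0.0.0/0")
        i += 1
    elif toks[i] == "host":
        src = ipaddress.IPv4Network(toks[i + 1] + "/32")
        i += 2
    else:
        raise ValueError(f"unsupported source in: {line!r}")
    if toks[i] != "any":
        raise ValueError(f"only an 'any' destination is supported in: {line!r}")
    i += 1
    dport = None
    if i < len(toks) and toks[i] == "eq":
        dport = int(toks[i + 1])
    return Rule(action, proto, src, dport)


def evaluate(acl: List[str], src_ip: str, proto: str, dport: int) -> str:
    """Return the action of the first matching entry; no match means the implicit deny."""
    src = ipaddress.IPv4Address(src_ip)
    for line in acl:
        rule = parse_rule(line)
        if rule.proto not in ("ip", proto):
            continue
        if src not in rule.src:
            continue
        if rule.dport is not None and rule.dport != dport:
            continue
        return rule.action
    return "deny"  # implicit deny at the end of every ACL


# Constructed: the order from the question. The deny matches first, so the
# Exchange permit below it is never reached.
DENY_FIRST = [
    "access-list inside deny tcp any any eq 25",
    "access-list inside permit tcp host 10.80.80.10 any eq 25",
    "access-list inside permit ip any any",
]

# Constructed: corrected order. Permit the Exchange host, deny everyone else's
# SMTP, then allow the remaining traffic.
PERMIT_FIRST = [
    "access-list inside permit tcp host 10.80.80.10 any eq 25",
    "access-list inside deny tcp any any eq 25",
    "access-list inside permit ip any any",
]

if __name__ == "__main__":
    for name, acl in (("deny-first", DENY_FIRST), ("permit-first", PERMIT_FIRST)):
        print(name)
        print("  Exchange 10.80.80.10 -> tcp/25:", evaluate(acl, "10.80.80.10", "tcp", 25))
        print("  workstation 10.80.80.55 -> tcp/25:", evaluate(acl, "10.80.80.55", "tcp", 25))
        print("  workstation 10.80.80.55 -> tcp/80:", evaluate(acl, "10.80.80.55", "tcp", 80))
```

With the deny-first ACL the Exchange server is denied on port 25 like every other host; with the permit-first ACL only the Exchange server passes on port 25 and other traffic is unaffected, which is the behaviour the thread is after.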
05-09-2005 09:08 AM
Yes, we were listed on the Composite Blocking List for propagating a virus.
I will run Ethereal; I have a laptop running Auditor that I can plug in. What do you recommend for a permanent Ethereal system? It seems to use quite a bit of resources if it runs for more than a day or two.
Thanks
05-09-2005 09:20 AM
Orv,
Yes, Ethereal does take up a lot of resources. You can set up syslog for the PIX with the ACL filters for ports 445/137 etc. I had a customer not so long ago with the exact same problem as you, and Ethereal came to the rescue, and it's FREE!
You could take snapshots of data flow from your network, say for half an hour at a time for those ports, so as not to take up too many resources.
Let me know how you get on and good luck.
Jay
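Jay's suggestion of PIX syslog with ACL filters is the lighter-weight alternative to a permanent Ethereal box: once the inside ACL denies port 25 from everything but the Exchange server, every blocked attempt shows up as a 106023 deny message, and counting those per source host points straight at the infected machines. The following is an added example, not from the thread or from Cisco. The log lines are constructed in the shape of the PIX 106023 message (the destination addresses are documentation ranges); the Exchange address 10.80.80.10 and the port list come from the thread.

```python
import re
from collections import Counter, defaultdict
from typing import Iterable, Iterator, List, Set, Tuple

# Matches the PIX 106023 "Deny ... by access-group" message produced when an
# ACL entry drops a packet.
DENY_RE = re.compile(
    r'%PIX-\d-106023: Deny (?P<proto>\w+) '
    r'src (?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) '
    r'dst (?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) '
    r'by access-group "(?P<acl>[^"]+)"'
)

# Ports the thread suggests watching: SMTP plus the Windows file-sharing ports.
WATCH_PORTS = {25, 445, 137, 139}


def parse_denies(lines: Iterable[str]) -> Iterator[Tuple[str, str, int]]:
    """Yield (src_ip, dst_ip, dst_port) for each 106023 line; other messages are skipped."""
    for line in lines:
        m = DENY_RE.search(line)
        if m:
            yield m.group("src_ip"), m.group("dst_ip"), int(m.group("dst_port"))


def summarize(lines: Iterable[str], ports: Set[int] = WATCH_PORTS) -> List[Tuple[str, int, int, int]]:
    """Per (source host, destination port): number of denied attempts and number of
    distinct destinations, most active first."""
    counts: Counter = Counter()
    targets = defaultdict(set)
    for src_ip, dst_ip, dst_port in parse_denies(lines):
        if dst_port in ports:
            counts[(src_ip, dst_port)] += 1
            targets[(src_ip, dst_port)].add(dst_ip)
    return [(src, port, n, len(targets[(src, port)])) for (src, port), n in counts.most_common()]


def suspect_smtp_hosts(lines: Iterable[str], exchange: str = "10.80.80.10", min_attempts: int = 2) -> List[str]:
    """Hosts other than the Exchange server with at least min_attempts denied port-25 attempts."""
    return sorted(
        src for src, port, n, _ in summarize(lines, {25})
        if port == 25 and src != exchange and n >= min_attempts
    )


# Constructed sample log: one workstation hammering port 25 at several MX hosts,
# another with a single attempt, one SMB attempt, and two permitted connections
# (302013) that the deny filter must ignore.
SAMPLE_LOG = [
    '%PIX-4-106023: Deny tcp src inside:10.80.80.55/1034 dst outside:203.0.113.25/25 by access-group "inside"',
    '%PIX-4-106023: Deny tcp src inside:10.80.80.55/1035 dst outside:198.51.100.7/25 by access-group "inside"',
    '%PIX-4-106023: Deny tcp src inside:10.80.80.55/1036 dst outside:203.0.113.25/25 by access-group "inside"',
    '%PIX-4-106023: Deny tcp src inside:10.80.80.201/2231 dst outside:203.0.113.25/25 by access-group "inside"',
    '%PIX-4-106023: Deny tcp src inside:10.80.80.55/1037 dst outside:192.0.2.44/445 by access-group "inside"',
    '%PIX-6-302013: Built outbound TCP connection 4711 for outside:203.0.113.25/25 (203.0.113.25/25) to inside:10.80.80.10/3200 (192.0.2.1/3200)',
    '%PIX-6-302013: Built outbound TCP connection 4712 for outside:203.0.113.80/80 (203.0.113.80/80) to inside:10.80.80.77/1500 (192.0.2.1/1500)',
]

if __name__ == "__main__":
    for src, port, n, dests in summarize(SAMPLE_LOG):
        print(f"{src:<14} port {port:<4} {n} denied attempt(s) to {dests} destination(s)")
    print("investigate:", suspect_smtp_hosts(SAMPLE_LOG))
```

Run it against a syslog file with `summarize(open("pix.log"))`; the Exchange server never appears because its port-25 traffic is permitted and so produces no 106023 message, while a host sending its own mail is denied once per connection attempt and rises to the top of the list.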