02-03-2013 07:49 AM - edited 03-11-2019 05:55 PM
Hi,
I was wondering how to tighten the security of my email delivery to a range of ip addresses (I know how on my old firewall but the cisco is quite a bit different). Right now anyone sending email to a particular ip address on my firewall can do so. I want to restrict that to two ip address ranges it will accept deliver from. I'm thinking I need two network objects for the two ranges then add to a network object group. Can anyone help with configuring the ACL for delivery using that group if I'm correct about that?
TIA
Al
02-03-2013 08:41 AM
Hi,
I assume that you have a server or multiple servers on your network behind the ASA and want to restrict SMTP traffic to them and only allow SMTP traffic from certain address ranges?
You might have something like this configured for the server Static NATs
object network SMTP-SERVER1
 host 10.10.10.10
 nat (dmz,outside) static x.x.x.x dns
object network SMTP-SERVER2
 host 10.10.10.20
 nat (dmz,outside) static y.y.y.y dns
If so you could simply create the following kind of configurations to restrict traffic to them
object-group network SMTP-SERVERS
network-object object SMTP-SERVER1
network-object object SMTP-SERVER2
object-group network ALLOWED-SMTP-SOURCE
 network-object <network> <mask>
 network-object <network> <mask>
 network-object host <address>
access-list OUTSIDE-IN remark Allowed SMTP connections
access-list OUTSIDE-IN permit tcp object-group ALLOWED-SMTP-SOURCE object-group SMTP-SERVERS eq smtp
access-group OUTSIDE-IN in interface outside
The above configuration does the following
Naturally the above object/object-group, access-list and interface names could be different, and the same goes for the actual IP addresses.
Also, if you already have an ACL attached to your "outside" interface then naturally you use that and DON'T NEED the "access-group" command above. (As it's used to attach an ACL to an interface which doesn't already have one attached.)
- Jouni
02-03-2013 09:14 AM
Jouni, thanks!
I'd kinda figured that after poking around a bit.
I'm already restricting my outbound email to those same IPs with a group (outbound_email) from my server (mail_server).
Presently the acl I have for inbound looks like the below:
access-list outside_acl_in extended permit tcp any object mail_server eq smtp
So, I could change that to be:
access-list outside_acl_in extended permit tcp object-group outbound_email object mail_server eq smtp
Granted I may want to duplicate my ip range group and rename it to inbound_email. Having in and out both being named the same may cause confusion for anyone else working on it...
Makes sense?
Thanks again!
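As an added illustration (not code from this thread or from Cisco), the Python below models how the ASA evaluates the before/after ACL lines above against object-groups like the ones Jouni described, so the effect of swapping "any" for the allowed-sender group can be checked on sample addresses before the change goes on the firewall. The group names, the mail server address and the two sender ranges are constructed assumptions (RFC 5737 documentation addresses), not the poster's real values.

```python
# Added example: simulate ASA-style ACL evaluation for the inbound SMTP rule.
# Object-group contents and addresses below are constructed sample values.
import ipaddress

# Constructed object-groups: two allowed sender ranges and the mail server host.
OBJECT_GROUPS = {
    "inbound_email": ["192.0.2.0/24", "198.51.100.0/25"],
    "mail_server": ["203.0.113.10/32"],
}

def in_group(addr, name):
    """True if addr falls inside any network-object of the named group."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(net) for net in OBJECT_GROUPS[name])

def matches(spec, addr):
    """'any' matches every address; otherwise look the address up in the group."""
    return True if spec == "any" else in_group(addr, spec)

def evaluate(acl, src, dst, dport):
    """First-match evaluation; an ASA ACL ends in an implicit deny."""
    for action, src_spec, dst_spec, port in acl:
        if matches(src_spec, src) and matches(dst_spec, dst) and port == dport:
            return action
    return "deny"

# Each tuple mirrors one access-list line: (action, source, destination, port).
# before: access-list outside_acl_in extended permit tcp any object mail_server eq smtp
BEFORE = [("permit", "any", "mail_server", 25)]
# after:  access-list outside_acl_in extended permit tcp object-group inbound_email object mail_server eq smtp
AFTER = [("permit", "inbound_email", "mail_server", 25)]

def policy_report(acl, sources, dst="203.0.113.10", dport=25):
    """Map each candidate source address to the ACL verdict for dst:dport."""
    return {src: evaluate(acl, src, dst, dport) for src in sources}

if __name__ == "__main__":
    samples = ["192.0.2.25", "198.51.100.7", "198.51.100.200", "203.0.113.99"]
    for label, acl in (("before", BEFORE), ("after", AFTER)):
        print(label, policy_report(acl, samples))
```

The "after" report is the check worth keeping: every address outside the two ranges, and any port other than 25, must come back as deny.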
02-03-2013 09:17 AM
Hi,
I would suggest creating a new "object-group" for the allowed address range.
I avoid using the same "object-group" multiple times unless the environment is an easy one. I don't want to run into a situation where I might change something I was not meant to. Nothing prevents you from using the same one, but as you said yourself, it might cause confusion later on.
If you want to keep the "object-groups" to a minimum I would suggest creating an "object-group" that is named logically when used for both purposes.
Could be something like "object-group network ALLOWED-SMTP", which doesn't really state which direction it's meant to be used on the ACL.
- Jouni
02-03-2013 09:52 AM
Makes sense. I'm all about less clutter. Thanks Jouni!