12-03-2019 04:58 AM - edited 02-21-2020 09:44 AM
Our production network is 172.16.4.0 255.255.252.0 with a usable IP range of 172.16.4.1 to 172.16.7.254. We want to block any IP from 172.16.7.1 to 172.16.7.254 from sending outbound SMTP traffic. I'm fairly sure this is the correct ACL rule using an inverse netmask to do that:
access-list inside-in extended deny ip 172.16.7.0 0.0.0.255 any eq 25
Would someone please let me know if that's right?
12-03-2019 05:13 AM
Hi there,
The Cisco ASA uses a network mask and not a wildcard mask in its ACL. You will need to change it to 255.255.255.0.
As for placement of the ACL, you will want to configure it inbound on the nearest interface which routes traffic sourced from 172.16.7.0/24.
cheers,
Seb.
12-05-2019 01:51 AM
As Seb mentioned, on the ASA you need a netmask and not a wildcard mask. And this one line will not stop SMTP completely. If you want to block SMTP completely you also have to deny SMTPS tcp/465 and Submission tcp/587.
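Putting both replies together, here is an added example of what the corrected configuration would look like (this is not from the thread, and the interface name "inside" is an assumption; the ACL name "inside-in" is the one used in the question). Note that an ACE matching on `eq 25` needs the `tcp` protocol rather than `ip`, and that the ASA applies an implicit deny at the end of every ACL, so the final permit is required or all other traffic from the inside interface is dropped:

```cisco
! Block outbound mail submission from the upper /24 of the 172.16.4.0/22 network
! (the ASA takes a subnet mask, not a wildcard mask; a port match requires tcp, not ip)
access-list inside-in remark Block outbound SMTP/SMTPS/Submission from 172.16.7.0/24
access-list inside-in extended deny tcp 172.16.7.0 255.255.255.0 any eq 25
access-list inside-in extended deny tcp 172.16.7.0 255.255.255.0 any eq 465
access-list inside-in extended deny tcp 172.16.7.0 255.255.255.0 any eq 587
! Everything else is still allowed; without this line the implicit deny blocks all traffic
access-list inside-in extended permit ip any any
! Apply the ACL inbound on the interface closest to the source hosts ("inside" is assumed)
access-group inside-in in interface inside
```

To confirm the entries match as intended, `show access-list inside-in` shows per-ACE hit counts, and `packet-tracer input inside tcp 172.16.7.10 1025 203.0.113.25 25` (constructed addresses) walks a simulated SMTP packet through the rule set and reports which ACE dropped or allowed it.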