pix501: allow all incoming smtp to one host and all smtp out from one host only

shumifan51
Level 1

I have a pix501 and I have a mail server. What I would like to do is ensure that smtp traffic from the web only goes to my mail server and that my mail server is the only machine on my local network that can send to the internet on port 25. This is to secure the possibility of bots on my children's PCs spamming other users. The mail server has been relay secured for selected PCs only.

To the pix501; I think the following is what I need, but would like somebody to confirm or correct me:

interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

...

access-list inbound permit tcp any host x.x.x.x eq smtp

access-list outbound permit tcp host x.x.x.x any eq smtp

access-group inbound in interface outside

access-group outbound in interface inside

Most important:

1. Have I got the access-lists right? Does pix501 support host x.x.x.x (ip of local webserver 192.168.x.x)?

2. Are the access lists the right way around?

3. Is the access-group setup right?

4. Is there anything else that needs doing?

Any help appreciated.

Note: I am a Cisco newbie and trying to learn.

Accepted Solution

You are doing absolutely great.

To answer your questions:

1. Yes, you have got the access-list absolutely correct. Yes, PIX supports host x.x.x.x

2. Yes, it is the right way.

3. Yes, absolutely correct.

4. Not really.

Just confirming that for your outbound acl, host should be the private ip, and for inbound acl, host should be public ip, as follows:

access-list inbound permit tcp any host x.x.x.x eq smtp

access-list outbound permit tcp host 192.168.1.x any eq smtp

Also, are you using the PIX outside interface ip as the public IP, or you have a spare public ip? If you are using a spare, then your static PAT configuration is correct. But if you are using the PIX outside interface IP, then it should be:

static (inside,outside) tcp interface smtp 192.168.1.x smtp netmask 255.255.255.255

Hope that helps.


7 Replies

shumifan51
Level 1

Sorry missed the natting bit:

static (inside,outside) tcp x.x.x.x smtp 192.168.1.x smtp netmask 255.255.255.255 0 0

where x.x.x.x is the public IP.


Your very prompt and detailed response is much appreciated.

The outbound access-list has to also allow other traffic (non smtp).

Just putting the one entry to allow the mailserver to send, blocks all other traffic as it is implicitly followed by a 'deny all'.

However,

even after making the following change, webserver traffic is still denied:

access-list outbound permit tcp host 192.168.1.3 any eq smtp

access-list outbound permit tcp host 192.168.1.36 any eq smtp

access-list outbound permit tcp any any eq www

access-list outbound permit tcp any any

What am I doing wrong? (Note the third line was an initial attempt, but the fourth line should have allowed all through except smtp - I think), but as soon as I tie the outbound access-list to the inside interface, all webserver traffic is also stopped.

access-group outbound in interface inside

Most probably DNS resolution fails because you haven't allowed it through.

As DNS resolution will happen first before the actual web traffic, pls kindly add the following:

access-list outbound permit udp any any eq 53

Thanks for that information.

I thought about this some more, after seeing your response, and I was wondering: if I only want to restrict smtp outbound traffic, but allow all other traffic, would the following work, as I don't have to allow each specific port/ip address:

access-list outbound permit tcp host 192.168.1.3 any eq smtp

access-list outbound permit tcp host 192.168.1.36 any eq smtp

access-list outbound deny tcp any any eq smtp

access-list outbound permit udp any any

access-list outbound permit tcp any any

I realise that this would open all sorts of other security risks, but at least trojans/worms will not be able to spam from PCs other than those listed as per the first 2 lines ( which is my major concern at the moment). As I learn more about the traffic on my network I can block more undesirable ports.

Sorry to be a pain, but this could be useful to others, and the more complete the setup, the easier it will be for them.

Yes, what you have configured will definitely work.

OR, to simplify, you can even configure just this:

access-list outbound permit tcp host 192.168.1.3 any eq smtp

access-list outbound permit tcp host 192.168.1.36 any eq smtp

access-list outbound deny tcp any any eq smtp

access-list outbound permit ip any any
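The first-match behaviour the replies rely on (the deny line for port 25 shielding the final permit, and the implicit deny-all that swallowed DNS and web traffic in the earlier attempt), as an added example that is not part of the thread: a small Python evaluator over the outbound ACL lines posted above. The 192.168.1.50 "child PC" address and the 203.0.113.x destinations are constructed samples, not addresses from the thread.

```python
import ipaddress

# Service keywords used in the thread, mapped to port numbers.
PORTS = {"smtp": 25, "www": 80, "domain": 53}

def _addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'NETWORK MASK' starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2

def parse_ace(line):
    """Parse one 'access-list NAME permit|deny PROTO SRC DST [eq PORT]' line."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError("not an access-list line: " + line)
    src, i = _addr(t, 4)
    dst, i = _addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        dport = int(PORTS.get(t[i + 1], t[i + 1]))
    return {"line": line, "action": t[2], "proto": t[3],
            "src": src, "dst": dst, "dport": dport}

def evaluate(acl_lines, proto, src, dst, dport):
    """First match wins; a packet matching no line hits the implicit deny-all."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in map(parse_ace, acl_lines):
        if ace["proto"] not in ("ip", proto):
            continue
        if s not in ace["src"] or d not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"], ace["line"]
    return "deny", "<implicit deny all>"

# Final outbound ACL from the last reply (192.168.1.3 / .36 are the thread's mail hosts).
FINAL_OUTBOUND = [
    "access-list outbound permit tcp host 192.168.1.3 any eq smtp",
    "access-list outbound permit tcp host 192.168.1.36 any eq smtp",
    "access-list outbound deny tcp any any eq smtp",
    "access-list outbound permit ip any any",
]
# The earlier single-purpose ACL: only the SMTP permits, so DNS and web fall through.
FIRST_ATTEMPT = FINAL_OUTBOUND[:2]
```

Running `evaluate(FIRST_ATTEMPT, "udp", "192.168.1.50", "203.0.113.53", 53)` reproduces the symptom from the thread: the lookup hits the implicit deny, which is why the web pages never loaded.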
