10-25-2012 05:10 AM - edited 03-11-2019 05:13 PM
I have a pix501 and I have a mail server. What I would like to do is ensure that smtp traffic from the web only goes to my mail server and that my mail server is the only machine on my local network that can send to the internet on port 25. This is to secure against the possibility of bots on my children's PCs spamming other users. The mail server has been relay secured for selected PCs only.
For the pix501, I think the following is what I need, but I would like somebody to confirm or correct me:
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
...
access-list inbound permit tcp any host x.x.x.x eq smtp
access-list outbound permit tcp host x.x.x.x any eq smtp
access-group inbound in interface outside
access-group outbound in interface inside
Most important:
1. Have I got the access-lists right? Does pix501 support host x.x.x.x (the IP of the local webserver, 192.168.x.x)?
2. Are the access lists the right way around?
3. Is the access-group setup right?
4. Is there anything else that needs doing?
Any help appreciated.
Note: I am a Cisco newbie and trying to learn.
10-25-2012 05:35 AM
You are doing absolutely great.
To answer your questions:
1. Yes, you have got the access-list absolutely correct. Yes, PIX supports host x.x.x.x
2. Yes, it is the right way.
3. Yes, absolutely correct.
4. Not really.
Just confirming that for your outbound acl, host should be the private ip, and for inbound acl, host should be public ip, as follows:
access-list inbound permit tcp any host x.x.x.x eq smtp
access-list outbound permit tcp host 192.168.1.x any eq smtp
Also, are you using the PIX outside interface ip as the public IP, or you have a spare public ip? If you are using a spare, then your static PAT configuration is correct. But if you are using the PIX outside interface IP, then it should be:
static (inside,outside) tcp interface smtp 192.168.1.x smtp netmask 255.255.255.255
Hope that helps.
10-25-2012 05:19 AM
Sorry missed the natting bit:
static (inside,outside) tcp x.x.x.x smtp 192.168.1.x smtp netmask 255.255.255.255 0 0
where x.x.x.x is the public IP.
10-25-2012 06:01 AM
Your very prompt and detailed response is much appreciated.
10-26-2012 10:05 AM
The outbound access-list has to also allow other traffic (non smtp).
Just putting the one entry to allow the mailserver to send, blocks all other traffic as it is implicitly followed by a 'deny all'.
However, even after making the following change, webserver traffic is still denied:
access-list outbound permit tcp host 192.168.1.3 any eq smtp
access-list outbound permit tcp host 192.168.1.36 any eq smtp
access-list outbound permit tcp any any eq www
access-list outbound permit tcp any any
What am I doing wrong? (Note: the third line was an initial attempt, but the fourth line should have allowed all through except smtp, I think.) As soon as I tie the outbound access-list to the inside interface, all webserver traffic is also stopped:
access-group outbound in interface inside
10-27-2012 06:07 PM
Most probably DNS resolution fails because you haven't allowed it through.
As DNS resolution will happen first, before the actual web traffic, please kindly add the following:
access-list outbound permit udp any any eq 53
10-29-2012 03:30 AM
Thanks for that information.
I thought about this some more after seeing your response, and I was wondering: if I only want to restrict smtp outbound traffic but allow all other traffic, would the following work, as I don't have to allow each specific port/IP address?
access-list outbound permit tcp host 192.168.1.3 any eq smtp
access-list outbound permit tcp host 192.168.1.36 any eq smtp
access-list outbound deny tcp any any eq smtp
access-list outbound permit udp any any
access-list outbound permit tcp any any
I realise that this would open all sorts of other security risks, but at least trojans/worms will not be able to spam from PCs other than those listed in the first 2 lines (which is my major concern at the moment). As I learn more about the traffic on my network I can block more undesirable ports.
Sorry to be a pain, but this could be useful to others, and the more complete the setup, the easier it will be for them.
10-29-2012 04:07 AM
Yes, what you have configured will definitely work.
OR, to simplify, you can even configure just this:
access-list outbound permit tcp host 192.168.1.3 any eq smtp
access-list outbound permit tcp host 192.168.1.36 any eq smtp
access-list outbound deny tcp any any eq smtp
access-list outbound permit ip any any
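To see why the 10-26 list still broke browsing (no udp/53 entry) and how the final list above behaves, here is an added Python model of first-match PIX access-list evaluation; it is not from this thread or from Cisco, and the inside PC 192.168.1.50 and the outside addresses used with it are constructed sample values.

```python
import ipaddress
# Added model of PIX access-list evaluation: entries are checked in order, the
# first match decides, an unmatched packet hits the implicit "deny all". Not
# Cisco code; handles only this thread's forms: tcp/udp/ip, any|host X, eq PORT.
NAMED_PORTS = {"smtp": 25, "www": 80, "domain": 53}

def _addr(tokens):
    """Consume 'any' or 'host X'; return (match function, remaining tokens)."""
    if tokens[0] == "any":
        return (lambda ip: True), tokens[1:]
    if tokens[0] == "host":
        want = ipaddress.ip_address(tokens[1])
        return (lambda ip: ip == want), tokens[2:]
    raise ValueError(f"unsupported address form: {' '.join(tokens)}")

def parse_ace(line):
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT]'."""
    t = line.split()  # t[1] is the list name; it is not needed for matching
    src_match, rest = _addr(t[4:])
    dst_match, rest = _addr(rest)
    port = None
    if rest[:1] == ["eq"]:
        port = NAMED_PORTS.get(rest[1]) or int(rest[1])
    return t[2], t[3], src_match, dst_match, port  # action, proto, src, dst, dport

def acl_permits(acl_lines, proto, src, dst, dport):
    """True if the flow is permitted; False if denied explicitly or implicitly."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, src_ok, dst_ok, port in map(parse_ace, acl_lines):
        if (p in ("ip", proto) and src_ok(src) and dst_ok(dst)
                and (port is None or port == dport)):
            return action == "permit"  # first matching entry decides
    return False  # implicit deny at the end of every access-list

# The 10-26 attempt: tcp-only entries, so the udp/53 DNS lookup that precedes
# a web request never matches; note it also still lets any PC send on tcp/25.
ACL_TCP_ONLY = [
    "access-list outbound permit tcp host 192.168.1.3 any eq smtp",
    "access-list outbound permit tcp host 192.168.1.36 any eq smtp",
    "access-list outbound permit tcp any any",
]
# The final list from the thread: the two mail hosts may send on tcp/25,
# everyone else is explicitly denied tcp/25, and all other traffic passes.
ACL_FINAL = [
    "access-list outbound permit tcp host 192.168.1.3 any eq smtp",
    "access-list outbound permit tcp host 192.168.1.36 any eq smtp",
    "access-list outbound deny tcp any any eq smtp",
    "access-list outbound permit ip any any",
]
```

Calling acl_permits(ACL_TCP_ONLY, "udp", "192.168.1.50", "198.51.100.53", 53) returns False, which is the DNS failure diagnosed in the thread, while the same lookup against ACL_FINAL is permitted and tcp/25 from 192.168.1.50 is denied.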