03-07-2014 02:39 AM - edited 03-11-2019 08:54 PM
Dear all,
We are trying to allow only a specific IP range to connect to our email server on port 25 from an external source.
We are using a NAT object policy to allow SMTP traffic through the firewall, but this has been configured to allow all SMTP servers to connect on port 25 (resulting in SPAM).
I have attached the NAT Object rules below currently configured:
object network obj_any
nat (inside,outside) dynamic interface
object network imap4
nat (inside,outside) static interface service tcp imap4 imap4
object network smtp
nat (inside,outside) static interface service tcp smtp smtp
object network pop3
nat (inside,outside) static interface service tcp pop3 pop3
object network security1
nat (inside,outside) static interface service tcp 3333 3333
object network security2
nat (inside,outside) static interface service tcp 3000 3000
object network 993
nat (inside,outside) static interface service tcp 993 993
object network 995
nat (inside,outside) static interface service tcp 995 995
object network smtps
nat (inside,outside) static interface service tcp 587 587
object network http
nat (inside,outside) static interface service tcp www www
object network 465
nat (inside,outside) static interface service tcp 465 465
object network imapudp
nat (inside,outside) static interface service udp 143 143
object network imapssl
nat (inside,outside) static interface service tcp 585 585
object network 993udp
nat (inside,outside) static interface service udp 993 993
object network 587udp
nat (inside,outside) static interface service udp 587 587
object network bes
nat (inside,outside) static interface service tcp domain domain
object network besudp
nat (inside,outside) static interface service udp domain domain
object network 3101bes
nat (any,outside) static interface service tcp 3101 3101
object network 465udp
nat (inside,outside) static interface service udp 465 465
object network RDP-3391
nat (any,outside) static interface service tcp 3389 3391
object network HYLBKP1
nat (any,outside) static interface service tcp 3389 3392
object network Exchange_OWA_Private
nat (inside,outside) static interface service tcp https https
I feel the issue can be resolved by adding an ACL to the firewall; however, when I added the lines below to the firewall and deleted the NAT object policy for SMTP, we could not receive any email.
access-list outside_access_in extended permit tcp 84.xxx.xxx.xxx 255.255.255.128 host 192.168.xxx.xxx eq smtp
access-list outside_access_in extended permit tcp 82.xxx.xxx.xxx 255.255.255.224 host 192.168.xxx.xxx eq smtp
Any help or guidance on this would be greatly appreciated, as we are being bombarded with SPAM currently and require this lockdown quite urgently.
Kind regards
Paul
03-07-2014 06:46 AM
You still need the NAT entry to map port 25 (smtp) to your internal host and then add the access-list entry on your outside interface like you had mentioned. You will want to make sure you remove any entries from the access-list that would permit any any eq smtp.
Overall configuration would look something like this:
object network smtp
host 192.168.x.x
nat (inside,outside) static interface service tcp smtp smtp
access-list outside_access_in extended permit tcp 84.xxx.xxx.xxx 255.255.255.128 host 192.168.xxx.xxx eq smtp
access-list outside_access_in extended permit tcp 82.xxx.xxx.xxx 255.255.255.224 host 192.168.xxx.xxx eq smtp
access-group outside_access_in in interface outside
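To make the reply's point concrete, the following added Python example (not part of the thread, and not Cisco code) models how the ASA evaluates the outside_access_in list: first match wins, the masks are subnet masks rather than IOS-style wildcard masks, and every list ends with an implicit deny. The addresses are constructed stand-ins for the masked 84.xxx / 82.xxx / 192.168.xxx values in the posts; the destination is written as the real inside host, as the reply does, since ASA 8.3 and later match the untranslated address in interface ACLs. A third, deliberately broad "any" entry is included so the helper that flags open-to-the-world SMTP entries has something to find.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample ACL standing in for the masked addresses in the thread.
# The trailing "any" line is the kind of broad entry the reply says to remove.
ACL_LINES = [
    "access-list outside_access_in extended permit tcp 84.203.1.0 255.255.255.128 host 192.168.10.5 eq smtp",
    "access-list outside_access_in extended permit tcp 82.16.40.32 255.255.255.224 host 192.168.10.5 eq smtp",
    "access-list outside_access_in extended permit tcp any host 192.168.10.5 eq smtp",
]

# ASA service keywords seen in the thread, mapped to port numbers.
PORT_NAMES = {"smtp": 25, "www": 80, "https": 443, "pop3": 110, "imap4": 143, "domain": 53}


@dataclass
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: int


def _parse_addr(tok, i):
    """Parse one ASA address spec starting at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    # ASA extended ACLs take a subnet mask (255.255.255.128), not a wildcard mask.
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def parse_ace(line):
    """Parse 'access-list NAME extended ACTION PROTO SRC DST eq PORT' into an Ace."""
    tok = line.split()
    if tok[0] != "access-list" or tok[2] != "extended":
        raise ValueError(f"not an extended ACE: {line}")
    action, proto = tok[3], tok[4]
    src, i = _parse_addr(tok, 5)
    dst, i = _parse_addr(tok, i)
    if tok[i] != "eq":
        raise ValueError(f"only the 'eq PORT' operator is handled: {line}")
    port = tok[i + 1]
    return Ace(action, proto, src, dst, PORT_NAMES.get(port) or int(port))


def evaluate(aces, proto, src_ip, dst_ip, dport):
    """First-match evaluation; anything unmatched hits the ASA's implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in aces:
        if ace.proto == proto and src in ace.src and dst in ace.dst and ace.dport == dport:
            return ace.action
    return "deny"


def open_smtp_entries(aces):
    """Return permit entries for TCP/25 from any source; these defeat the lockdown."""
    return [a for a in aces if a.action == "permit" and a.dport == 25 and a.src.prefixlen == 0]


def locked_down(aces):
    """The same list with the open-to-the-world SMTP entries removed."""
    broad = open_smtp_entries(aces)
    return [a for a in aces if a not in broad]


def main():
    aces = [parse_ace(line) for line in ACL_LINES]
    print("broad SMTP entries to remove:", len(open_smtp_entries(aces)))
    locked = locked_down(aces)
    for src in ("84.203.1.100", "84.203.1.200", "82.16.40.40", "203.0.113.9"):
        print(f"{src} -> before: {evaluate(aces, 'tcp', src, '192.168.10.5', 25)}"
              f"  after: {evaluate(locked, 'tcp', src, '192.168.10.5', 25)}")


if __name__ == "__main__":
    main()
```

Running it shows that while the broad entry is present every source reaches port 25, and that once it is removed only hosts inside the two permitted ranges get through; a source such as 84.203.1.200 falls outside the /25 (255.255.255.128) range and is denied, which is the behaviour the thread is after.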