ACL to Protect SMTP (port 25)

scottadamson
Level 1

Good day all.

I would like to confirm some thoughts and see if anyone has any other methods of protecting SMTP traffic to/from specific servers.

We have an SMTP server in a server VLAN (vlan 30) and a number of other devices and the community in vlan 1. Here is my first attempt; could anyone give me a suggestion as to how to do this better?

permit tcp host x.x.x.7 host 10.x.x.24 eq smtp
permit tcp host x.x.x.65 host 10.x.x.24 eq smtp
permit tcp host 10.x.x.25 host 10.x.x.24 eq smtp
permit tcp host x.x.x.238 host 10.x.x.24 eq smtp
permit tcp host x.x.x.240 host 10.x.x.24 eq smtp
permit tcp host x.x.x.6 host 10.x.x.24 eq smtp
permit tcp host 10.x.x.24 any eq smtp
deny tcp any any eq smtp
permit ip any any

10.x.x.24 is the SMTP inbound/outbound server.

This was applied to vlan 30 in.

Thoughts, comments, suggestions?

Thanks

Scott

2 Replies

sachinraja
Level 9

Hello Scott

This is one good way to do this. Are you doing this on the PIX? If so, why don't you try using object-groups? It is much simpler and can scale up to a large number of ACLs.

Do let me know if you need any info on object-groups.

Raj

jmia
Level 7

Hi Scott

I would also agree with Raj, your setup looks good. Again, as Raj mentions, if you have a large amount of ACLs then object-grouping is a better method. Also, is this on a router or PIX?

Jay
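
The object-group approach both replies suggest, written out for the ACL in the original post as an added example (not posted by anyone in the thread). It assumes PIX syntax; the group name and ACL name are hypothetical, and every address is a constructed stand-in for the masked x.x.x.N / 10.x.x.N values above.

```cisco
! Added example, PIX syntax assumed.
! SMTP-ALLOWED-SENDERS and VLAN30-SMTP are hypothetical names.
! 192.0.2.N and 10.0.30.N are constructed stand-ins for the masked
! addresses in the post (10.0.30.24 plays the role of the mail server).
object-group network SMTP-ALLOWED-SENDERS
  description Hosts allowed to open SMTP sessions to the mail server
  network-object host 192.0.2.7
  network-object host 192.0.2.65
  network-object host 10.0.30.25
  network-object host 192.0.2.238
  network-object host 192.0.2.240
  network-object host 192.0.2.6
!
! Same entries, same order as the posted ACL; the six per-host permits
! collapse into one line that references the group.
access-list VLAN30-SMTP remark Listed senders may reach the mail server on tcp/25
access-list VLAN30-SMTP permit tcp object-group SMTP-ALLOWED-SENDERS host 10.0.30.24 eq smtp
access-list VLAN30-SMTP remark Only the mail server may originate SMTP to anywhere
access-list VLAN30-SMTP permit tcp host 10.0.30.24 any eq smtp
access-list VLAN30-SMTP remark Any other SMTP is dropped, all non-SMTP traffic passes
access-list VLAN30-SMTP deny tcp any any eq smtp
access-list VLAN30-SMTP permit ip any any
```

Adding or retiring an allowed sender then means changing one `network-object` line rather than editing the ACL, and `show access-list` lists the expanded per-host entries with hit counts so the result can be checked against the original list.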