10-28-2003 09:58 AM - edited 03-09-2019 05:18 AM
I need to configure my PIX 506E to only allow SMTP traffic from certain IP ranges to my mail server. However, I am unsure of the proper method of accomplishing this task. If I put in access lists for each range and nothing else associated with SMTP, would that accomplish the task?
Any help would be great!
Thanks,
Michael Laro
11-01-2003 11:53 AM
One thing that may help is to use "object grouping". With object grouping, you can group networks, protocols, and services (ftp, smtp, etc.). If you have a handful of IP addresses and/or subnets that you want to allow SMTP access to your mail server, you could do it similar to this. Remember, by default NO traffic can come from the internet, through your outside interface, and into your private network. So if you, say, give the following addresses permission, then only they will be allowed and no one else. Here is an example of object grouping.
SMTP Server address: 172.17.1.1
Addresses you want to allow SMTP: 32.18.7.0/24, 204.215.18.0/24, and 113.113.45.1, and 118.55.34.20.
pixfirewall(config)# object-group network MAIL
pixfirewall(config-network)# network-object 32.18.7.0 255.255.255.0
pixfirewall(config-network)# network-object 204.215.18.0 255.255.255.0
pixfirewall(config-network)# network-object host 113.113.45.1
pixfirewall(config-network)# network-object host 118.55.34.20
Now create your access-list:
pixfirewall(config)# access-list COMING-IN permit tcp object-group MAIL host 172.17.1.1 eq smtp
pixfirewall(config)# access-group COMING-IN in interface outside
This will allow the networks and IP addresses you defined in the network group called "MAIL" access to your mail server. Hope this helps.
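To check what the object group and access list above actually let through before pushing them to the firewall, here is an added Python example (not from the thread or from Cisco) that parses the subset of PIX syntax used in the answer and evaluates sample flows against it, including the implicit deny for anything the ACL does not match. The parser and the port-name table are hypothetical and only cover the keywords shown above.

```python
import ipaddress

# Constructed input: the object group and ACL from the answer above, without the prompts.
PIX_CONFIG = """
object-group network MAIL
 network-object 32.18.7.0 255.255.255.0
 network-object 204.215.18.0 255.255.255.0
 network-object host 113.113.45.1
 network-object host 118.55.34.20
access-list COMING-IN permit tcp object-group MAIL host 172.17.1.1 eq smtp
"""
PORT_NAMES = {"smtp": 25, "www": 80, "https": 443}  # hypothetical subset of PIX port names

def parse_addr(tokens, i, groups):
    """Parse one ACL address operand at tokens[i]; return (networks, next index)."""
    if tokens[i] == "object-group":
        return groups[tokens[i + 1]], i + 2
    if tokens[i] == "host":
        return [ipaddress.ip_network(tokens[i + 1])], i + 2
    return [ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}")], i + 2

def parse_config(text):
    """Read the subset of PIX syntax used above into (object_groups, acl_entries)."""
    groups, acl, current = {}, [], None
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "object-group" and t[1] == "network":
            current = groups.setdefault(t[2], [])
        elif t[0] == "network-object":
            current.append(ipaddress.ip_network(t[2] if t[1] == "host" else f"{t[1]}/{t[2]}"))
        elif t[0] == "access-list":  # access-list NAME ACTION PROTO SRC DST [eq PORT]
            src, i = parse_addr(t, 4, groups)
            dst, i = parse_addr(t, i, groups)
            port = int(PORT_NAMES.get(t[i + 1], t[i + 1])) if i < len(t) and t[i] == "eq" else None
            acl.append((t[1], t[2], t[3], src, dst, port))
    return groups, acl

def is_permitted(acl, src_ip, dst_ip, dst_port, proto="tcp"):
    """First matching entry decides; no match at all means the PIX's implicit deny applies."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for _name, action, p, src_nets, dst_nets, port in acl:
        if p not in (proto, "ip") or (port is not None and port != dst_port):
            continue
        if any(src in n for n in src_nets) and any(dst in n for n in dst_nets):
            return action == "permit"
    return False
```

With this, a source inside 32.18.7.0/24 reaching 172.17.1.1 on port 25 is permitted, while the same source on port 80, a source outside the group, or port 25 to any other inside host all fall through to the implicit deny.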
10-28-2003 10:37 PM
Michael,
A couple of things need to be configured for the SMTP access from outside to inside:
static (inside,outside) tcp interface smtp smtp_inside_ip_address smtp
access-list 101 permit tcp network_address mask interface eq smtp
access-group 101 in interface outside
I hope this helps! Thanks,
Mynul
10-31-2003 01:56 PM
Mynul,
Thanks for the information. That is how I currently have my PIX configured now. I would like to allow only SMTP from a few IP ranges. I am not sure of the proper configurations of this.
Thanks