cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
697
Views
0
Helpful
5
Replies

How can i block SMTP for all users but email server

pgershkovich
Level 1
Level 1

I cant figure out (1) how can i deny port 25 to all users on network and permit smtp for Exchange server, also I have MS Exchange which runs web and smtp and in my configuration below you can see that it has static mapping to publick ip with http/smtp only, so (2) how can i separate incoming traffic going to one publc IP on outside to to servers on inside ex: (Public ip address of MSexchange is x.x.x.207 -> http = 172.16.2.13, smtp = 172.16.2.14)

Thank you

___________________________________________________

PIX Version 6.3(1)

interface ethernet0 auto

interface ethernet1 auto

nameif ethernet0 outside security0

nameif ethernet1 inside security100

names

name 172.16.4.10 pdc

name 172.168.4.11 llc

name 172.16.4.11 ftp

object-group service email tcp

port-object eq www

port-object eq smtp

object-group service terminal tcp-udp

port-object range 3389 3389

object-group service mw tcp-udp

port-object range 367 367

object-group service radmin tcp

description RemoteAdmin

port-object range 4899 4899

object-group service mw1 tcp

port-object range 367 367

access-list 101 deny tcp any any eq smtp

access-list 101 permit tcp any host x.x.x.251 object-group terminal

access-list 101 permit tcp any host x.x.x.214 object-group radmin

access-list 101 permit tcp any host x.x.x.207 object-group email

access-list 101 permit tcp any host x.x.x.212 object-group mw1

access-list 101 permit tcp any host x.x.x.211 eq ftp

access-list nonat permit ip any 192.168.101.0 255.255.255.240

ip address outside x.x.x.194 255.255.255.192

ip address inside 172.16.2.1 255.255.0.0

ip verify reverse-path interface outside

ip verify reverse-path interface inside

ip audit info action alarm

ip audit attack action alarm drop

ip local pool mypool 192.168.101.1-192.168.101.20

no pdm history enable

arp timeout 14400

global (outside) 10 interface

nat (inside) 0 access-list nonat

nat (inside) 10 0.0.0.0 0.0.0.0 0 0

static (inside,outside) x.x.x.212 172.16.4.12 netmask 255.255.255.255 0 0

static (inside,outside) x.x.x.251 172.16.4.51 netmask 255.255.255.255 0 0

static (inside,outside) x.x.x.214 pdc netmask 255.255.255.255 0 0

static (inside,outside) x.x.x.211 ftp netmask 255.255.255.255 0 0

'REM####################172.16.2.13 is Exchange with Web Outlook servers####

static (inside,outside) x.x.x.207 172.16.2.13 netmask 255.255.255.255 0 0

access-group 101 in interface outside

route outside 0.0.0.0 0.0.0.0 x.x.x.193 1

floodguard enable

sysopt connection permit-pptp

vpdn group PPTP-VPDN-GROUP accept dialin pptp

vpdn group PPTP-VPDN-GROUP ppp authentication pap

vpdn group PPTP-VPDN-GROUP ppp authentication chap

vpdn group PPTP-VPDN-GROUP ppp authentication mschap

vpdn group PPTP-VPDN-GROUP ppp encryption mppe 40

vpdn group PPTP-VPDN-GROUP client configuration address local mypool

vpdn group PPTP-VPDN-GROUP client configuration dns 172.16.2.6 172.16.4.6

vpdn group PPTP-VPDN-GROUP client configuration wins nymc_pdc

vpdn group PPTP-VPDN-GROUP pptp echo 60

vpdn group PPTP-VPDN-GROUP client authentication local

vpdn username ******** password *********

vpdn enable outside

1 Accepted Solution

Accepted Solutions

Here's your problem:

access-group 101 in interface outside

You are binding this access list to your outside interface. This means the rules are applied to traffic coming IN to your network. The implicit ip any any rule is because you haven't bound an access list to your inside interface.

To block users from going OUT, you'll need this:

access-list GOING-OUT permit tcp host exchange_IP any eq smtp

access-list GOING-OUT deny tcp any any eq smtp

access-group GOING-OUT in interface inside

See how this access list is bound to the inside interface... it will affect traffic leaving your network. Note: Once you apply this to the inside interface it will remove the implicit permit any any.

View solution in original post

5 Replies 5

bfl1
Level 1
Level 1

First, if you want to only allow SMTP for one address and not the others, then you can add one line to your access list:

ACCESS-LIST 101 PERMIT TCP host exchange_ip any eq smtp

access-list 101 deny tcp any any eq smtp

access-list 101 permit tcp any host x.x.x.251 object-group terminal

access-list 101 permit tcp any host x.x.x.214 object-group radmin

access-list 101 permit tcp any host x.x.x.207 object-group email

access-list 101 permit tcp any host x.x.x.212 object-group mw1

access-list 101 permit tcp any host x.x.x.211 eq ftp

Put the permit before the "deny tcp any any eq smtp", because as soon as a match is made, it stops reading the access list.

Second: If you want one Public IP address to map to 2 different internal addresses hosting different services, try this:

pix(config)# static (inside,outside) tcp x.x.x.207 http 172.16.2.13 http

pix(config)# static (inside,outside) tcp x.x.x.207 smtp 172.16.2.14 smtp

Now, any HTTP traffic directed to x.x.x.207, will be mapped to 172.16.2.13. Likewise, any SMTP traffic directed to x.x.x.207, will be mapped to 172,.16.2.14.

Hope this helps.

Hey, thank you for your help, but users are still able to use outside smtp, when i login to pix PDM in access rules i have all my access-list 101 going from 1 to 7, but before the first rule, PDM has a no number rule (Implicit outbound rule) basically saying permit ip any any . I cant remove it nor can't find in CLI

Here's your problem:

access-group 101 in interface outside

You are binding this access list to your outside interface. This means the rules are applied to traffic coming IN to your network. The implicit ip any any rule is because you haven't bound an access list to your inside interface.

To block users from going OUT, you'll need this:

access-list GOING-OUT permit tcp host exchange_IP any eq smtp

access-list GOING-OUT deny tcp any any eq smtp

access-group GOING-OUT in interface inside

See how this access list is bound to the inside interface... it will affect traffic leaving your network. Note: Once you apply this to the inside interface it will remove the implicit permit any any.

Thank You

It worked!!!!

Great!