01-11-2006 12:15 PM - edited 03-09-2019 01:35 PM
We have a Cisco pix 515e that was installed about a year ago by vendor. They configured it and we have had no problems with it, love it.
SPAM got to 20K per day and we decided to move Antivirus and Spam filtering offsite to Gateway Defender, let them deal with it. Changed MX records and SPAM dropped way down. Gateway Defender support says I can configure the PIX to only accept SMTP traffic from their servers and further reduce SPAM. They said tell the PIX to let in SMTP traffic from 207.180.209.0/24 and 209.153.138.0/24. I understand what they are saying but I have no idea what I'm doing so I need some serious help with this. I was able to figure out how to get into the PIX and look at the setup but that's about it. I would have called the company that installed it but they got blown away by Katrina.
Any help would be greatly appreciated.
01-11-2006 05:17 PM
Hello,
Posting your current config (except security relevant data) would help to understand what can/should be done.
Regards
Martin
Maybe reading "Configuring the PIX Firewall with Mail Server Access on Inside Network"
helps you. In the example every internet mail server is allowed to connect to the internal server. You can modify this to achieve your goal by configuring
access-list smtp permit tcp 207.180.209.0 0.0.0.255 host 1.2.3.4 eq smtp
access-list smtp permit tcp 209.153.138.0 0.0.0.255 host 1.2.3.4 eq smtp
Replace 1.2.3.4 with your mail server's IP address.
Hope this helps! Please rate all posts
01-12-2006 03:11 AM
Just a bit of an add-on.
With the current config, there should be:
access-list inbound permit tcp any host
To permit traffic from the vendor servers only:
no access-list inbound permit tcp any host
access-list inbound permit tcp host
access-list inbound permit tcp host
...
access-list inbound permit tcp host
01-12-2006 08:25 AM
Here's the current configuration (just the important stuff)
PIX Version 6.3(3)
interface ethernet0 10baset
interface ethernet1 100basetx
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
nameif ethernet5 intf5 security10
hostname xxxxxxxx
domain-name xxxxxxxxxx
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name xxx.xxx.xxx.20 outside
name yyy.yyy.yyy.20 inside
access-list compiled
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 100 permit gre any host xxx.xxx.xxx.23
access-list 100 permit tcp any host xxx.xxx.xxx.23 eq pptp
access-list 100 permit tcp any host xxx.xxx.xxx.24 eq 3389
access-list 100 permit tcp any host xxx.xxx.xxx.22 eq smtp
pager lines 24
logging on
logging queue 1024
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside outside 255.255.255.240
ip address inside inside 255.255.0.0
no ip address intf2
no ip address intf3
no ip address intf4
no ip address intf5
ip verify reverse-path interface outside
ip audit name Outside_attack attack action alarm drop
ip audit interface outside Outside_attack
ip audit info action alarm
ip audit attack action alarm drop
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
no failover ip address intf3
no failover ip address intf4
no failover ip address intf5
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 dns 0 0
static (inside,outside) xxx.xxx.xxx.24 yyy.yyy.yyy.24 dns netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.22 yyy.yyy.yyy.22 dns netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.23 yyy.yyy.yyy.23 dns netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.21 yyy.yyy.yyy.21 dns netmask 255.255.255.255 0 0
access-group 100 in interface outside
When I attempted to change the configuration as suggested (access-list 100 permit tcp 207.180.209.0 0.0.0.255 host 69.58.65.22 eq smtp) I received an error message that reads: "ERROR: Source address,mask doesn't pair"
Sorry to be a pain in the a$$.
Does everything look okay with this configuration?
Thanks again for the help.
01-12-2006 11:37 AM
Your changes will go something like this:
no access-list 100 permit tcp any host 69.58.65.22 eq smtp
access-list 100 permit tcp 207.180.209.0 255.255.255.0 host 69.58.65.22 eq smtp
access-list 100 permit tcp 209.153.138.0 255.255.255.0 host 69.58.65.22 eq smtp
hope this helps.
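As an added illustration (not code from this thread or from Cisco), a small Python helper that generates the PIX 6.x lines above from the vendor's ranges, flags the IOS-style wildcard mask that produced the "Source address,mask doesn't pair" error, and replays first-match evaluation to confirm which senders still reach port 25 after the change. The sender ranges and mail server address are the ones quoted in the posts; the function names are my own.

```python
import ipaddress

# Constructed from the thread: the two sender ranges Gateway Defender quoted
# and the mail server's public (static NAT) address from the OP's error message.
SENDER_NETS = ["207.180.209.0/24", "209.153.138.0/24"]
MAIL_SERVER = "69.58.65.22"

def mask_kind(mask):
    """Classify a dotted mask: 'netmask' (ones then zeros, what PIX ACLs take),
    'wildcard' (zeros then ones, IOS ACL style) or 'invalid'."""
    m = int(ipaddress.IPv4Address(mask))
    inv = ~m & 0xFFFFFFFF
    if inv & (inv + 1) == 0:   # 255.255.255.0 -> inverse is 2^8-1
        return "netmask"
    if m & (m + 1) == 0:       # 0.0.0.255 itself is 2^8-1
        return "wildcard"
    return "invalid"

def pix_smtp_acl(acl, sender_nets, mail_server):
    """Emit PIX 6.x lines: drop the 'any' SMTP permit, then one permit per
    sender network written with its subnet mask (never a wildcard)."""
    lines = [f"no access-list {acl} permit tcp any host {mail_server} eq smtp"]
    for net in sender_nets:
        n = ipaddress.IPv4Network(net, strict=True)
        lines.append(f"access-list {acl} permit tcp {n.network_address} "
                     f"{n.netmask} host {mail_server} eq smtp")
    return lines

def smtp_permitted(acl_lines, src_ip, mail_server):
    """Emulate PIX first-match evaluation of the permit lines for TCP/25 to
    the mail server; anything unmatched falls to the implicit deny."""
    src = ipaddress.IPv4Address(src_ip)
    for line in acl_lines:
        tok = line.split()
        if tok[0] != "access-list" or tok[2:4] != ["permit", "tcp"] or tok[-2:] != ["eq", "smtp"]:
            continue
        if tok[4] == "any":                       # source spec: any | host A | A MASK
            src_ok, i = True, 5
        elif tok[4] == "host":
            src_ok, i = src == ipaddress.IPv4Address(tok[5]), 6
        else:
            if mask_kind(tok[5]) != "netmask":    # what the PIX rejected in the thread
                raise ValueError(f"{tok[4]} {tok[5]}: Source address,mask doesn't pair")
            src_ok, i = src in ipaddress.IPv4Network(f"{tok[4]}/{tok[5]}"), 6
        dst_ok = tok[i] == "any" or (tok[i] == "host" and tok[i + 1] == mail_server)
        if src_ok and dst_ok:
            return True
    return False
```

Note that after the "no" line removes the catch-all permit, any relay not in the two ranges falls through to the implicit deny, which is exactly the reduction in direct-to-MX spam the vendor described.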
01-12-2006 11:57 AM
That one got it!
Thanks for all the help and education.