restrict SMTP traffic

afish6969
Level 1

We have a Cisco PIX 515E that was installed about a year ago by a vendor. They configured it and we have had no problems with it, love it.

SPAM got to 20K per day and we decided to move Antivirus and Spam filtering offsite to Gateway Defender, let them deal with it. Changed MX records and SPAM dropped way down. Gateway Defender support says I can configure the PIX to only accept SMTP traffic from their servers and further reduce SPAM. They said tell the PIX to let in SMTP traffic from 207.180.209.0/24 and 209.153.138.0/24. I understand what they are saying but I have no idea what I'm doing, so I need some serious help with this. I was able to figure out how to get into the PIX and look at the setup, but that's about it. I would have called the company that installed it, but they got blown away by Katrina.

Any help would be greatly appreciated.

5 Replies

mheusinger
Level 10

Hello,

Posting your current config (except security-relevant data) would help to understand what can/should be done.

Regards

Martin

Maybe reading "Configuring the PIX Firewall with Mail Server Access on Inside Network"

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094466.shtml

helps you. In the example, every Internet mail server is allowed to connect to the internal server. You can modify this to achieve your goal by configuring

access-list smtp permit tcp 207.180.209.0 255.255.255.0 host 1.2.3.4 eq smtp

access-list smtp permit tcp 209.153.138.0 255.255.255.0 host 1.2.3.4 eq smtp

Replace 1.2.3.4 with your mail server's IP address. (Note that the PIX takes a subnet mask such as 255.255.255.0 here, not the IOS-style wildcard mask 0.0.0.255.)

Hope this helps! Please rate all posts.

Just a bit of an add-on.

with the current config, there should be:

access-list inbound permit tcp any host <mail-server-ip> eq smtp

to permit traffic from the vendor servers only:

no access-list inbound permit tcp any host <mail-server-ip> eq smtp

access-list inbound permit tcp host <vendor-server-ip> host <mail-server-ip> eq smtp

access-list inbound permit tcp host <vendor-server-ip> host <mail-server-ip> eq smtp

...

access-list inbound permit tcp host <vendor-server-ip> host <mail-server-ip> eq smtp

Here's the current configuration (just the important stuff)

PIX Version 6.3(3)

interface ethernet0 10baset

interface ethernet1 100basetx

interface ethernet2 auto shutdown

interface ethernet3 auto shutdown

interface ethernet4 auto shutdown

interface ethernet5 auto shutdown

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 intf2 security4

nameif ethernet3 intf3 security6

nameif ethernet4 intf4 security8

nameif ethernet5 intf5 security10

hostname xxxxxxxx

domain-name xxxxxxxxxx

clock timezone CST -6

clock summer-time CDT recurring

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol ils 389

fixup protocol pptp 1723

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

no fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

name xxx.xxx.xxx.20 outside

name yyy.yyy.yyy.20 inside

access-list compiled

access-list 100 permit icmp any any echo-reply

access-list 100 permit icmp any any time-exceeded

access-list 100 permit icmp any any unreachable

access-list 100 permit gre any host xxx.xxx.xxx.23

access-list 100 permit tcp any host xxx.xxx.xxx.23 eq pptp

access-list 100 permit tcp any host xxx.xxx.xxx.24 eq 3389

access-list 100 permit tcp any host xxx.xxx.xxx.22 eq smtp

pager lines 24

logging on

logging queue 1024

mtu outside 1500

mtu inside 1500

mtu intf2 1500

mtu intf3 1500

mtu intf4 1500

mtu intf5 1500

ip address outside outside 255.255.255.240

ip address inside inside 255.255.0.0

no ip address intf2

no ip address intf3

no ip address intf4

no ip address intf5

ip verify reverse-path interface outside

ip audit name Outside_attack attack action alarm drop

ip audit interface outside Outside_attack

ip audit info action alarm

ip audit attack action alarm drop

no failover

failover timeout 0:00:00

failover poll 15

no failover ip address outside

no failover ip address inside

no failover ip address intf2

no failover ip address intf3

no failover ip address intf4

no failover ip address intf5

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 dns 0 0

static (inside,outside) xxx.xxx.xxx.24 yyy.yyy.yyy.24 dns netmask 255.255.255.255 0 0

static (inside,outside) xxx.xxx.xxx.22 yyy.yyy.yyy.22 dns netmask 255.255.255.255 0 0

static (inside,outside) xxx.xxx.xxx.23 yyy.yyy.yyy.23 dns netmask 255.255.255.255 0 0

static (inside,outside) xxx.xxx.xxx.21 yyy.yyy.yyy.21 dns netmask 255.255.255.255 0 0

access-group 100 in interface outside

When I attempted to change the configuration as suggested (access-list 100 permit tcp 207.180.209.0 0.0.0.255 host 69.58.65.22 eq smtp) I received an error message that reads: "ERROR: Source address,mask doesn't pair"

Sorry to be a pain in the a$$.

Does everything look okay with this configuration?

Thanks again for the help.

Your changes will go something like this:

no access-list 100 permit tcp any host 69.58.65.22 eq smtp

access-list 100 permit tcp 207.180.209.0 255.255.255.0 host 69.58.65.22 eq smtp

access-list 100 permit tcp 209.153.138.0 255.255.255.0 host 69.58.65.22 eq smtp

Hope this helps.
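The fix in the reply above (a subnet mask rather than an IOS wildcard mask, and an ACL that permits SMTP only from the vendor ranges) as an added Python example that is not part of the original thread: it generates the PIX 6.3 commands, shows why `0.0.0.255` produces "Source address,mask doesn't pair", and simulates the first-match evaluation of access-list 100 before and after the change. The vendor ranges, the mail server address 69.58.65.22 and ACL number 100 are taken from the thread; the sample source addresses, the helper names and the small ACE parser are constructed for illustration and are not PIX code.

```python
"""Generate and sanity-check PIX 6.3 ACL entries that restrict inbound SMTP.

Added example, not from the thread or from Cisco. It models only the subset
of access-list syntax used in the thread (tcp, any/host/network+mask, eq port).
"""
import ipaddress

# Inputs taken from the thread: Gateway Defender's two /24 ranges, the mail
# server's public (static-translated) address, and the ACL applied
# "in interface outside".
VENDOR_RANGES = ["207.180.209.0/24", "209.153.138.0/24"]
MAIL_SERVER = "69.58.65.22"
ACL_NAME = "100"

# Port keywords the PIX accepts in place of numbers (subset, for this example).
PORT_NAMES = {"smtp": 25, "pptp": 1723, "www": 80}


def wildcard_to_subnet(wildcard: str) -> str:
    """IOS wildcard mask (0.0.0.255) -> PIX subnet mask (255.255.255.0)."""
    w = int(ipaddress.IPv4Address(wildcard))
    return str(ipaddress.IPv4Address(w ^ 0xFFFFFFFF))


def address_mask_pair(address: str, mask: str) -> bool:
    """True when no address bit lies outside the mask.

    The PIX rejects an entry that fails this check with
    'ERROR: Source address,mask doesn't pair', which is exactly what happens
    when an IOS wildcard is typed where a subnet mask belongs.
    """
    a = int(ipaddress.IPv4Address(address))
    m = int(ipaddress.IPv4Address(mask))
    return a & m == a


def build_smtp_acl(ranges, mail_server, acl=ACL_NAME):
    """Emit the commands that replace the 'any' SMTP entry with vendor-only ones."""
    lines = [f"no access-list {acl} permit tcp any host {mail_server} eq smtp"]
    for cidr in ranges:
        net = ipaddress.IPv4Network(cidr, strict=True)
        addr, mask = str(net.network_address), str(net.netmask)
        if not address_mask_pair(addr, mask):  # guard against a typed wildcard
            raise ValueError(f"{addr} {mask} doesn't pair")
        lines.append(
            f"access-list {acl} permit tcp {addr} {mask} host {mail_server} eq smtp"
        )
    return lines


def _parse_endpoint(tokens):
    """Consume one endpoint: 'any' | 'host A' | 'A MASK'. Returns (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.IPv4Network(f"{tokens[0]}/{tokens[1]}", strict=True), tokens[2:]


def parse_ace(line):
    """Parse 'access-list N permit|deny tcp SRC DST [eq PORT]' into a dict."""
    t = line.split()
    if t[0] != "access-list" or t[3] != "tcp":
        raise ValueError(f"unsupported ACE: {line}")
    src, rest = _parse_endpoint(t[4:])
    dst, rest = _parse_endpoint(rest)
    port = None
    if rest[:1] == ["eq"]:
        port = PORT_NAMES.get(rest[1]) or int(rest[1])
    return {"action": t[2], "src": src, "dst": dst, "dport": port}


def apply_commands(acl_lines, commands):
    """Apply 'no access-list ...' removals and plain appends in order."""
    acl = list(acl_lines)
    for cmd in commands:
        if cmd.startswith("no "):
            acl.remove(cmd[3:])  # ValueError if the entry is not present
        else:
            acl.append(cmd)
    return acl


def permitted(acl_lines, src_ip, dst_ip, dport):
    """First-match evaluation with the implicit deny at the end of the ACL."""
    src = ipaddress.IPv4Address(src_ip)
    dst = ipaddress.IPv4Address(dst_ip)
    for ace in map(parse_ace, acl_lines):
        if src in ace["src"] and dst in ace["dst"] and ace["dport"] in (None, dport):
            return ace["action"] == "permit"
    return False


if __name__ == "__main__":
    # Constructed 'before' state: the SMTP entry of the posted access-list 100.
    before = [f"access-list 100 permit tcp any host {MAIL_SERVER} eq smtp"]
    cmds = build_smtp_acl(VENDOR_RANGES, MAIL_SERVER)
    print("\n".join(cmds))
    after = apply_commands(before, cmds)
    # Constructed sample sources: one per vendor range plus an unrelated host.
    for src in ("207.180.209.10", "209.153.138.5", "198.51.100.7"):
        verdict = "permit" if permitted(after, src, MAIL_SERVER, 25) else "deny"
        print(f"{src} -> {MAIL_SERVER}:25 {verdict}")
```

Two things worth keeping in mind when applying this on the PIX: access-list 100 is bound only `in interface outside`, so mail the server sends out is unaffected; and once the `any` entry is gone, SMTP from any address outside the two vendor ranges falls through to the ACL's implicit deny, so if the filtering vendor changes or adds relay addresses, mail from them is dropped until the ACL is updated.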

That one got it!

Thanks for all the help and education.