Allow only port 25 outgoing from exchange

Unanswered Question
Jan 7th, 2008

Hi, we have an ASA5510 in our network. I am trying to block all workstations from connecting on port 25 for sending mail out and to only allow Exchange to send out.. How can I achieve this? I can send the config if someone could help me out here..

adam.sellhorn Mon, 01/07/2008 - 09:51

You will need to create an access-list for your inside interface:

access-list acl_inside extended permit tcp host any eq smtp

access-list acl_inside extended deny tcp any any eq smtp

access-list acl_inside extended permit ip any any

access-group acl_inside in interface inside

I'm assuming your inside interface is named "inside". If it is something different then of course you will need to change that in your access-group command.

srue Mon, 01/07/2008 - 10:05

You're better off applying that ACL outbound on your outside interface. This way, it will not only stop hosts on your inside network, but also your DMZ(s) if you have any of those configured.

kingdomhotels Mon, 01/07/2008 - 10:18

Hi,

OK, here is the config attached. Please tell me the best way, as I have an Exchange server in the DMZ, but this is configured for incoming only; outgoing goes to the backend Exchange and from there straight out of the network..
adam.sellhorn Mon, 01/07/2008 - 10:31

srue has a good point.

I would follow his advice; just create an access-list for your OUTSIDE interface that is outbound:

access-list acl_OUTSIDE_out extended permit tcp host any eq smtp

access-list acl_OUTSIDE_out extended deny tcp any any eq smtp

access-list acl_OUTSIDE_out extended permit ip any any

access-group acl_OUTSIDE_out out interface OUTSIDE

kingdomhotels Mon, 01/07/2008 - 21:43

Hi, I have tried the commands provided, but it seems to stop mail coming into the Exchange server. The commands I placed are the following..

access-list acl_OUTSIDE extended permit tcp host 172.16.1.10 any eq smtp

access-list acl_OUTSIDE extended deny tcp any any eq smtp

no access-list acl_OUTSIDE extended permit tcp any host 80.227.171.243 eq smtp

Here is the current access list that allows all PCs on the network to send out on port 25, which I want to narrow down to only allowing the Exchange server.. Internal Exchange address is 172.16.1.10..

access-list acl_OUTSIDE extended permit esp any host 80.227.171.242

access-list acl_OUTSIDE extended permit udp any host 80.227.171.242 eq isakmp

access-list acl_OUTSIDE extended permit udp any host 80.227.171.242 eq 4500

access-list acl_OUTSIDE extended permit tcp any host 80.227.171.243 eq ftp

access-list acl_OUTSIDE extended permit tcp any host 80.227.171.243 eq https

access-list acl_OUTSIDE extended permit tcp any host 80.227.171.243 eq www

access-list acl_OUTSIDE extended permit tcp any host 80.227.171.244 eq ftp

access-list acl_OUTSIDE extended permit tcp any host 80.227.171.245 eq https

access-list acl_OUTSIDE extended permit tcp any host 80.227.171.243 eq 6001

access-list acl_OUTSIDE extended permit tcp any host 80.227.171.243 eq 6002

access-list acl_OUTSIDE extended permit tcp any host 80.227.171.243 eq 6004

access-list acl_OUTSIDE extended permit tcp any host 80.227.171.243 eq smtp

access-list acl_INSIDE extended permit icmp any any

access-list acl_INSIDE extended permit ip any any

access-list acl_DMZ extended permit ip host 10.0.0.2 any

access-list acl_DMZ extended permit ip host 10.0.0.3 any

access-list NONAT extended permit ip 172.16.1.0 255.255.255.0 172.16.20.0 255.255.255.0

access-list NONAT extended permit ip 172.16.100.0 255.255.255.0 172.16.20.0 255.255.255.0

access-list NONAT extended permit ip 172.16.1.0 255.255.255.0 172.15.1.0 255.255.255.0

access-list OUTSIDE_cryptomap_20 extended permit ip 172.16.1.0 255.255.255.0 172.15.1.0 255.255.255.0

pager lines 24

logging enable

logging buffered debugging

logging asdm informational

mtu OUTSIDE 1500

mtu INSIDE 1500

mtu DMZ 1500

mtu management 1500

ip local pool VPN-POOL 172.16.20.1-172.16.20.50 mask 255.255.255.0

no failover

asdm image disk0:/asdm512.bin

no asdm history enable

arp timeout 14400

nat-control

global (OUTSIDE) 1 interface

global (DMZ) 1 interface

nat (OUTSIDE) 1 172.16.20.0 255.255.255.0

nat (INSIDE) 0 access-list NONAT

nat (INSIDE) 1 0.0.0.0 0.0.0.0

nat (DMZ) 1 10.0.0.0 255.255.255.0

static (DMZ,OUTSIDE) tcp 80.227.171.243 smtp 10.0.0.3 smtp netmask 255.255.255.255

static (INSIDE,OUTSIDE) tcp 80.227.171.243 https 172.16.1.10 https netmask 255.255.255.255

static (DMZ,OUTSIDE) tcp 80.227.171.243 www 10.0.0.3 www netmask 255.255.255.255

static (INSIDE,OUTSIDE) tcp 80.227.171.244 ftp 172.16.1.20 ftp netmask 255.255.255.255

static (INSIDE,OUTSIDE) tcp 80.227.171.243 6001 172.16.1.10 6001 netmask 255.255.255.255

static (INSIDE,OUTSIDE) tcp 80.227.171.243 6002 172.16.1.10 6002 netmask 255.255.255.255

static (INSIDE,OUTSIDE) tcp 80.227.171.243 6004 172.16.1.10 6004 netmask 255.255.255.255

static (INSIDE,OUTSIDE) tcp 80.227.171.246 https 172.16.1.15 https netmask 255.255.255.255

static (INSIDE,DMZ) 172.16.1.0 172.16.1.0 netmask 255.255.255.0

access-group acl_OUTSIDE in interface OUTSIDE

access-group acl_INSIDE in interface INSIDE

access-group acl_DMZ in interface DMZ

adam.sellhorn Tue, 01/08/2008 - 07:49

You don't want to get rid of the following rule as it allows email inbound to your server at 10.0.0.3 from the Internet:

access-list acl_OUTSIDE extended permit tcp any host 80.227.171.243 eq smtp

Also, the outbound SMTP restriction should be in its own ACL that is applied to the OUTSIDE interface outbound. Like so:

access-list acl_outbound extended permit tcp host 172.16.1.10 any eq smtp

access-list acl_outbound extended deny tcp any any eq smtp

access-list acl_outbound extended permit ip any any

access-group acl_outbound out interface OUTSIDE

The following commands are not necessary:

access-list acl_OUTSIDE extended permit tcp host 172.16.1.10 any eq smtp

access-list acl_OUTSIDE extended deny tcp any any eq smtp

because they are applied inbound to the OUTSIDE interface. You should not be receiving traffic from 172.16.1.10 on your OUTSIDE interface.

Hope this helps.

kingdomhotels Tue, 01/08/2008 - 08:21

Hi,

As the access-group is different, how do I now bind that to an interface? I tried to create this group and I could not:

KHI-ASA(config)# access-group acl_outbound out interface OUTSIDE

ERROR: access-list does not exist

adam.sellhorn Tue, 01/08/2008 - 08:33

You will have to create the access-list "acl_outbound", or whatever you decide to name it, first. Then you can bind it to your Outside interface.

access-list permit tcp host any eq smtp

access-list deny tcp any any eq smtp

access-list permit ip any any

access-group out interface OUTSIDE

kingdomhotels Tue, 01/08/2008 - 08:43

I have managed to create the access-group and applied it now; the mail can come into the network, but it is not going out of the network..

adam.sellhorn Tue, 01/08/2008 - 08:54

Does your Exchange server push email to 10.0.0.3 to be relayed outbound? I believe right now you are allowing only your Exchange server to send email outside your network. It may need to change so that 10.0.0.3 is allowed outbound smtp traffic.

kingdomhotels Tue, 01/08/2008 - 09:02

No, the Exchange 10.0.0.3 does not relay out; it's in the DMZ, so it is only for mail coming in.. The backend Exchange 172.16.1.10 sends directly out of the network..

adam.sellhorn Tue, 01/08/2008 - 09:12

Try setting up logging on your ASA for the outbound acl:

access-list deny ip any any log

logging buffered

then try and send some email and watch the log by using the "show log" command. This might tell us why email is not going out anymore.

kingdomhotels Wed, 01/09/2008 - 02:25

Hi,

I will make the changes as per your advice and description. As the firewall is stateful, I need to know whether the access lists below would be in the correct order for the exercise..

Also, referring to the Exchange address, I am presuming we are talking about the public one, not the internal, as that would be useless. Am I right?

access-list acl_OUTSIDE extended permit esp any host 80.x.x.242

access-list acl_OUTSIDE extended permit udp any host 80.x.x.242 eq isakmp

access-list acl_OUTSIDE extended permit udp any host 80.x.x.242 eq 4500

access-list acl_OUTSIDE extended permit tcp any host 80.x.x.243 eq ftp

access-list acl_OUTSIDE extended permit tcp any host 80.x.x.243 eq https

access-list acl_OUTSIDE extended permit tcp any host 80.x.x.243 eq www

access-list acl_OUTSIDE extended permit tcp any host 80.x.x.244 eq ftp

access-list acl_OUTSIDE extended permit tcp any host 80.x.x.245 eq https

access-list acl_OUTSIDE extended permit tcp any host 80.x.x.243 eq 6001

access-list acl_OUTSIDE extended permit tcp any host 80.x.x.243 eq 6002

access-list acl_OUTSIDE extended permit tcp any host 80.x.x.243 eq 6004

access-list acl_OUTSIDE extended permit tcp any host 80.x.x.243 eq smtp

access-list acl_INSIDE extended permit tcp host 80.x.x.243 any eq smtp

access-list acl_INSIDE extended deny tcp any any eq smtp

access-list acl_INSIDE extended permit icmp any any

access-list acl_INSIDE extended permit ip any any

access-list acl_DMZ extended permit ip host 10.0.0.2 any

access-list acl_DMZ extended permit ip host 10.0.0.3 any

access-list NONAT extended permit ip 172.16.1.0 255.255.255.0 172.16.20.0 255.255.255.0

access-list NONAT extended permit ip 172.16.100.0 255.255.255.0 172.16.20.0 255.255.255.0

access-list NONAT extended permit ip 172.16.1.0 255.255.255.0 172.15.1.0 255.255.255.0

access-list OUTSIDE_cryptomap_20 extended permit ip 172.16.1.0 255.255.255.0 172.15.1.0 255.255.255.0

access-group acl_OUTSIDE in interface OUTSIDE

access-group acl_INSIDE in interface INSIDE

access-group acl_DMZ in interface DMZ

Many thanks for your help on this..

kingdomhotels Wed, 01/09/2008 - 04:43

Hi,

I have finally worked out the placing of the lines and I have placed the following lines, but still any desktop on our network can telnet to port 25 in the public world.. The concept here is not to allow any desktop other than the Exchange server itself.. This is to stop any spyware that may have an SMTP engine on the machine from sending out of our public address..

access-list acl_INSIDE line 1 extended deny tcp any any eq 25

access-list acl_INSIDE line 1 extended permit tcp host any eq 25
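To check the rule ordering discussed in this thread before committing it to the firewall, here is an added Python model of ASA first-match ACL evaluation (example code written for this page, not from the thread or from Cisco). It uses the rules quoted above; the external mail server address is a constructed placeholder, and the model ignores NAT and interface direction, so each ACL is checked only for the traffic that would actually reach it.

```python
import ipaddress

# Constructed first-match model of the ASA extended ACLs in this thread; not ASA code.
# A rule is (action, proto, src, dst, dst_port). "any" matches every address, a
# single address stands for "host X", and None means any destination port.

def _addr_matches(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def evaluate(acl, proto, src, dst, dport):
    """Action of the first matching rule; an ASA ACL ends with an implicit deny."""
    for action, r_proto, r_src, r_dst, r_port in acl:
        if r_proto not in ("ip", proto):
            continue
        if not (_addr_matches(r_src, src) and _addr_matches(r_dst, dst)):
            continue
        if r_port is not None and r_port != dport:
            continue
        return action
    return "deny"

def insert_line(acl, n, rule):
    """Mirror 'access-list NAME line N ...': insert rule at 1-based position n."""
    return acl[:n - 1] + [rule] + acl[n - 1:]

EXCHANGE = "172.16.1.10"   # backend Exchange server named in the thread
DMZ_MX = "10.0.0.3"        # inbound-only DMZ server named in the thread
MX_OUT = "198.51.100.25"   # constructed external mail server (documentation range)

# acl_outbound as proposed for 'access-group acl_outbound out interface OUTSIDE'.
acl_outbound = [
    ("permit", "tcp", EXCHANGE, "any", 25),
    ("deny",   "tcp", "any", "any", 25),
    ("permit", "ip",  "any", "any", None),
]

# The same rules with the deny ahead of the permit: Exchange is blocked too.
acl_misordered = [acl_outbound[1], acl_outbound[0], acl_outbound[2]]

# acl_INSIDE from the posted config, then the two 'line 1' commands from the last
# post applied in the order typed (the second pushes the deny down to line 2).
acl_inside = [("permit", "icmp", "any", "any", None), ("permit", "ip", "any", "any", None)]
acl_inside = insert_line(acl_inside, 1, ("deny", "tcp", "any", "any", 25))
acl_inside = insert_line(acl_inside, 1, ("permit", "tcp", EXCHANGE, "any", 25))

def outbound_smtp(acl, src, dport=25):
    """Does 'acl' let 'src' open TCP/dport to the external mail server?"""
    return evaluate(acl, "tcp", src, MX_OUT, dport)

if __name__ == "__main__":
    for name, acl in (("acl_outbound", acl_outbound), ("acl_misordered", acl_misordered)):
        for src in (EXCHANGE, "172.16.1.55", DMZ_MX):
            print(f"{name:15} {src:13} smtp -> {outbound_smtp(acl, src)}")
```

Only the outbound ACL on OUTSIDE sees DMZ traffic, which is why 10.0.0.3 is checked against acl_outbound but not against acl_INSIDE.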

adam.sellhorn Wed, 01/09/2008 - 06:33

I'm sure we are just missing something simple. Would it be possible to post your ASA configuration?
