Pix firewall

Answered Question
Apr 1st, 2008

In my PIX 515E there is an access-list entry: access-list out_acl permit tcp any host 69.67.67.100 eq smtp

(69.67.67.100 is the public IP address of the mail server.)

Do I need this? Can somebody explain to me what this access-list is doing?

Why should I want any host to access my mail server through SMTP?

Thanks


This ACE permits all incoming traffic on port 25 (SMTP) from the mentioned IP address.

It's the typical ACE if you have an active mail server/service on your site.

Generally, it is not sufficient: you should also have a static route (like: static (inside,outside) tcp 69.67.67.100 25 192.168.1.10 25 netmask 255.255.255.255, that is a PAT) or (static (inside,outside) 69.67.67.100 192.168.1.10 netmask 255.255.255.255, that is a NAT); this assumes that your mail server is on IP 192.168.1.10. The first STATIC routes the incoming traffic on port 25 (SMTP) to your server (192.168.1.10) on the same port; the second STATIC command routes all incoming traffic on all ports to your IP 192.168.1.10.

Finally, the ACE you showed should also be enabled with the related ACCESS-GROUP command (e.g. access-group out_acl in interface outside).

I hope this helps

Regards

Correct Answer

Sorry, I'll try to explain better:

That is the typical configuration to allow your server to exchange mail directly with the Internet; let's assume your mail server answers for the "MyDomain.com" domain and you want it to be able to receive mail directly from the Internet; you have to activate a public DNS MX record, a "public route", to make your mail server public.

Then the Internet knows that to deliver mail to your mail server it has to contact the public IP address of your server (which is using a private (or DMZ) IP address).

Thanks to the mentioned ACL, static and access-list, you allow the incoming traffic on port 25 (SMTP, Simple Mail Transfer Protocol) to exchange mail with your server.

So, if you want the "Internet" to be able to contact your email server, you need this ACL; it allows "any" because "any host" (anyone) can send mail to your server. If you have a smarthost to exchange mail, you can replace "any" with the smarthost server's IP address.

I hope it can be helpful.

Regards

Giorgio
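The pieces named in the two replies above (a static for the public address, the permit ACE, and the access-group that binds the ACL inbound on outside), together with the option of narrowing "any" to a smarthost address, can be checked mechanically against a configuration. The following script is an added example, not code from this thread or from Cisco: it parses a PIX 6.x-style configuration fragment and reports whether tcp/25 to the public address is translated, whether the ACL is applied inbound on outside, and which source networks the ACL lets through, with warnings for a one-to-one static (every port of the inside host reaches the ACL) and for permits not limited to tcp/25. The two sample configurations, the inside address 192.168.1.10 taken from the reply above, and the smarthost address 203.0.113.5 are constructed for illustration; the parser covers only the access-list, static and access-group forms used in this thread.

```python
"""Audit a PIX 6.x-style config for a published SMTP service: a static for the public
IP, an ACE permitting tcp/25 to it, the ACL bound inbound on 'outside', and which
sources get through. Added example, not from the thread or Cisco; configs are constructed."""
import ipaddress

SERVICE_PORTS = {"smtp": 25, "www": 80, "https": 443}  # PIX accepts names for ports
ANY = ipaddress.ip_network("0.0.0.0/0")

def _port(token):
    """'25' -> 25, 'smtp' -> 25; an unknown name raises KeyError rather than matching all."""
    return int(token) if token.isdigit() else SERVICE_PORTS[token]

def _addr(t, i):
    """Consume 'any', 'host A' or 'A MASK' at t[i]; return (network, next index)."""
    if t[i] == "any":
        return ANY, i + 1
    spec = t[i + 1] + "/32" if t[i] == "host" else f"{t[i]}/{t[i + 1]}"
    return ipaddress.ip_network(spec, strict=False), i + 2

def parse_ace(line):
    """'access-list NAME permit|deny PROTO SRC [eq P] DST [eq P]'; None for remark lines."""
    t = line.split()
    if t[2] not in ("permit", "deny"):
        return None
    src, i = _addr(t, 4)
    if t[i] == "eq":  # optional source-port operator, irrelevant to this audit
        i += 2
    dst, i = _addr(t, i)
    port = _port(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return {"acl": t[1], "action": t[2], "proto": t[3], "src": src, "dst": dst, "port": port}

def parse_static(line):
    """'static (in,out) tcp MIP MPORT RIP RPORT ...' (PAT) or 'static (in,out) MIP RIP ...' (NAT)."""
    t = line.split()
    real_if, mapped_if = t[1].strip("()").split(",")
    if t[2] in ("tcp", "udp"):  # port-level static: only this one port is translated
        return real_if, mapped_if, t[2], t[3], _port(t[4]), t[5]
    return real_if, mapped_if, "ip", t[2], None, t[3]  # one-to-one: every port reachable

def parse_config(text):
    aces, statics, groups = [], [], {}
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("access-list ") and (ace := parse_ace(line)):
            aces.append(ace)
        elif line.startswith("static "):
            statics.append(parse_static(line))
        elif line.startswith("access-group "):  # access-group NAME in|out interface IFACE
            _, name, direction, _, iface = line.split()
            groups[(iface, direction)] = name
    return aces, statics, groups

def audit_published_service(config_text, mapped_ip, port=25, outside="outside", inside="inside"):
    aces, statics, groups = parse_config(config_text)
    ip = ipaddress.ip_address(mapped_ip)
    report = {"static_ok": False, "real_ip": None, "acl_applied": False,
              "permitting_sources": [], "open_to_internet": False, "warnings": []}
    # 1. Translation: without a static, nothing behind the firewall owns the public IP.
    for real_if, mapped_if, proto, mip, mport, rip in statics:
        if (real_if, mapped_if, mip) != (inside, outside, mapped_ip) or proto == "udp":
            continue
        if mport in (None, port):
            report["static_ok"], report["real_ip"] = True, rip
            if proto == "ip":
                report["warnings"].append(f"static exposes every port of {rip}; only the ACL limits it")
            break
    # 2. Binding: an ACE does nothing until access-group applies its ACL to an interface.
    acl = groups.get((outside, "in"))
    if acl is None:
        report["warnings"].append(f"no access-group applied inbound on {outside}")
        return report
    report["acl_applied"] = True
    # 3. Walk the ACL in order (first match wins) and collect the sources let through.
    for ace in (a for a in aces if a["acl"] == acl and a["proto"] in ("ip", "tcp")
                and ip in a["dst"] and a["port"] in (None, port)):
        if ace["action"] == "deny":
            if ace["src"] == ANY:
                break  # nothing after a matching 'deny ... any' is reachable
            continue  # narrower denies are ignored by this simplified walk
        report["permitting_sources"].append(str(ace["src"]))
        report["open_to_internet"] |= ace["src"] == ANY
        if ace["proto"] == "ip" or ace["port"] is None:
            report["warnings"].append(f"ACE from {ace['src']} is not limited to tcp/{port}")
    return report

# Constructed sample: the thread's mail server, 69.67.67.100 -> 192.168.1.10, as a static PAT.
INTERNET_CONFIG = """
static (inside,outside) tcp 69.67.67.100 25 192.168.1.10 25 netmask 255.255.255.255
access-list out_acl permit tcp any host 69.67.67.100 eq smtp
access-list out_acl deny ip any any
access-group out_acl in interface outside
"""
# Constructed variant: one-to-one static, and only a smarthost (203.0.113.5) may deliver.
SMARTHOST_CONFIG = """
static (inside,outside) 69.67.67.100 192.168.1.10 netmask 255.255.255.255
access-list out_acl permit tcp host 203.0.113.5 host 69.67.67.100 eq smtp
access-list out_acl deny ip any any
access-group out_acl in interface outside
"""
```

Calling audit_published_service(INTERNET_CONFIG, "69.67.67.100") reports the static and the ACL binding as present and a single permitting source of 0.0.0.0/0, which is exactly the "any host can send mail to your server" situation the question asks about. With SMARTHOST_CONFIG the permitting source shrinks to 203.0.113.5/32 and open_to_internet is False, which is the effect of replacing "any" with the smarthost's address; the one-to-one static in that variant also draws a warning, because with a full NAT only the ACL keeps the server's other ports off the Internet. Commenting out the access-group line shows why the reply insists on it: the ACE is still in the config, but nothing is permitted because the ACL is not applied to any interface.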
