Restricting outbound email traffic on PIX 515

smiths@prpa.org
Level 1

Hi Folks,

This has been asked before, but I need to ensure that only one specific system is allowed to send email out of our network. It's been some time since I've messed with ACLs and I recall that you can have only one ACL list per interface.

I have the following already on our primary PIX:

access-group acl_outside_in in interface outside

access-group acl_outside_in in interface inside

access-group acl_outside_in in interface control

access-group acl_outside_in in interface DMZ

I'd like to add:

access-list acl_out permit tcp host emailserver any eq 25

access-list acl_out deny tcp any any eq 25

So I suspect I need to setup...

access-group acl_inside_out out interface inside

Am I on the right track?

Thanks,

~Steve

9 Replies

Jon Marshall
Hall of Fame

Steve

You can have one ACL per direction per interface on PIX v7.x software and above.

If you are restricting e-mail from one internal host to the outside why not just add it to acl_outside_in acl ?

Jon

Jon,

Yup, just reviewed that very issue. Isn't it the case that on the PIX we have to remove the ACL and then re-add it? You can't simply add the necessary lines, otherwise you get the deny any any by default, correct?

This is what I was thinking of...

access-list acl_inside_in permit tcp host emailserver any eq smtp

access-list acl_inside_in deny tcp any any eq smtp

access-list acl_inside_in permit ip any any

~Steve

Steve

You should be able to insert lines on a PIX access-list. Do a "sh access-list acl_inside_in" and it should give you line numbers, and then you can just add your lines with the line number where you want to insert the lines.

Your acl looks fine to me.

Jon

Many thanks. I'll give 'er a try.

~Steve

All I have there is an access-list acl_inside_in line 1 permit any any.

I don't think we have that access-group applied to an interface.

~Steve

Okay then, just create a new acl using what you had in your previous post and then apply it. Make sure you have the "permit ip any any" at the end though :-)

Jon

Jon,

We're running v6.3 here and I don't see/understand how to insert these statements.

~Steve

Steve

Apologies, I thought because you hadn't applied the ACL to an interface you were just going to create a new access-list?

If not, taking your previous example, you have -

access-list acl_inside_in line 1 permit any any

so

pix(config)# access-list acl_inside_in line 1 deny tcp any any eq smtp

pix(config)# access-list acl_inside_in line 1 permit tcp host emailserver any eq smtp

then a "sh run access-list acl_inside" should show

access-list acl_inside_in line 1 permit tcp host emailserver any eq smtp

access-list acl_inside_in line 2 deny tcp any any eq smtp

access-list acl_inside_in line 3 permit any any

Jon
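A quick way to sanity-check the ordering Jon describes, as an added example that is not from this thread: a small Python first-match simulator of the PIX access-list. The mail host address, the `line N` insert semantics and the implicit deny at the end are assumptions of the simulator, not output from a real PIX.

```python
# Added example (not from the thread): first-match simulation of the
# acl_inside_in list built in Jon's post, to confirm that entering both
# rules at "line 1" yields permit-mailhost / deny-smtp / permit-all.
from dataclasses import dataclass, field
from typing import List, Optional

MAIL_SERVER = "10.0.0.25"   # constructed stand-in for "host emailserver"


@dataclass
class Ace:
    action: str           # "permit" or "deny"
    proto: str            # "ip" or "tcp"
    src: str              # host address or "any"
    dport: Optional[int]  # destination port, None = any port

    def matches(self, proto: str, src: str, dport: int) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if self.src != "any" and self.src != src:
            return False
        return self.dport is None or self.dport == dport


@dataclass
class AccessList:
    name: str
    aces: List[Ace] = field(default_factory=list)

    def insert(self, line: int, ace: Ace) -> None:
        # Assumed 'access-list NAME line N ...' semantics: the new entry
        # becomes line N and the old line N onwards shift down by one.
        self.aces.insert(line - 1, ace)

    def lookup(self, proto: str, src: str, dport: int) -> str:
        # First matching entry wins; no match falls through to implicit deny.
        for ace in self.aces:
            if ace.matches(proto, src, dport):
                return ace.action
        return "deny"


def build_acl() -> AccessList:
    acl = AccessList("acl_inside_in", [Ace("permit", "ip", "any", None)])
    acl.insert(1, Ace("deny", "tcp", "any", 25))          # Jon's first command
    acl.insert(1, Ace("permit", "tcp", MAIL_SERVER, 25))  # second, also "line 1"
    return acl


def show_access_list(acl: AccessList) -> List[str]:
    # Render the entries with the numbering 'sh run access-list' would show.
    return [f"{acl.name} line {i} {a.action} {a.proto} {a.src} any"
            + (f" eq {a.dport}" if a.dport is not None else "")
            for i, a in enumerate(acl.aces, start=1)]
```

Swapping the two insert commands (or inserting the permit at line 2) would put the deny first and block the mail server too, which is exactly what `lookup` lets you check before touching the firewall.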

Jon,

Most kind of you. Many thanks! This should do the trick. Hopefully we don't see any unanticipated effects, but we can remove this list quickly if there are any problems.

~Steve
