01-21-2009 02:39 PM - edited 03-11-2019 07:40 AM
Hi Folks,
This has been asked before, but I need to ensure that only one specific system is allowed to send email out of our network. It's been some time since I've messed with ACLs, and I recall that you can have only one ACL list per interface.
I have the following already on our primary PIX:
access-group acl_outside_in in interface outside
access-group acl_outside_in in interface inside
access-group acl_outside_in in interface control
access-group acl_outside_in in interface DMZ
I'd like to add:
access-list acl_out permit tcp host emailserver any eq 25
access-list acl_out deny tcp any any eq 25
So I suspect I need to setup...
access-group acl_inside_out out interface inside
Am I on the right track?
Thanks,
~Steve
01-21-2009 02:44 PM
Steve
You can have one ACL per direction per interface on PIX v7.x software and above.
If you are restricting e-mail from one internal host to the outside, why not just add it to the acl_outside_in acl?
Jon
01-21-2009 03:27 PM
Jon,
Yup, just reviewed that very issue. With the PIX we have, don't we need to remove the ACL and then re-add it? You can't simply add the necessary lines, otherwise you get the deny any any by default, correct?
This is what I was thinking of...
access-list acl_inside_in permit tcp host emailserver any eq smtp
access-list acl_inside_in deny tcp any any eq smtp
access-list acl_inside_in permit ip any any
~Steve
01-21-2009 03:31 PM
Steve
You should be able to insert lines on a PIX access-list. Do a "sh access-list acl_inside_in" and it should give you the line numbers, and then you can just add your lines with the line number where you want to insert them.
Your acl looks fine to me.
Jon
01-21-2009 03:33 PM
Many thanks. I'll give 'er a try.
~Steve
01-21-2009 03:35 PM
All I have there is an access-list acl_inside_in line 1 permit any any.
I don't think we have that access-group applied to an interface.
~Steve
01-21-2009 03:38 PM
Okay then, just create a new acl using what you had in your previous post and then apply it. Make sure you have the "permit ip any any" at the end though :-)
Jon
01-22-2009 09:22 AM
Jon,
We're running v6.3 here and I don't see/understand how to insert these statements.
~Steve
01-22-2009 10:00 AM
Steve
Apologies, I thought because you hadn't applied the acl to an interface you were just going to create a new access-list?
If not, taking your previous example, you have -
access-list acl_inside_in line 1 permit any any
so
pix(config)# access-list acl_inside_in line 1 deny tcp any any eq smtp
pix(config)# access-list acl_inside_in line 1 permit tcp host emailserver any eq smtp
then a "sh run access-list acl_inside" should show
access-list acl_inside_in line 1 permit tcp host emailserver any eq smtp
access-list acl_inside_in line 2 deny tcp any any eq smtp
access-list acl_inside_in line 3 permit any any
Jon
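The ordering behaviour Jon relies on above (a "line N" insert lands before the existing line N, and lookups stop at the first matching entry) is easy to get wrong, so here is a small first-match ACL simulator as an added example; it is not from the thread or from Cisco, and "emailserver" is the placeholder host name used in the posts.

```python
# Added example (not from the thread): a tiny first-match simulator for the
# PIX-style ACL discussed above. It models two things the posts rely on:
# (1) "access-list NAME line N ..." inserts *before* the current line N, so
#     inserting at line 1 twice yields the reverse of the insertion order, and
# (2) lookups stop at the first matching entry, so the order decides whether
#     the mail host's SMTP traffic is permitted before the blanket deny.
# "emailserver" is the placeholder host name from the thread.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Ace:
    action: str           # "permit" or "deny"
    proto: str            # "tcp", "udp" or "ip" (ip matches any protocol)
    src: str              # host name/address or "any"
    dst: str
    dport: Optional[int]  # destination port, None means any port


class Acl:
    def __init__(self) -> None:
        self.entries: List[Ace] = []

    def add(self, ace: Ace, line: Optional[int] = None) -> None:
        """Append, or insert before the existing entry at 1-based `line`."""
        if line is None:
            self.entries.append(ace)
        else:
            self.entries.insert(line - 1, ace)

    def lookup(self, proto: str, src: str, dst: str, dport: int) -> str:
        for ace in self.entries:            # first match wins
            if ace.proto not in ("ip", proto):
                continue
            if ace.src not in ("any", src) or ace.dst not in ("any", dst):
                continue
            if ace.dport is not None and ace.dport != dport:
                continue
            return ace.action
        return "deny"                       # implicit deny at the end


def build_acl_inside_in() -> Acl:
    """Reproduce Jon's two 'line 1' inserts on top of the existing permit."""
    acl = Acl()
    acl.add(Ace("permit", "ip", "any", "any", None))                  # existing line 1
    acl.add(Ace("deny", "tcp", "any", "any", 25), line=1)             # first insert
    acl.add(Ace("permit", "tcp", "emailserver", "any", 25), line=1)   # second insert
    return acl
```

Swapping the two inserts would put the deny first and silently block the mail server too, which is the kind of mistake worth catching before the ACL is applied to a production interface.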
01-22-2009 10:04 AM
Jon,
Most kind of you. Many thanks! This should do the trick. Hopefully we don't see any unanticipated effects, but we can remove this list quickly if there are any problems.
~Steve