Block smtp traffic except for mail server

bojan.vujic
Level 1

Hi all,

I'm trying to block SMTP from all hosts, except for the mail server. I made this configuration:

access-list nooutmail extended permit tcp host 192.168.0.240 any
access-list nooutmail extended deny tcp any any eq smtp
access-list nooutmail extended permit ip any any
access-group nooutmail in interface "interfacename"

What did I do wrong?

4 Replies

John Blakley
VIP Alumni

If you want to allow SMTP traffic from one host only, you should be able to do:

access-list nooutmail extended permit tcp host 192.168.0.240 any eq 25
access-list nooutmail extended deny tcp any any eq smtp
access-list nooutmail extended permit ip any any
access-group nooutmail in interface inside

I'm assuming that you want to allow SMTP traffic out from the 192.168.0.240 server. Also, what's the actual problem that you're seeing?

HTH,

John

HTH, John *** Please rate all useful posts ***

This is my scenario:

I have a Cisco ASA 5510 with 5 subnets, and the mail server is in one of those subnets. When I configure an ACL like the one in the example on every interface, I am able to block all SMTP except SMTP from the mail server, which is OK.

What I really want is to set one outbound ACL on the outside interface instead of 5 inbound ACLs on the inside interfaces.

fmjiang1966
Level 1

Hi,

Try this:

Apply the access-list only to the outside interface, although it is not common:

access-group nooutmail out interface outside

ASA/PIX version 7.0 and later support this, but it is rarely seen in real-world deployments.

fuming

If this access list is applied outbound, keep in mind that you will need to use the "post-NAT'd" (public) source address. The outbound ACL matches the traffic as it egresses the interface (after NAT or static NAT has occurred).
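The following is an added example, not code from this thread or from Cisco: a small Python model of first-match ACL evaluation that shows the two points raised above, namely why the inbound ACL on an inside interface names the real address 192.168.0.240, and why an ACL applied outbound on the outside interface only matches the mail server if it names the translated address (the rule fuming describes). The public addresses 203.0.113.10 and 203.0.113.1, the second inside host 192.168.0.55, the remote address 198.51.100.25 and the one-entry NAT table are all constructed for the example; a real ASA also tracks connections, object groups and other details this model leaves out.

```python
"""Added example: first-match ACL evaluation and the post-NAT matching caveat.

Models a simplified ASA-style extended ACL.  Addresses other than the
thread's 192.168.0.240 are constructed for this example.
"""
from dataclasses import dataclass
from typing import List, Optional

SMTP = 25

@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp", ...
    src: str     # source address
    dst: str     # destination address
    dport: int   # destination port

@dataclass(frozen=True)
class Ace:
    """One access-list entry, e.g. 'permit tcp host A any eq 25'."""
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: str                     # "any" or a single host address
    dst: str                     # "any" or a single host address
    dport: Optional[int] = None  # None means any destination port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.src != "any" and self.src != pkt.src:
            return False
        if self.dst != "any" and self.dst != pkt.dst:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True

def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First matching entry wins; every ACL ends with an implicit deny."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return "deny"

# Constructed NAT: the mail server has a static translation, everything
# else is PAT'd to the (constructed) outside interface address.
STATIC_NAT = {"192.168.0.240": "203.0.113.10"}
PAT_ADDRESS = "203.0.113.1"

def translate(pkt: Packet) -> Packet:
    """Source NAT as the packet leaves the outside interface."""
    return Packet(pkt.proto, STATIC_NAT.get(pkt.src, PAT_ADDRESS), pkt.dst, pkt.dport)

# The thread's ACL as applied "in" on an inside interface: real addresses,
# because the packet has not been translated yet.
INSIDE_IN = [
    Ace("permit", "tcp", "192.168.0.240", "any", SMTP),
    Ace("deny", "tcp", "any", "any", SMTP),
    Ace("permit", "ip", "any", "any"),
]

# Same intent, applied "out" on the outside interface: the packet has already
# been translated, so the permit must name the post-NAT (public) address.
OUTSIDE_OUT = [
    Ace("permit", "tcp", "203.0.113.10", "any", SMTP),
    Ace("deny", "tcp", "any", "any", SMTP),
    Ace("permit", "ip", "any", "any"),
]

def check_inbound(pkt: Packet) -> str:
    """Decision for an ACL applied 'in' on the inside interface."""
    return evaluate(INSIDE_IN, pkt)

def check_outbound(pkt: Packet) -> str:
    """Decision for an ACL applied 'out' on the outside interface (post-NAT)."""
    return evaluate(OUTSIDE_OUT, translate(pkt))

def check_outbound_with_real_addrs(pkt: Packet) -> str:
    """The mistake: reusing the inside ACL (real addresses) outbound."""
    return evaluate(INSIDE_IN, translate(pkt))

if __name__ == "__main__":
    mail = Packet("tcp", "192.168.0.240", "198.51.100.25", SMTP)
    other = Packet("tcp", "192.168.0.55", "198.51.100.25", SMTP)
    web = Packet("tcp", "192.168.0.55", "198.51.100.25", 443)
    for name, pkt in (("mail server smtp", mail), ("other host smtp", other), ("other host https", web)):
        print(f"{name:18} inbound={check_inbound(pkt):6} outbound={check_outbound(pkt):6} "
              f"outbound-with-real-addrs={check_outbound_with_real_addrs(pkt)}")
```

Running it shows the mail server's SMTP permitted and the other host's SMTP denied under both placements, while the outbound ACL that still names 192.168.0.240 denies the mail server too, since that address never appears in a packet after translation. It also illustrates why the single-outbound-ACL approach depends on the mail server having its own static translation: if it shared the PAT address with the other hosts, the post-NAT source would no longer distinguish it.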
