05-20-2009 04:32 AM - edited 03-11-2019 08:34 AM
Hi all,
I'm trying to block SMTP from all hosts, except for the mail server. I made this configuration:
access-list nooutmail extended permit tcp host 192.168.0.240 any
access-list nooutmail extended deny tcp any any eq smtp
access-list nooutmail extended permit ip any any
access-group nooutmail in interface "interfacename"
What did I do wrong?
05-20-2009 06:14 AM
If you're wanting to allow one host smtp traffic, you should be able to do:
access-list nooutmail extended permit tcp host 192.168.0.240 any eq 25
access-list nooutmail extended deny tcp any any eq smtp
access-list nooutmail extended permit ip any any
access-group nooutmail in interface inside
I'm assuming that you're wanting to allow smtp traffic out from the 192.168.0.240 server. Also, what's the actual problem that you're seeing?
HTH,
John
05-21-2009 11:54 PM
This is my scenario
I have a Cisco ASA 5510 with 5 subnets, and the mail server is in one subnet. When I configured the ACL on every interface as in the example, I was able to block all SMTP except SMTP from the mail server, which is OK.
What I really want is to set one outbound ACL on the outside interface instead of 5 inbound ACLs on the inside interfaces.
05-23-2009 06:41 PM
Hi,
Try this:
Apply the access-list only to the outside interface, although it is not common:
access-group nooutmail out interface outside
ASA/PIX version 7.0 and later support this, but it is rarely seen in practice.
fuming
05-24-2009 10:30 AM
If this access list is applied outbound, keep in mind that you will need to use the "post-NAT'd" (public) source address. The outbound ACL matches the traffic as it egresses the interface (after the NAT or static NAT has occurred).
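The following is an added example, not code from the thread: a small first-match evaluator for the ACL lines posted in John's reply, to make the two points above concrete. It shows the top-down, first-match behaviour that makes the ACL work inbound, and why the same ACL applied outbound on the outside interface must permit the mail server's translated (public) address, which is assumed here and not given in the thread.

```python
from ipaddress import ip_address

# Constructed copy of the ACL from John's reply; order matters because the ASA evaluates top-down.
ACL = """
access-list nooutmail extended permit tcp host 192.168.0.240 any eq 25
access-list nooutmail extended deny tcp any any eq smtp
access-list nooutmail extended permit ip any any
"""

PORT_NAMES = {"smtp": 25}  # only the keyword used in the thread

def parse_acl(text):
    """Parse 'access-list NAME extended ACTION PROTO SRC DST [eq PORT]' lines."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        action, proto = tok[3], tok[4]
        src, i = _parse_addr(tok, 5)
        dst, i = _parse_addr(tok, i)
        port = None
        if i < len(tok) and tok[i] == "eq":
            p = tok[i + 1]
            port = PORT_NAMES[p] if p in PORT_NAMES else int(p)
        rules.append((action, proto, src, dst, port))
    return rules

def _parse_addr(tok, i):
    """Return (address or None for 'any', index of the next token)."""
    if tok[i] == "any":
        return None, i + 1
    if tok[i] == "host":
        return ip_address(tok[i + 1]), i + 2
    raise ValueError(f"unsupported address form: {tok[i]}")

def evaluate(rules, proto, src, dst, dport):
    """First matching ACE wins; the ASA's implicit deny applies if none match."""
    src, dst = ip_address(src), ip_address(dst)
    for action, rproto, rsrc, rdst, rport in rules:
        if rproto != "ip" and rproto != proto:
            continue
        if rsrc is not None and rsrc != src:
            continue
        if rdst is not None and rdst != dst:
            continue
        if rport is not None and rport != dport:
            continue
        return action
    return "deny"
```

Evaluating a port-25 flow whose source is the mail server's post-NAT public address (as it appears outbound on the outside interface) hits the deny line, so the outbound ACL needs that address in its permit entry.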