Blocking port 25 on Cisco ASA 5505

Jun 9th, 2009

I have a Cisco ASA 5505 in place at a client, and I've got a PC on the network infected with a spambot sending spam. I need to block port 25 to all PCs on the network EXCEPT for the Exchange server. I created an outbound ACL rule on the outside interface to first permit SMTP traffic for my Exchange server and then created a rule to deny SMTP traffic from source ALL. This is not working, as all systems are still able to use port 25 regardless of the order the rules are listed. Am I missing something? Please help.

Jon Marshall Tue, 06/09/2009 - 19:09
Kevin

Could you clarify what it is you are trying to do, i.e.:

"need to block port 25 to all PCs on the network EXCEPT for the Exchange server."

This suggests you want to block any outside device connecting to your internal PCs on port 25.

"I created an outbound ACL rule on the outside interface to first permit SMTP traffic for my Exchange server and then created a rule to deny SMTP traffic from source ALL."

This suggests you want to stop all your internal PCs connecting to outside devices on port 25.

Which one are you trying to do?

Jon

westernmotor Wed, 06/10/2009 - 05:35

I am trying to stop all internal PCs from connecting to outside devices on port 25, except for the Exchange server. There is a bot on one of the PCs on the network, and I don't know which one. I want to deny access to the port outbound for the desktops, and leave it open for the Exchange server only.

This is an example of what you will have to do. I am using this for one of my customers; I ran into the same problem.

access-list 101 extended permit tcp host 192.168.240.10 any eq smtp
access-list 101 extended deny tcp 192.168.240.0 255.255.255.0 any eq smtp
access-list 101 extended permit ip any any
access-group 101 in interface inside
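The reason the order of those three entries matters is that the ASA evaluates an access list top to bottom and stops at the first match. The following is an added Python example, not code from the thread or from Cisco: it parses the three ACEs above, evaluates constructed flows against them with first-match semantics, and shows the Exchange host (192.168.240.10) passing on port 25 while any other host in 192.168.240.0/24 is denied on port 25 only. The destination address 203.0.113.5 and the desktop address 192.168.240.55 are constructed for the demonstration.

```python
import ipaddress

# ACL as posted in the answer above (the ASA keyword "smtp" means TCP port 25).
ACL_101 = """
access-list 101 extended permit tcp host 192.168.240.10 any eq smtp
access-list 101 extended deny tcp 192.168.240.0 255.255.255.0 any eq smtp
access-list 101 extended permit ip any any
"""

PORT_NAMES = {"smtp": 25}


def _addr(tokens):
    """Consume one ASA address spec (any | host A | NET MASK); return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]


def parse_acl(text):
    """Parse 'access-list NAME extended ACTION PROTO SRC DST [eq PORT]' lines into ACE tuples."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if t[0] != "access-list" or t[2] != "extended":
            raise ValueError(f"unsupported line: {line}")
        action, proto = t[3], t[4]
        src, rest = _addr(t[5:])
        dst, rest = _addr(rest)
        port = None
        if rest[:1] == ["eq"]:
            port = PORT_NAMES.get(rest[1]) or int(rest[1])
        aces.append((action, proto, src, dst, port))
    return aces


def evaluate(aces, proto, src, dst, dport):
    """First match wins; the ASA applies an implicit deny when no entry matches."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, snet, dnet, port in aces:
        if p != "ip" and p != proto:          # "ip" matches every protocol
            continue
        if s in snet and d in dnet and (port is None or port == dport):
            return action
    return "deny"


if __name__ == "__main__":
    aces = parse_acl(ACL_101)
    for host, port in [("192.168.240.10", 25), ("192.168.240.55", 25), ("192.168.240.55", 443)]:
        print(host, port, evaluate(aces, "tcp", host, "203.0.113.5", port))
```

Swapping the first two entries so the subnet deny comes first makes the Exchange host match the deny before its own permit is ever reached, which is the failure mode the original question describes when rule order seems not to help.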

