07-17-2009 03:26 AM - edited 03-11-2019 08:56 AM
Here is my configuration.
access-list inside_access_in extended permit tcp host Mailint any eq smtp
access-list inside_access_in extended deny tcp any any eq smtp
access-list inside_access_in extended permit ip object-group internal-net any
access-group inside_access_in in interface inside
This is to prevent possible spammers on my LAN.
Mailint server is only allowed to send smtp traffic.
But the ACL does not work!?
I issue from my PC:
telnet mail.yahoo.com 25
And I receive reply from yahoo server.
Any suggestions? What is wrong?
07-17-2009 04:25 AM
post the output from "show access-list inside_access_in"
07-17-2009 04:47 AM
Here it is
access-list inside_access_in; 9 elements; name hash: 0x433a1af1
access-list inside_access_in line 1 extended permit tcp host Mailint any eq smtp (hitcnt=0) 0x1fa6687c
access-list inside_access_in line 2 extended deny tcp any any eq smtp (hitcnt=18) 0xe3de3aa9
access-list inside_access_in line 3 extended permit ip object-group internal-net any 0x0ada2aa5
access-list inside_access_in line 3 extended permit ip **** 255.255.255.0 any (hitcnt=19175) 0x12ee6ada
access-list inside_access_in line 3 extended permit ip **** 255.255.255.0 any (hitcnt=16565) 0xeba73452
access-list inside_access_in line 3 extended permit ip **** 255.255.255.0 any (hitcnt=3270) 0x3ec5fae7
access-list inside_access_in line 3 extended permit ip **** 255.255.255.0 any (hitcnt=2723) 0x35616727
access-list inside_access_in line 3 extended permit ip **** 255.255.255.0 any (hitcnt=10427) 0x69b4b8b6
access-list inside_access_in line 3 extended permit ip **** 255.255.255.0 any (hitcnt=0) 0x4964f9f7
access-list inside_access_in line 3 extended permit ip **** 255.255.255.0 any (hitcnt=0) 0xfef1f420
07-17-2009 05:58 AM
So you are blocking on this line:
access-list inside_access_in line 2 extended deny tcp any any eq smtp (hitcnt=18)
07-18-2009 08:38 PM
Yes and it is not working.
SMTP traffic is passing through.
Could somebody try this too?
07-19-2009 12:41 AM
How do you know this is still working?
07-19-2009 02:20 AM
Do you have a static NAT for your PC? Try to check from other PCs which are NATed.
07-19-2009 04:19 AM
Are you positive you are coming from the inside and are not coming in to the ASA from a different interface? If you are sure you are coming from the inside, can you add this to your ACL to test?
access-list inside_access_in line 2 deny tcp host
Then test again and look at the counters to see if you are able to get out. If you are, are you sure there is not a device before the ASA that is translating your address?
07-21-2009 02:39 AM
I was wrong. ACL is working.
The confusion was caused by TCP options.
(Configuration-firewall-advanced-TCP options for inside interface)
I unchecked "Send reset reply for denied outbound TCP packets"
and there are no more "replies" from the yahoo server.
Sorry, but I was really confused by this.
Thanks for your replies.
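The resolution above is worth seeing from the client side: with "Send reset reply for denied outbound TCP packets" enabled, the ASA answers a denied SYN with a TCP RST, so a `telnet mail.yahoo.com 25` fails instantly with "Connection refused", which is easy to mistake for the remote server answering. With the option disabled the packet is silently dropped and the client just hangs until its timeout. The probe below is an added example, not code from the thread or from Cisco; it tells the two outcomes apart and uses loopback sockets as a constructed stand-in for the real mail server (a closed local port plays the role of the RST-sending firewall, a listening one plays a reachable SMTP server).

```python
import socket


def probe(host, port, timeout=3.0):
    """Attempt a TCP connect and classify what came back.

    Returns one of:
      'open'    - full handshake completed; something is really listening
      'refused' - a RST came back (a real host with no listener, or a
                  firewall configured to send resets for denied traffic,
                  like the ASA option discussed above)
      'timeout' - nothing came back at all (silent drop)
      'error: ...' - any other socket error, e.g. network unreachable
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError as e:
        return f"error: {e.strerror}"
    finally:
        s.close()


def free_local_port():
    """Pick a loopback port with no listener (constructed 'refused' case)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def open_listener():
    """Start a loopback listener (constructed 'open' case); caller closes it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv


if __name__ == "__main__":
    # Closed port: the kernel sends a RST, exactly what the ASA did with
    # the reset option checked, so telnet would say "Connection refused".
    print("closed port:", probe("127.0.0.1", free_local_port()))
    # Listening port: a genuine three-way handshake, a real reply.
    srv = open_listener()
    print("listening port:", probe("127.0.0.1", srv.getsockname()[1]))
    srv.close()
    # A silently dropped SYN (reset option unchecked) would come back as
    # 'timeout' after the configured wait; not reproduced offline here.
```

Only 'open' means the far end actually accepted the connection; 'refused' proves nothing about the remote SMTP server when a reset-sending firewall sits in the path. As suggested earlier in the thread, the hit counters in `show access-list inside_access_in` remain the authoritative check of whether the deny line is matching.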