Block smtp traffic except for mail server

Hi all,

I'm trying to block SMTP from all hosts, except for the mail server. I made this configuration:

access-list nooutmail extended permit tcp host 192.168.0.240 any
access-list nooutmail extended deny tcp any any eq smtp
access-list nooutmail extended permit ip any any
access-group nooutmail in interface "interfacename"

What did I do wrong?

4 REPLIES

Re: Block smtp traffic except for mail server

If you're wanting to allow one host SMTP traffic, you should be able to do:

access-list nooutmail extended permit tcp host 192.168.0.240 any eq 25
access-list nooutmail extended deny tcp any any eq smtp
access-list nooutmail extended permit ip any any
access-group nooutmail in interface inside

I'm assuming that you're wanting to allow SMTP traffic out from the 192.168.0.240 server. Also, what's the actual problem that you're seeing?

HTH,

John


Re: Block smtp traffic except for mail server

This is my scenario:

I have a Cisco ASA 5510 with 5 subnets, and the mail server is in one subnet. When I configured the ACL on every interface as in the example, I was able to block all SMTP except SMTP from the mail server, which is OK.

What I really want is to set one outbound ACL on the outside interface instead of 5 inbound ACLs on the inside interfaces.


Re: Block smtp traffic except for mail server

Hi,

Try this:

Apply the access-list only to the outside interface, although it is not common:

access-group nooutmail out interface outside

ASA/PIX version 7.0 and later support this, but it is rarely seen in real-world use.

fuming


Re: Block smtp traffic except for mail server

If this access list is applied outbound, keep in mind that you will need to use the "post-NAT'd" (public) source address. The outbound ACL matches the traffic as it egresses the interface (after the NAT or static NAT has occurred).
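To make the ordering and NAT points in this thread concrete, here is an added example (not from the original posts or from Cisco) that models first-match ACL evaluation and shows why the same three ACEs pass the mail server's SMTP inbound on the inside interface but fail it outbound on the outside interface once the source has been translated, as the last reply describes. It assumes a made-up static NAT of 192.168.0.240 to 203.0.113.25 and models the older post-NAT matching behaviour; ASA 8.3 and later match ACLs on real, untranslated addresses, so check your version before relying on either result.

```python
from ipaddress import ip_address, ip_network

# Constructed rules mirroring the thread's "nooutmail" ACL, in order:
# (action, protocol, source, destination, destination port or None)
NOOUTMAIL = [
    ("permit", "tcp", "192.168.0.240/32", "0.0.0.0/0", 25),
    ("deny",   "tcp", "0.0.0.0/0",        "0.0.0.0/0", 25),
    ("permit", "ip",  "0.0.0.0/0",        "0.0.0.0/0", None),
]

# Assumed static NAT for the mail server (the public address is made up).
STATIC_NAT = {"192.168.0.240": "203.0.113.25"}

def matches(rule, pkt):
    """True if one ACE matches the packet (a dict with proto/src/dst/dport)."""
    _, proto, src, dst, dport = rule
    if proto != "ip" and proto != pkt["proto"]:
        return False
    if ip_address(pkt["src"]) not in ip_network(src):
        return False
    if ip_address(pkt["dst"]) not in ip_network(dst):
        return False
    return dport is None or pkt["dport"] == dport

def evaluate(acl, pkt):
    """First-match evaluation; an ASA ACL ends in an implicit deny."""
    for rule in acl:
        if matches(rule, pkt):
            return rule[0]
    return "deny"

def inbound_decision(acl, pkt):
    """ACL applied 'in' on an inside interface sees the private source address."""
    return evaluate(acl, pkt)

def outbound_decision(acl, pkt, nat=STATIC_NAT):
    """ACL applied 'out' on the outside interface sees the post-NAT source."""
    translated = dict(pkt, src=nat.get(pkt["src"], pkt["src"]))
    return evaluate(acl, translated)

def rewrite_for_outside(acl, nat=STATIC_NAT):
    """Rewrite host sources to their translated (public) addresses for an outbound ACL."""
    out = []
    for action, proto, src, dst, dport in acl:
        host = src.split("/")[0]
        if host in nat:
            src = nat[host] + "/32"
        out.append((action, proto, src, dst, dport))
    return out
```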
