Cisco Support Community

New Member

Blocking on PIX

Hi

We have some issues with emails and the domain gets blacklisted. I am wondering if there is some kind of virus on some computers which may be using port 25 to send SMTP traffic. I was wondering if there is any way to configure the PIX so that it accepts SMTP traffic only from the mail servers and blocks any kind of SMTP traffic from individual PCs. This is all on the LAN. I thought of creating ACLs on the inside interface, but I may have to create multiple ACLs and they would be hard to manage.

And is there any way on the PIX to see the host IP or MAC which may be sending a lot of SMTP traffic?

Please advise

Thanks

Accepted Solution
Cisco Employee

Re: Blocking on PIX

You can use an ACL to restrict only your e-mail server to send traffic destined to TCP port 25 and block everyone else.

access-l inside-acl permit tcp host x.x.x.x any eq 25

access-l inside-acl deny tcp any any eq 25

access-l inside-acl permit ip any any

The above ACL will be applied IN on the inside interface, where x.x.x.x is the private/inside IP address of your e-mail server.

The same thing can be done on the outside ACL.

access-l outside-acl permit tcp any host y.y.y.y eq 25

meaning only y.y.y.y, which is the translated/public address of the e-mail server, is reachable on port 25.

You cannot use MAC address to block on a PIX/ASA/FWSM.

-KS
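For the second part of the question (which inside host is generating the blocked SMTP traffic), here is an added example that is not from the thread or from Cisco: once the deny line from the ACL above is in place and the PIX is sending ACL denies (syslog message 106023) to a syslog server, a short script can count denied port-25 attempts per source host. The log lines and addresses below are constructed for illustration; the ACL name inside-acl is the one used in the answer.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the %PIX-4-106023 format (not taken from the thread).
# They model what the "deny tcp any any eq 25" line of inside-acl logs once logging is
# enabled at level 4 (warnings) or above. The last line is unrelated noise to be ignored.
SAMPLE_LOG = """\
%PIX-4-106023: Deny tcp src inside:192.168.1.57/3342 dst outside:203.0.113.25/25 by access-group "inside-acl"
%PIX-4-106023: Deny tcp src inside:192.168.1.57/3343 dst outside:198.51.100.9/25 by access-group "inside-acl"
%PIX-4-106023: Deny tcp src inside:192.168.1.57/3344 dst outside:203.0.113.77/25 by access-group "inside-acl"
%PIX-4-106023: Deny tcp src inside:192.168.1.23/1025 dst outside:203.0.113.25/25 by access-group "inside-acl"
%PIX-4-106023: Deny udp src inside:192.168.1.80/137 dst outside:203.0.113.5/137 by access-group "inside-acl"
%PIX-6-302013: Built outbound TCP connection 1234 for outside:203.0.113.25/25 (203.0.113.25/25) to inside:192.168.1.10/4411 (198.51.100.2/4411)
"""

# Fields of the 106023 message: protocol, source interface/address/port,
# destination interface/address/port and the ACL that produced the deny.
DENY_RE = re.compile(
    r'%PIX-4-106023: Deny (?P<proto>\w+) src (?P<sif>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dif>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"'
)

def smtp_deny_counts(log_text, acl="inside-acl"):
    """Count denied TCP/25 connection attempts per source host for the given ACL."""
    counts = Counter()
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if not m or m.group("acl") != acl:
            continue
        if m.group("proto") != "tcp" or m.group("dport") != "25":
            continue
        counts[m.group("src")] += 1
    return counts

def suspected_spam_hosts(log_text, threshold=2):
    """Hosts whose blocked SMTP attempts reach the threshold, busiest first.

    The threshold is an assumed tuning value; a real LAN needs a figure chosen
    from its own baseline of denied port-25 attempts."""
    counts = smtp_deny_counts(log_text)
    return [(host, n) for host, n in counts.most_common() if n >= threshold]

if __name__ == "__main__":
    for host, n in suspected_spam_hosts(SAMPLE_LOG):
        print(f"{host}: {n} blocked SMTP connection attempts")
```

Hosts reported here are candidates for an antivirus check; the ACL already stops the traffic, so the list is for clean-up rather than enforcement.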

2 REPLIES
New Member

Re: Blocking on PIX

Thank you
