Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
640
Views
0
Helpful
1
Replies

PIX 501 Security Issue

gv
Level 1
Level 1

‎12-13-2006 05:44 AM - edited ‎03-11-2019 02:08 AM

I have a possible spam relay from a PC in my internal network.

I have tried to lock down the PIX firewall so only port 25 traffic would be allowed out from the exchange server.

My attempt blocked both incoming and out going legitimate mail.

Could some one assist me with the correct parameters.

Second requests. Is there a way to log traffice from all internal work stations to try and pin point the relay.

Thank you

In advance

Labels:
0 Helpful
1 Reply 1

a.kiprawih
Level 7
Level 7

‎12-13-2006 07:03 AM

To specifically allow only TCP 25 traffic to go in/out of your internal network (fr email server), make sure your access-list (ACL) specify this correctly.

From inside to outside, you can have at least the following ACL entry (example):

access-list inside permit tcp host 10.10.10.10 any eq 25

access-group inside in interface inside

Optionally, if you need to allow external email server to send email traffic into your internal email svr, you need to map your internal server with a public IP, and locked incoming access via acl allowing smtp 25(tcp).

access-list outside permit tcp any host 192.168.1.10 eq 25

access-group outside in interface outside

static (inside,outside) 192.168.1.10 10.10.10.10 netmask 255.255.255.255

*192.168.1.10 - public IP

*10.10.10.10 - exchange svr

BTW, have you check the exchange server anti-spam feature?

http://www.microsoft.com/technet/prodtechnol/exchange/downloads/2003/imf/default.mspx

To log all internal stations session, this is possible if they used Inside interface as gateway, and you have acl logging all permitted or a combination of permit and deny entries. Check the log entries, as well as connection status.

To check connection status, use ' sh conn' command. You may see some internal IP has multiple connections/sessions (via single of a series of ports) to multiple IPs, while some might be multiple session to single IP.

Check the port number and patterns. Some viruses/worms tend to have multiple ports in sequence and can go easily more than 20 sessions/connections attempt (we used the same approached to nail internal PCs spreading sasser virus around).

FYI, PIX has spam/mail relay protection which is enabled by default. Check the 'fixup protocol smtp 25'.

But if the spam/relay is originating from internal PC, you might need to do more. Check your firewall log (destination port number) & connections/sessions for any multiple email sessions from internal host(s) to the exchange server. You might be able to find it.

If you have good antivirus, you could also find the trojan/worms (and pc) responsible for the mess.

My 2cent opinion.

HTH

AK

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card