
pix 506e - easy question

jjacobson
Level 1

I'm implementing a Postini (anti-spam) solution for a small company. Currently my PIX allows SMTP traffic from anywhere on the outside. How do I configure it to only accept SMTP traffic from an IP range of 64.18.0.0 to 64.18.15.255/20 (this is Postini's network range)? How do I implement this? Thank you in advance.

1 Reply

bthibode
Level 1

OK, I am assuming that you are using access-lists, not conduits, and you have more than one public IP address from your ISP (not port forwarding on a single public IP).

Let's say the public IP address you're using for your mail server is 65.12.32.2 and the inside (real) IP address for your mail server is 192.168.1.2. In the scenario I just described, you have something like this in your config:

static (inside,outside) 65.12.32.2 192.168.1.2 netmask 255.255.255.255

access-list outside_in permit tcp any host 65.12.32.2 eq 25

access-group outside_in in interface outside

In this case we are allowing SMTP (TCP 25) from anywhere on the internet to 65.12.32.2 (our mail server's public IP address). You stated that you only want to allow mail traffic from 64.18.0.0/20. All you would have to do in this case is add the following access-list:

access-list outside_in permit tcp 64.18.0.0 255.255.240.0 host 65.12.32.2 eq 25

Then remove the old access-list and you're done! Your new config will have the following entries:

static (inside,outside) 65.12.32.2 192.168.1.2 netmask 255.255.255.255

access-list outside_in permit tcp 64.18.0.0 255.255.240.0 host 65.12.32.2 eq 25

access-group outside_in in interface outside

Please let me know if this helps

Bryan
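
A way to check the result offline, as an added example that is not part of the reply above: this Python script reads a saved PIX config and lists every `outside_in` permit entry that still lets TCP/25 in from a source outside 64.18.0.0/20. The function names and the three sample configs are constructed for illustration, and only the `any`, `host <ip>` and `<address> <netmask>` address forms are handled (no object-groups).

```python
import ipaddress

ALLOWED = ipaddress.ip_network("64.18.0.0/20")  # Postini range from the question

def parse_addr(tokens, i):
    """Parse a PIX address spec at tokens[i]; return (network, next_index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # "<address> <netmask>" form, e.g. 64.18.0.0 255.255.240.0
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2

def smtp_violations(config, acl_name, allowed=ALLOWED):
    """Return permit lines in acl_name that let TCP/25 in from outside `allowed`."""
    bad = []
    for line in config.splitlines():
        t = line.split()
        if len(t) < 6 or t[:2] != ["access-list", acl_name]:
            continue
        if t[2] != "permit" or t[3] not in ("tcp", "ip"):
            continue
        src, i = parse_addr(t, 4)
        _dst, i = parse_addr(t, i)
        port = t[i:]
        # Only an explicit "eq <other port>" rules SMTP out; anything else
        # (no qualifier, range, gt, lt) is treated conservatively as covering 25.
        other_port = len(port) >= 2 and port[0] == "eq" and port[1] not in ("25", "smtp")
        if not other_port and not src.subnet_of(allowed):
            bad.append(line.strip())
    return bad

# Constructed inputs built from the lines in the reply above.
STATIC = "static (inside,outside) 65.12.32.2 192.168.1.2 netmask 255.255.255.255\n"
OPEN = "access-list outside_in permit tcp any host 65.12.32.2 eq 25\n"
POSTINI = "access-list outside_in permit tcp 64.18.0.0 255.255.240.0 host 65.12.32.2 eq 25\n"
GROUP = "access-group outside_in in interface outside\n"

BEFORE = STATIC + OPEN + GROUP
BOTH = STATIC + OPEN + POSTINI + GROUP   # new entry added, old one not yet removed
AFTER = STATIC + POSTINI + GROUP

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("both", BOTH), ("after", AFTER)):
        print(name, smtp_violations(cfg, "outside_in"))
```

The `BOTH` case is the one worth noticing: with the Postini entry added but the old `any` entry still present, SMTP is still open to the whole internet.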
