Cisco Support Community

Prevent smtp from all IPs except email servers

How can I configure our ASA 5510 ver. 7.2(2) to prevent all smtp traffic except from our email servers (2 of them). We want to make sure that a possible virus would not be able to spam out email and then have our IP Address blacklisted. All incoming email is directed to our Barracuda Spam filter first and then sent to our email servers. The spam filter is behind the firewall. All outgoing email will also be directed through the Barracuda in the future. Thanks.

6 REPLIES

Re: Prevent smtp from all IPs except email servers

Clarification: We want to stop all OUTGOING SMTP traffic from all IP addresses except the email servers.

Re: Prevent smtp from all IPs except email servers

In your ACL (outbound) permit the email servers and deny everything else. Assume your mail servers are 10.10.10.5 & 6.

access-list INSIDE_OUT extended permit tcp host 10.10.10.5 any eq smtp

access-list INSIDE_OUT extended permit tcp host 10.10.10.6 any eq smtp

access-list INSIDE_OUT extended deny tcp any any eq smtp

Hope that helps.


Re: Prevent smtp from all IPs except email servers

Thanks Collin, this is working.

I tried something else with horrible results.

Gary

Re: Prevent smtp from all IPs except email servers

Just remember that the order is very important. Glad to hear it's working!


Re: Prevent smtp from all IPs except email servers

Please help me understand: if these ACLs are set for outbound filtering, this would only allow these two servers to communicate with any. If I have workstations that are using POP email separate and external to these SMTP servers, they will be denied 100% unless I add their host IP as well?

Re: Prevent smtp from all IPs except email servers

In the above example we are permitting the two internal mail servers to send email out via SMTP and denying the users to send directly out (prevents spamming). If you have some clients that retrieve POP3 you can allow that, but typically they send email via SMTP. You can permit this "safely". Let's say that the users' POP3 incoming server is 69.222.73.10 and their outgoing SMTP server is 75.50.95.73. Create an ACL that allows POP3 and allows some SMTP but blocks the rest. The 192.168.1.0 network is your internal LAN.

access-list INSIDE_OUT extended permit tcp 192.168.1.0 255.255.255.0 host 69.222.73.10 eq pop3

access-list INSIDE_OUT extended permit tcp 192.168.1.0 255.255.255.0 host 75.50.95.73 eq smtp

access-list INSIDE_OUT extended deny tcp 192.168.1.0 255.255.255.0 any eq smtp

Now users can get POP3 email, send email via the approved SMTP server only and are denied to any other SMTP servers.
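The following is an added example and not part of this thread or of Cisco's own tooling: a small Python model of how the ASA walks an extended ACL, applied to the two ACLs posted above (the first answer's mail-server ACL and the POP3/SMTP ACL from the last answer, which is given the name INSIDE_OUT here as an assumption). It parses the ASA ACE syntax, evaluates a flow with first-match semantics and the implicit "deny ip any any" that ends every ASA ACL, and makes three points the thread only hints at: the order of the ACEs matters (the same three lines with the deny first block the mail servers too), neither posted ACL has a trailing "permit ip any any", so once bound to the inside interface the implicit deny drops all other outbound traffic from the LAN as well, and the deny only covers port 25, so a host that relays through the submission port 587 is not stopped by it. The external address 203.0.113.25 is a constructed TEST-NET-3 value.

```python
import ipaddress

# Service keywords used in this thread; ASA also accepts numeric ports after "eq".
PORT_NAMES = {"smtp": 25, "pop3": 110, "www": 80}


def _parse_addr(tokens, i):
    """Parse one ASA address spec at tokens[i]: 'any', 'host A.B.C.D',
    or 'A.B.C.D MASK' (ASA uses a real subnet mask, not a wildcard).
    Returns (network, index of the next unread token)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line):
    """Parse one 'access-list NAME extended permit|deny PROTO SRC DST [eq PORT]' line."""
    t = line.split()
    if t[0] != "access-list" or t[2] != "extended":
        raise ValueError(f"not an extended ACE: {line}")
    src, i = _parse_addr(t, 5)
    dst, i = _parse_addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        dport = int(t[i + 1]) if t[i + 1].isdigit() else PORT_NAMES[t[i + 1]]
    return {"name": t[1], "action": t[3], "proto": t[4],
            "src": src, "dst": dst, "dport": dport}


def parse_acl(text):
    """Parse a block of ACE lines, preserving their order."""
    return [parse_ace(l) for l in text.strip().splitlines() if l.strip()]


def evaluate(acl, proto, src_ip, dst_ip, dport):
    """First-match evaluation, as the ASA does it: the first ACE that matches
    decides. If no ACE matches, the implicit 'deny ip any any' at the end of
    every ASA ACL applies."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in acl:
        if ace["proto"] not in ("ip", proto):
            continue
        if s not in ace["src"] or d not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"]
    return "deny"  # implicit deny at the end of the ACL


# The ACL from the first answer in this thread.
MAIL_SERVER_ACL = parse_acl("""
access-list INSIDE_OUT extended permit tcp host 10.10.10.5 any eq smtp
access-list INSIDE_OUT extended permit tcp host 10.10.10.6 any eq smtp
access-list INSIDE_OUT extended deny tcp any any eq smtp
""")

# The POP3/SMTP ACL from the last answer; the name INSIDE_OUT is assumed here.
POP3_ACL = parse_acl("""
access-list INSIDE_OUT extended permit tcp 192.168.1.0 255.255.255.0 host 69.222.73.10 eq pop3
access-list INSIDE_OUT extended permit tcp 192.168.1.0 255.255.255.0 host 75.50.95.73 eq smtp
access-list INSIDE_OUT extended deny tcp 192.168.1.0 255.255.255.0 any eq smtp
""")

# Trailing 'permit ip any any' that both posted ACLs are missing: without it
# the implicit deny also drops web, DNS and everything else from the LAN.
PERMIT_REST = parse_acl("access-list INSIDE_OUT extended permit ip any any")

# Same three ACEs as MAIL_SERVER_ACL, but with the deny placed first.
DENY_FIRST_ACL = [MAIL_SERVER_ACL[2], MAIL_SERVER_ACL[0], MAIL_SERVER_ACL[1]]

if __name__ == "__main__":
    ext = "203.0.113.25"  # constructed external address (TEST-NET-3)
    print(evaluate(MAIL_SERVER_ACL, "tcp", "10.10.10.5", ext, 25))                 # permit
    print(evaluate(MAIL_SERVER_ACL, "tcp", "10.10.10.50", ext, 25))                # deny
    print(evaluate(MAIL_SERVER_ACL, "tcp", "10.10.10.50", ext, 80))                # deny (implicit deny)
    print(evaluate(MAIL_SERVER_ACL + PERMIT_REST, "tcp", "10.10.10.50", ext, 80))  # permit
    print(evaluate(MAIL_SERVER_ACL + PERMIT_REST, "tcp", "10.10.10.50", ext, 587)) # permit (not covered)
    print(evaluate(DENY_FIRST_ACL, "tcp", "10.10.10.5", ext, 25))                  # deny (order matters)
    print(evaluate(POP3_ACL, "tcp", "192.168.1.20", "69.222.73.10", 110))          # permit
    print(evaluate(POP3_ACL, "tcp", "192.168.1.20", ext, 25))                      # deny
```

The model ignores NAT, established-connection state and object-groups, which is enough to reason about ordering. On the ASA itself the ACL does nothing until it is bound to the interface with "access-group INSIDE_OUT in interface inside", and the evaluation order is the order the "access-list" lines were entered, which is why appending "permit ip any any" after the SMTP deny is the safe way to restore the rest of the LAN's traffic.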
