11-20-2008 06:43 AM - edited 03-11-2019 07:15 AM
How can I configure our ASA 5510 ver. 7.2(2) to prevent all smtp traffic except from our email servers (2 of them). We want to make sure that a possible virus would not be able to spam out email and then have our IP Address blacklisted. All incoming email is directed to our Barracuda Spam filter first and then sent to our email servers. The spam filter is behind the firewall. All outgoing email will also be directed through the Barracuda in the future. Thanks.
11-20-2008 06:49 AM
Clarification: We want to stop all OUTGOING Smtp traffic from all ip addresses except the email servers.
11-20-2008 06:49 AM
In your ACL (outbound) permit the email servers and deny everything else. Assume your mail servers are 10.10.10.5 & 6.
access-list INSIDE_OUT extended permit tcp host 10.10.10.5 any eq smtp
access-list INSIDE_OUT extended permit tcp host 10.10.10.6 any eq smtp
access-list INSIDE_OUT extended deny tcp any any eq smtp
Hope that helps.
11-20-2008 07:38 AM
Thanks Collin, this is working.
I tried something else with horrible results.
Gary
11-20-2008 07:41 AM
Just remember that the order is very important. Glad to hear it's working!
06-18-2009 10:34 AM
Please help me understand: if these ACLs are set for outbound filtering, this would only allow these two servers to communicate with any. If I have workstations that are using POP email separate and external to these SMTP servers, will they be denied 100% unless I add their host IP as well?
06-18-2009 10:44 AM
In the above example we are permitting the two internal mail servers to send email out via SMTP and denying the users to send directly out (prevents spamming). If you have some clients that retrieve POP3 you can allow that, but typically they send email via SMTP. You can permit this "safely". Let's say that the users' POP3 incoming server is 69.222.73.10 and their outgoing SMTP server is 75.50.95.73. Create an ACL that allows POP3 and allows some SMTP but blocks the rest. The 192.168.1.0 network is your internal LAN.
access-list INSIDE_OUT extended permit tcp 192.168.1.0 255.255.255.0 host 69.222.73.10 eq pop3
access-list INSIDE_OUT extended permit tcp 192.168.1.0 255.255.255.0 host 75.50.95.73 eq smtp
access-list INSIDE_OUT extended deny tcp 192.168.1.0 255.255.255.0 any eq smtp
Now users can get POP3 email, send email via the approved SMTP server only and are denied to any other SMTP servers.
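To see why the order of the entries matters (as the first answer warns), here is an added example, not from the thread, that evaluates flows against both ACLs above with the ASA's first-match semantics and an implicit deny at the end; the client address 10.10.10.50 and the destination 203.0.113.25 are constructed test values.

```python
import ipaddress
from typing import List, Tuple

# One ACE: (action, protocol, source network, destination network, destination port).
# "any" in the ASA lines is written as 0.0.0.0/0; eq smtp = 25, eq pop3 = 110.
ACE = Tuple[str, str, str, str, int]

def first_match(acl: List[ACE], proto: str, src: str, dst: str, dport: int) -> str:
    """Return the action of the first ACE matching the flow, or the implicit deny.
    Only the SMTP/POP3 lines from the thread are modelled; a complete outbound
    ACL would end with whatever entries permit the rest of the traffic."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, s, d, port in acl:
        if p != proto or port != dport:
            continue
        if src_ip not in ipaddress.ip_network(s) or dst_ip not in ipaddress.ip_network(d):
            continue
        return action          # first match wins, later entries are never consulted
    return "deny"              # implicit deny at the end of every ASA ACL

# First answer: only the two mail servers may open SMTP sessions outbound.
INSIDE_OUT: List[ACE] = [
    ("permit", "tcp", "10.10.10.5/32", "0.0.0.0/0", 25),
    ("permit", "tcp", "10.10.10.6/32", "0.0.0.0/0", 25),
    ("deny",   "tcp", "0.0.0.0/0",     "0.0.0.0/0", 25),
]

# Second answer: POP3 clients on the LAN may fetch mail and use the ISP's SMTP relay only.
POP_CLIENTS: List[ACE] = [
    ("permit", "tcp", "192.168.1.0/24", "69.222.73.10/32", 110),
    ("permit", "tcp", "192.168.1.0/24", "75.50.95.73/32",  25),
    ("deny",   "tcp", "192.168.1.0/24", "0.0.0.0/0",       25),
]

def deny_first(acl: List[ACE]) -> List[ACE]:
    """The same entries with the deny line moved to the top: the ordering mistake."""
    return [a for a in acl if a[0] == "deny"] + [a for a in acl if a[0] == "permit"]

if __name__ == "__main__":
    print(first_match(INSIDE_OUT, "tcp", "10.10.10.5", "203.0.113.25", 25))    # permit: mail server
    print(first_match(INSIDE_OUT, "tcp", "10.10.10.50", "203.0.113.25", 25))   # deny: infected workstation
    print(first_match(deny_first(INSIDE_OUT), "tcp", "10.10.10.5", "203.0.113.25", 25))  # deny: wrong order
```

With the deny entry first, the mail servers themselves lose outbound SMTP, which is the failure the "order is very important" remark refers to.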