New Member

Restricting outbound email traffic on PIX 515

Hi Folks,

This has been asked before, but I need to ensure that only one specific system is allowed to send email out of our network. It's been some time since I've messed with ACLs, and I recall that you can have only one ACL per interface.

I have the following already on our primary PIX:

access-group acl_outside_in in interface outside

access-group acl_outside_in in interface inside

access-group acl_outside_in in interface control

access-group acl_outside_in in interface DMZ

I'd like to add:

access-list acl_out permit tcp host emailserver any eq 25

access-list acl_out deny tcp any any eq 25

So I suspect I need to setup...

access-group acl_inside_out out interface inside

Am I on the right track?

Thanks,

~Steve


9 REPLIES
Hall of Fame Super Blue

Re: Restricting outbound email traffic on PIX 515

Steve

You can have one ACL per direction per interface on PIX v7.x software and above.

If you are restricting e-mail from one internal host to the outside why not just add it to acl_outside_in acl ?

Jon

New Member

Re: Restricting outbound email traffic on PIX 515

Jon,

Yup, just reviewed that very issue. Isn't it the case that on the PIX we have to remove the ACL and then re-add it? You can't simply add the necessary lines, otherwise you get the deny any any by default, correct?

This is what I was thinking of...

access-list acl_inside_in permit tcp host emailserver any eq smtp

access-list acl_inside_in deny tcp any any eq smtp

access-list acl_inside_in permit ip any any

~Steve

Hall of Fame Super Blue

Re: Restricting outbound email traffic on PIX 515

Steve

You should be able to insert lines on a PIX access-list. Do a "sh access-list acl_inside_in" and it should give you line numbers, and then you can just add your lines with the line number where you want to insert them.

Your acl looks fine to me.

Jon

New Member

Re: Restricting outbound email traffic on PIX 515

Many thanks. I'll give 'er a try.

~Steve

New Member

Re: Restricting outbound email traffic on PIX 515

All I have there is an access-list acl_inside_in line 1 permit ip any any.

I don't think we have that access-group applied to an interface.

~Steve

Hall of Fame Super Blue

Re: Restricting outbound email traffic on PIX 515

Okay then, just create a new acl using what you had in your previous post and then apply it. Make sure you have the "permit ip any any" at the end though :-)

Jon

New Member

Re: Restricting outbound email traffic on PIX 515

Jon,

We're running v6.3 here and I don't see/understand how to insert these statements.

~Steve

Hall of Fame Super Blue

Re: Restricting outbound email traffic on PIX 515

Steve

Apologies, I thought because you hadn't applied the acl to an interface you were just going to create a new access-list?

If not, taking your previous example, you have -

access-list acl_inside_in line 1 permit ip any any

so

pix(config)# access-list acl_inside_in line 1 deny tcp any any eq smtp

pix(config)# access-list acl_inside_in line 1 permit tcp host emailserver any eq smtp

then a "sh access-list acl_inside_in" should show

access-list acl_inside_in line 1 permit tcp host emailserver any eq smtp

access-list acl_inside_in line 2 deny tcp any any eq smtp

access-list acl_inside_in line 3 permit ip any any

Jon
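The two points Jon's answer relies on, that "line N" inserts at position N and pushes the existing entries down, and that any packet no entry matches falls through to the implicit deny at the end of the list, are easy to get wrong when typing the commands. The following Python script is an added example (not Cisco code and not from this thread) that parses the subset of the PIX 6.3 access-list syntax used above, applies the line-insert semantics, and evaluates sample packets first-match. The address 192.0.2.25 stands in for the thread's "emailserver", and the packets and commands are constructed for the example; port names are rendered as numbers in the simulated "show access-list" output.

```python
"""Simulate PIX 6.3 access-list line insertion and first-match evaluation.

Constructed example for the thread above, not Cisco code. Only the syntax
the thread uses is parsed:
    access-list NAME [line N] permit|deny PROTO SRC DST [eq PORT]
where PROTO is ip, tcp or udp and SRC/DST is "any" or "host A.B.C.D".
"""
import re
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"smtp": 25, "www": 80, "https": 443, "domain": 53}
EMAILSERVER = "192.0.2.25"   # documentation address standing in for "emailserver"

ACL_RE = re.compile(
    r"^access-list (\S+)(?: line (\d+))? (permit|deny) (ip|tcp|udp) "
    r"(any|host \S+) (any|host \S+)(?: eq (\S+))?$"
)


@dataclass
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches any protocol
    src: str               # "any" or a host address
    dst: str
    dport: Optional[int]   # None when no "eq PORT" was given

    def matches(self, proto, src, dst, dport):
        if self.proto != "ip" and self.proto != proto:
            return False
        if self.src != "any" and self.src != src:
            return False
        if self.dst != "any" and self.dst != dst:
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return True

    def text(self):
        s = "any" if self.src == "any" else f"host {self.src}"
        d = "any" if self.dst == "any" else f"host {self.dst}"
        port = f" eq {self.dport}" if self.dport is not None else ""
        return f"{self.action} {self.proto} {s} {d}{port}"


def apply_command(acls, cmd):
    """Apply one access-list command to a dict of ACL name -> list of Ace."""
    m = ACL_RE.match(cmd.strip())
    if not m:
        raise ValueError(f"unsupported access-list syntax: {cmd!r}")
    name, line, action, proto, src, dst, port = m.groups()
    dport = None if port is None else (PORT_NAMES.get(port) or int(port))
    ace = Ace(action, proto, src.replace("host ", ""), dst.replace("host ", ""), dport)
    entries = acls.setdefault(name, [])
    if line is None:
        entries.append(ace)                 # no "line N": append at the end
    else:
        # "line N" inserts at position N and pushes what was there down.
        # That is why issuing the deny at line 1 and then the permit at
        # line 1 leaves the permit first, exactly as Jon describes.
        entries.insert(int(line) - 1, ace)
    return acls


def show_access_list(acls, name):
    """Render the ACL the way "show access-list NAME" numbers its lines."""
    return [f"access-list {name} line {i} {ace.text()}"
            for i, ace in enumerate(acls[name], start=1)]


def evaluate(acls, name, proto, src, dst, dport=None):
    """First matching entry wins; no match means the implicit deny."""
    for ace in acls.get(name, []):
        if ace.matches(proto, src, dst, dport):
            return ace.action
    return "deny"


def build_thread_acl(with_final_permit=True):
    """Replay the thread's sequence: an existing permit-everything ACL, then
    the two SMTP lines inserted at line 1 in the order Jon gave. Passing
    with_final_permit=False shows what happens without the trailing permit."""
    acls = {}
    if with_final_permit:
        apply_command(acls, "access-list acl_inside_in permit ip any any")
    apply_command(acls, "access-list acl_inside_in line 1 deny tcp any any eq smtp")
    apply_command(acls, f"access-list acl_inside_in line 1 permit tcp host {EMAILSERVER} any eq smtp")
    return acls


if __name__ == "__main__":
    acls = build_thread_acl()
    for entry in show_access_list(acls, "acl_inside_in"):
        print(entry)
    # Constructed packets: the mail server, a rogue host, and ordinary web traffic.
    print(evaluate(acls, "acl_inside_in", "tcp", EMAILSERVER, "203.0.113.10", 25))
    print(evaluate(acls, "acl_inside_in", "tcp", "192.0.2.77", "203.0.113.10", 25))
    print(evaluate(acls, "acl_inside_in", "tcp", "192.0.2.77", "203.0.113.10", 443))
    # Without "permit ip any any" everything but the mail server's SMTP is dropped.
    bare = build_thread_acl(with_final_permit=False)
    print(evaluate(bare, "acl_inside_in", "tcp", "192.0.2.77", "203.0.113.10", 443))
```

Running the script prints the three lines in the order Jon lists, permits SMTP only from the mail server, lets other traffic through, and, for the list built without the final permit, shows the implicit deny swallowing the web session: the reason Jon insists on "permit ip any any" at the end.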

New Member

Re: Restricting outbound email traffic on PIX 515

Jon,

Most kind of you. Many thanks! This should do the trick. Hopefully we don't see any unanticipated effects, but we can remove this list quickly if there are any problems.

~Steve
