SMTP Lockdown on an ASA 5505 to specific IP addresses

paulcowburn2409
Level 1

Dear all,

We are trying to allow only a specific IP range to connect to our email server on port 25 from an external source.

We are using a NAT object policy to allow SMTP traffic through the firewall, but this has been configured to allow all SMTP servers to connect on port 25 (resulting in SPAM).

I have attached the NAT Object rules below currently configured:

object network obj_any
 nat (inside,outside) dynamic interface
object network imap4
 nat (inside,outside) static interface service tcp imap4 imap4
object network smtp
 nat (inside,outside) static interface service tcp smtp smtp
object network pop3
 nat (inside,outside) static interface service tcp pop3 pop3
object network security1
 nat (inside,outside) static interface service tcp 3333 3333
object network security2
 nat (inside,outside) static interface service tcp 3000 3000
object network 993
 nat (inside,outside) static interface service tcp 993 993
object network 995
 nat (inside,outside) static interface service tcp 995 995
object network smtps
 nat (inside,outside) static interface service tcp 587 587
object network http
 nat (inside,outside) static interface service tcp www www
object network 465
 nat (inside,outside) static interface service tcp 465 465
object network imapudp
 nat (inside,outside) static interface service udp 143 143
object network imapssl
 nat (inside,outside) static interface service tcp 585 585
object network 993udp
 nat (inside,outside) static interface service udp 993 993
object network 587udp
 nat (inside,outside) static interface service udp 587 587
object network bes
 nat (inside,outside) static interface service tcp domain domain
object network besudp
 nat (inside,outside) static interface service udp domain domain
object network 3101bes
 nat (any,outside) static interface service tcp 3101 3101
object network 465udp
 nat (inside,outside) static interface service udp 465 465
object network RDP-3391
 nat (any,outside) static interface service tcp 3389 3391
object network HYLBKP1
 nat (any,outside) static interface service tcp 3389 3392
object network Exchange_OWA_Private
 nat (inside,outside) static interface service tcp https https

I feel the issue can be resolved by adding an ACL to the firewall; however, when I added the lines below to the firewall and deleted the NAT object policy for SMTP, we could not receive any email.

access-list outside_access_in extended permit tcp 84.xxx.xxx.xxx 255.255.255.128 host 192.168.xxx.xxx eq smtp
access-list outside_access_in extended permit tcp 82.xxx.xxx.xxx 255.255.255.224 host 192.168.xxx.xxx eq smtp

Any help or guidance on this would be greatly appreciated, as we are being bombarded with SPAM currently and require this lockdown quite urgently.

Kind regards
Paul

jj27
Spotlight

You still need the NAT entry to map port 25 (smtp) to your internal host, and then add the access-list entry on your outside interface as you had mentioned. You will want to make sure you remove any entries from the access-list that would permit any any eq smtp.

Overall configuration would look something like this:

object network smtp
 host 192.168.x.x
 nat (inside,outside) static interface service tcp smtp smtp

access-list outside_access_in extended permit tcp 84.xxx.xxx.xxx 255.255.255.128 host 192.168.xxx.xxx eq smtp
access-list outside_access_in extended permit tcp 82.xxx.xxx.xxx 255.255.255.224 host 192.168.xxx.xxx eq smtp

access-group outside_access_in in interface outside
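The reply's two requirements, keep the static NAT but make sure no remaining ACE still permits "any" to port 25, are easy to get wrong when the outside ACL has grown over time. The script below is an added example, not part of this thread or of any Cisco tooling: it parses the extended access-list lines in the form used above (host, any, or address plus subnet mask, optional eq port), flags entries that would still let any source reach SMTP, and evaluates the ACL with the ASA's first-match and implicit-deny semantics for a given source address. The sample ACL and addresses are constructed (RFC 5737 test ranges stand in for the x'd-out ones in the thread); object and object-group references are not modelled.

```python
"""Audit an ASA outside_access_in ACL for over-broad SMTP entries (added example)."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional

# Port names as the ASA prints them in access-list lines (subset used here).
PORT_NAMES = {"smtp": 25, "www": 80, "https": 443, "pop3": 110, "imap4": 143, "domain": 53}

# Constructed sample: a stale "any any eq smtp" line left over from the old
# setup, followed by the two narrowed entries the reply proposes.
SAMPLE_ACL = """
access-list outside_access_in extended permit tcp any any eq smtp
access-list outside_access_in extended permit tcp 198.51.100.0 255.255.255.128 host 192.168.10.5 eq smtp
access-list outside_access_in extended permit tcp 203.0.113.0 255.255.255.224 host 192.168.10.5 eq smtp
""".strip().splitlines()


@dataclass
class AclEntry:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "ip"
    src: IPv4Network
    dst: IPv4Network
    dst_port: Optional[int]  # None means any destination port
    raw: str


def _parse_addr(tokens: List[str], i: int):
    """Consume one ASA address spec at tokens[i]; return (network, next index).

    ASA extended ACLs use a subnet mask after the address, not a wildcard mask.
    """
    t = tokens[i]
    if t in ("any", "any4"):
        return ip_network("0.0.0.0/0"), i + 1
    if t == "host":
        return ip_network(tokens[i + 1] + "/32"), i + 2
    if t in ("object", "object-group"):
        raise ValueError("object references are not modelled: " + " ".join(tokens))
    return ip_network(f"{t}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line: str) -> AclEntry:
    """Parse 'access-list NAME extended permit|deny PROTO SRC DST [eq PORT]'."""
    tokens = line.split()
    if tokens[:1] != ["access-list"] or "extended" not in tokens:
        raise ValueError("not an extended ACE: " + line)
    i = tokens.index("extended") + 1
    action, proto = tokens[i], tokens[i + 1]
    src, i = _parse_addr(tokens, i + 2)
    if i < len(tokens) and tokens[i] == "eq":   # optional source-port match; ignored
        i += 2
    dst, i = _parse_addr(tokens, i)
    dst_port = None
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        dst_port = PORT_NAMES.get(name) or int(name)
    return AclEntry(action, proto, src, dst, dst_port, line)


def parse_acl(lines: List[str]) -> List[AclEntry]:
    return [parse_ace(l) for l in lines if l.strip()]


def overbroad_smtp(entries: List[AclEntry]) -> List[AclEntry]:
    """Permit entries that let any source reach port 25 (the lines the reply says to remove)."""
    return [e for e in entries
            if e.action == "permit" and e.proto in ("tcp", "ip")
            and e.dst_port in (25, None) and e.src.prefixlen == 0]


def hardened(entries: List[AclEntry]) -> List[AclEntry]:
    """The same ACL with the over-broad SMTP entries dropped."""
    bad = overbroad_smtp(entries)
    return [e for e in entries if e not in bad]


def permitted(entries: List[AclEntry], src_ip: str, dst_ip: str, dst_port: int, proto: str = "tcp") -> bool:
    """First matching entry decides; no match means the ASA's implicit deny."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    for e in entries:
        if e.proto in (proto, "ip") and src in e.src and dst in e.dst \
                and (e.dst_port is None or e.dst_port == dst_port):
            return e.action == "permit"
    return False


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    for e in overbroad_smtp(acl):
        print("REMOVE:", e.raw)
    fixed = hardened(acl)
    for ip in ("198.51.100.77", "203.0.113.17", "8.8.8.8"):
        print(ip, "->", "permit" if permitted(fixed, ip, "192.168.10.5", 25) else "deny")
```

Run it against a pasted `show running-config access-list outside_access_in`; any line it prints under REMOVE is one that would keep delivering mail from every source even after the narrowed entries are in place. Because the check evaluates the real (pre-NAT) destination address, it matches how ASA 8.3 and later apply the outside ACL, which is also why the reply's entries name the 192.168.x.x host rather than the outside interface address.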
