Cisco Support Community
Community Member

Allowing SMTP traffic from a few IP ranges

I need to configure my PIX 506E to only allow SMTP traffic from certain IP ranges to my mail server. However, I am unsure of the proper method of accomplishing this task. If I put in access lists for each range and nothing else associated with SMTP, would that accomplish the task?

Any help would be great!

Thanks,

Michael Laro

1 ACCEPTED SOLUTION

Accepted Solutions
Community Member

Re: Allowing SMTP traffic from a few IP ranges

One thing that may help is to use "object grouping". With object grouping, you can group networks, protocols, and services (ftp, smtp, etc.). If you have a handful of IP addresses and/or subnets that you want to allow SMTP access to your mail server, you could do it similar to this. Remember, by default NO traffic can come from the internet, through your outside interface, and into your private network. So if you, say, give the following addresses permissions, then only they will be allowed and no one else. Here is an example of object grouping.

SMTP Server address: 172.17.1.1

Addresses you want to allow SMTP: 32.18.7.0/24, 204.215.18.0/24, and 113.113.45.1, and 118.55.34.20.

pixfirewall(config)# object-group network MAIL
pixfirewall(config-network)# network-object 32.18.7.0 255.255.255.0
pixfirewall(config-network)# network-object 204.215.18.0 255.255.255.0
pixfirewall(config-network)# network-object host 113.113.45.1
pixfirewall(config-network)# network-object host 118.55.34.20

Now create your access-list:

pixfirewall(config)# access-list COMING-IN permit tcp object-group MAIL host 172.17.1.1 eq smtp
pixfirewall(config)# access-group COMING-IN in interface outside

This will allow the networks and IP addresses you defined in the network group called "MAIL" access to your mail server. Hope this helps.
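To check the intended policy before pushing it to the PIX, here is an added Python example (not from the thread) that models the MAIL object group and the COMING-IN access list above with top-down, first-match, implicit-deny semantics and reports whether a given source, destination, protocol and port would be permitted. The addresses are the ones in the answer; the evaluator is my own model of the access-list logic, and note that on PIX 6.x the destination in an inbound outside ACL is the translated (global) address of the mail server.

```python
import ipaddress

# Constructed policy model of the answer above (not a PIX config parser).
OBJECT_GROUPS = {
    "MAIL": ["32.18.7.0/24", "204.215.18.0/24",
             "113.113.45.1/32", "118.55.34.20/32"],
}

# Each ACE: (action, protocol, source, destination, dst_port).
# Order matters: a PIX access-list is evaluated top-down, first match
# wins, and anything unmatched hits the implicit deny at the end.
COMING_IN = [
    ("permit", "tcp", "object-group MAIL", "172.17.1.1/32", 25),  # eq smtp
]


def expand_source(src):
    """Resolve 'object-group NAME' or a CIDR string into ip_network objects."""
    if src.startswith("object-group "):
        name = src.split(" ", 1)[1]
        return [ipaddress.ip_network(n) for n in OBJECT_GROUPS[name]]
    return [ipaddress.ip_network(src)]


def evaluate(acl, src_ip, dst_ip, proto, dst_port):
    """Return ('permit' | 'deny', index of the matching ACE or None)."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for i, (action, ace_proto, ace_src, ace_dst, ace_port) in enumerate(acl):
        if ace_proto != proto or ace_port != dst_port:
            continue
        if dst not in ipaddress.ip_network(ace_dst):
            continue
        if any(src in net for net in expand_source(ace_src)):
            return action, i
    return "deny", None  # implicit deny: nobody else reaches the mail server


if __name__ == "__main__":
    # Constructed sample flows: one permitted, two that fall to implicit deny.
    for pkt in [("32.18.7.77", "172.17.1.1", "tcp", 25),
                ("32.18.8.1", "172.17.1.1", "tcp", 25),
                ("118.55.34.20", "172.17.1.1", "tcp", 587)]:
        print(pkt, "->", evaluate(COMING_IN, *pkt))
```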

3 REPLIES
Silver

Re: Allowing SMTP traffic from a few IP ranges

Michael,

A couple of things need to be configured for SMTP access from outside to inside:

static (inside,outside) tcp interface smtp smtp_inside_ip_address smtp
access-list 101 permit tcp network_address mask interface eq smtp
access-group 101 in interface outside

I hope this helps! Thanks,

Mynul

Community Member

Re: Allowing SMTP traffic from a few IP ranges

Mynul,

Thanks for the information. That is how I currently have my PIX configured now. I would like to allow only SMTP from a few IP ranges. I am not sure of the proper configurations of this.

Thanks
