Deny outside SMTP traffic from all EXCEPT mail server

chuston001
Level 1

We have a PIX 515E Version 6.3(3).

I'd like to prevent all inside IPs from sending traffic on port 25 EXCEPT our mail server.

Using inside network 10.10.10.xxx

Outside IP 63.252.xxx.xxx

Mail Server 10.10.10.9

Would these work?

access-list smtp_in permit tcp 10.10.10.9 255.255.255.255 63.252.xxx.xxx 255.255.255.255 eq smtp

access-list smtp_in deny tcp any host 63.252.xxx.xxx eq smtp

Accepted Solution

fzamora
Cisco Employee

You need to add

access-list smtp_in permit tcp host 10.10.10.9 any eq 25

access-list smtp_in deny tcp any any eq 25

access-list smtp_in permit ip any any

Don't forget to apply the ACLs to the inside interface with the command

access-group smtp_in in interface inside

Franco


4 Replies


Worked perfectly!

Thanks Franco

Hi Franco,

why do you need access-list smtp_in permit ip any any?

Also since this is an inside interface, assuming it has the highest security level, I guess there's an implicit allow rule at the end.
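The ordering question above turns on how a PIX evaluates an interface ACL: entries are checked top down, the first match decides, and any packet that matches nothing is dropped by the implicit deny at the end of the list. Once `access-group smtp_in in interface inside` binds a list to the inside interface, that implicit deny replaces the high-to-low security-level default, which is why the accepted answer ends with `permit ip any any`. The following Python model is an added example, not code from this thread or from Cisco; it parses the three `access-list` lines from the accepted answer into a first-match evaluator and runs a few constructed flows (the 198.51.100.x destinations are documentation addresses chosen for the example) through the list both with and without the final permit.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Service names the parser resolves to port numbers (assumption: a small
# subset of the keywords PIX accepts after "eq").
SERVICE_PORTS = {"smtp": 25, "www": 80, "https": 443, "domain": 53}


@dataclass
class AclEntry:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "tcp" or "udp"; "ip" matches any protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]        # None means any destination port


def _parse_addr(tokens: List[str], i: int):
    """Parse one PIX address spec at tokens[i]; return (network, next_index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # PIX writes "address mask" with a normal subnet mask, not a wildcard mask.
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl_line(line: str) -> AclEntry:
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT]'."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    action, proto = t[2], t[3]
    src, i = _parse_addr(t, 4)
    dst, i = _parse_addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        port = t[i + 1]
        dport = int(port) if port.isdigit() else SERVICE_PORTS[port]
    return AclEntry(action, proto, src, dst, dport)


def evaluate(acl: List[AclEntry], proto: str, src: str, dst: str, dport: int) -> str:
    """First matching entry wins; no match falls through to the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for entry in acl:
        if entry.proto != "ip" and entry.proto != proto:
            continue
        if s not in entry.src or d not in entry.dst:
            continue
        if entry.dport is not None and entry.dport != dport:
            continue
        return entry.action
    return "deny (implicit)"


# The three lines from the accepted answer, in the order given there.
SMTP_IN = [parse_acl_line(line) for line in (
    "access-list smtp_in permit tcp host 10.10.10.9 any eq 25",
    "access-list smtp_in deny tcp any any eq 25",
    "access-list smtp_in permit ip any any",
)]

# The same list with the final "permit ip any any" left off.
SMTP_IN_NO_FINAL_PERMIT = SMTP_IN[:2]

# Constructed sample flows: (protocol, source, destination, destination port).
FLOWS = [
    ("tcp", "10.10.10.9", "198.51.100.25", 25),   # mail server to a remote MX
    ("tcp", "10.10.10.20", "198.51.100.25", 25),  # workstation to a remote MX
    ("tcp", "10.10.10.20", "198.51.100.80", 80),  # workstation browsing the web
]


def decisions(acl: List[AclEntry]) -> List[str]:
    """Return the verdict for each sample flow, in FLOWS order."""
    return [evaluate(acl, *flow) for flow in FLOWS]


if __name__ == "__main__":
    for label, acl in (("with permit ip any any", SMTP_IN),
                       ("without permit ip any any", SMTP_IN_NO_FINAL_PERMIT)):
        print(label)
        for flow, verdict in zip(FLOWS, decisions(acl)):
            print(f"  {flow[1]} -> {flow[2]}:{flow[3]}  {verdict}")
```

With the full list the mail server's SMTP is permitted, the workstation's SMTP is denied by the second entry, and the workstation's web traffic reaches the third entry and is permitted. Drop the third entry and the web flow matches nothing, so it hits the implicit deny, which is exactly the outage the `permit ip any any` line prevents.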