
New Member

Deny outside SMTP traffic from all EXCEPT mail server

We have a PIX 515E Version 6.3(3).

I'd like to prevent all inside IPs from sending traffic on port 25 EXCEPT our mail server.

Using inside network 10.10.10.xxx

Outside IP 63.252.xxx.xxx

Mail Server 10.10.10.9

Would these work?

access-list smtp_in permit tcp 10.10.10.9 255.255.255.255 63.252.xxx.xxx 255.255.255.255 eq smtp

access-list smtp_in deny tcp any host 63.252.xxx.xxx eq smtp

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: Deny outside SMTP traffic from all EXCEPT mail server

You need to add

access-list smtp_in permit tcp host 10.10.10.9 any eq 25

access-list smtp_in deny tcp any any eq 25

access-list smtp_in permit ip any any

Don't forget to apply the ACLs to the inside interface with the command

access-group smtp_in in interface inside

Franco

4 REPLIES

New Member

Re: Deny outside SMTP traffic from all EXCEPT mail server

Worked perfectly!

Thanks Franco

New Member

Re: Deny outside SMTP traffic from all EXCEPT mail server

Hi Franco,

Why do you need access-list smtp_in permit ip any any?

New Member

Re: Deny outside SMTP traffic from all EXCEPT mail server

Also since this is an inside interface, assuming it has the highest security level, I guess there's an implicit allow rule at the end.
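The question about the final permit ip any any and the guess about an implicit allow can both be checked against a first-match model of the accepted answer's list. On PIX 6.3, the security-level-based permit (inside to outside) only applies while no access-list is bound to the interface; once access-group binds a list, that list ends in an implicit deny, so everything the first two entries do not match is dropped unless the explicit permit ip any any follows. The evaluator below is an added example written for this page, not code from any post here or from Cisco; it parses the subset of PIX syntax used in the thread (PIX takes real subnet masks, not IOS wildcard masks, and eq smtp means port 25). The names Flow, Ace, parse_ace, evaluate and verdict, and the outside address 198.51.100.10, are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """One candidate packet arriving on the inside interface (constructed test input)."""
    proto: str   # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    """One access-list entry after parsing."""
    action: str                   # "permit" or "deny"
    proto: str                    # "tcp", "udp" or "ip"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]          # None matches any destination port


def _parse_addr(tokens: List[str]) -> Tuple[ipaddress.IPv4Network, List[str]]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D MASK' (PIX uses a subnet mask here, not a wildcard)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_ace(line: str) -> Ace:
    """Parse 'access-list NAME {permit|deny} PROTO SRC DST [eq PORT]' (PIX 6.3 subset)."""
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError(f"not an access-list line: {line}")
    action, proto = tokens[2], tokens[3]
    src, rest = _parse_addr(tokens[4:])
    dst, rest = _parse_addr(rest)
    dport = None
    if rest[:1] == ["eq"]:
        # PIX accepts service names such as 'smtp' as well as numeric ports
        dport = 25 if rest[1] == "smtp" else int(rest[1])
    return Ace(action, proto, src, dst, dport)


def matches(ace: Ace, flow: Flow) -> bool:
    if ace.proto != "ip" and ace.proto != flow.proto:
        return False
    if ipaddress.ip_address(flow.src) not in ace.src:
        return False
    if ipaddress.ip_address(flow.dst) not in ace.dst:
        return False
    if ace.dport is not None and ace.dport != flow.dport:
        return False
    return True


def evaluate(acl: List[Ace], flow: Flow) -> str:
    """First matching entry decides; a bound access-list ends in an implicit deny."""
    for ace in acl:
        if matches(ace, flow):
            return ace.action
    return "deny"


def verdict(acl_lines: List[str], flow: Flow) -> str:
    return evaluate([parse_ace(line) for line in acl_lines], flow)


# The list from the accepted answer, as applied with 'access-group smtp_in in interface inside'.
ACCEPTED_ACL = [
    "access-list smtp_in permit tcp host 10.10.10.9 any eq 25",
    "access-list smtp_in deny tcp any any eq 25",
    "access-list smtp_in permit ip any any",
]
# The same list without the final permit: the case the follow-up question asks about.
WITHOUT_FINAL_PERMIT = ACCEPTED_ACL[:2]

# Constructed sample flows: the mail server, and an ordinary workstation, talking to an outside host.
MAIL_SERVER_SMTP = Flow("tcp", "10.10.10.9", "198.51.100.10", 25)
WORKSTATION_SMTP = Flow("tcp", "10.10.10.50", "198.51.100.10", 25)
WORKSTATION_HTTPS = Flow("tcp", "10.10.10.50", "198.51.100.10", 443)

if __name__ == "__main__":
    for name, acl in (("accepted", ACCEPTED_ACL), ("no final permit", WITHOUT_FINAL_PERMIT)):
        for flow in (MAIL_SERVER_SMTP, WORKSTATION_SMTP, WORKSTATION_HTTPS):
            print(f"{name:16} {flow.proto} {flow.src} -> {flow.dst}:{flow.dport}  {verdict(acl, flow)}")
```

With the full list, only the mail server gets SMTP out and all other traffic still passes; drop the last entry and the workstation's HTTPS flow falls through to the implicit deny along with its SMTP, which is the outage the final permit ip any any prevents.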
