I've got a PIX 515 running 6.3(3). As an extra added security measure in the face of viruses, I want to make sure that only 1 system in our DMZ can send e-mail messages out to port 25 on any IP address outside of our network. If an infected machine tries to start spewing mail with its own SMTP connections, the firewall will block it. If the infected machine uses our outgoing mail system in the DMZ, we're still screwed.
There is a global pool defined for our outside interface. The allowable connection will come from one machine in our DMZ. We want to block attempts from any other machine on any higher level interface from getting out.
I'm having a tough time trying to figure out where to place the access list. My first thought was to put it on the outside interface, but I don't think that's going to work because the traffic is outbound from the outside interface. There are certainly no access lists in place on the outside interface that specifically allow the NAT'd and PAT'd traffic that works correctly now.
Legitimate mail from our users is sent to the Exchange server and then the Exchange server sends it via SMTP to the outgoing mail server in the DMZ. So, legitimate traffic is clearly defined as one machine in the DMZ sending out to the internet on port 25.
I'm not sure your example will work in my situation. There is a machine in the DMZ that accepts all of the incoming mail for our company and then forwards it from the DMZ up to the Exchange server (which is at a higher level on the PIX). The good news is that legitimate incoming mail from the DMZ to Exchange will always come from 1 system in the DMZ to 1 system on the inside (the Exchange server).
Because we have a global pool set up, any illegitimate outbound traffic from the inside interface to the outside wouldn't go to the DMZ--it would just use the global pool to go directly outside. I guess I'm struggling with where to place the access list because this is outbound traffic and access lists affect traffic inbound to an interface. I'm not sure I can find a place to grab hold of this traffic.
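One way to put this into PIX 6.3 configuration, as an added example that is not part of the thread above: the PIX evaluates an access-group against traffic entering the interface, so the place to catch DMZ hosts sending to port 25 is an inbound list on the DMZ interface, and the place to catch inside hosts is an inbound list on the inside interface. Interface names (inside, dmz) and all addresses are assumptions chosen for the example.

```cisco
! Added example, not taken from the thread. Assumed interface names: inside, dmz, outside.
! Placeholder addresses: 10.10.10.25 = DMZ outgoing mail relay,
!                        192.168.1.10 = inside Exchange server.
!
! DMZ interface: only the mail relay may open port 25 to anything (outside hosts, or
! the Exchange server via its static translation). Every other DMZ host is denied
! on port 25 and the attempt is logged (syslog 106100); all other traffic is left alone.
access-list dmz_in permit tcp host 10.10.10.25 any eq smtp
access-list dmz_in deny tcp any any eq smtp log
access-list dmz_in permit ip any any
access-group dmz_in in interface dmz
!
! Inside interface: only the Exchange server may open port 25, and only to the relay.
! This also stops an inside host from talking to the DMZ relay directly on port 25.
access-list inside_in permit tcp host 192.168.1.10 host 10.10.10.25 eq smtp
access-list inside_in deny tcp any any eq smtp log
access-list inside_in permit ip any any
access-group inside_in in interface inside
```

Two caveats: once an access-group is bound to a higher-security interface, the implicit permit for traffic heading to lower-security interfaces no longer applies, so the trailing `permit ip any any` is what keeps the existing NAT and PAT traffic working; and the `log` keyword on a deny entry is what makes a blocked SMTP attempt visible in syslog, which is the signal worth watching for when an infected host starts spewing mail. `show access-list` shows per-entry hit counts and is the quickest way to confirm the deny lines are actually matching.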