Filter SMTP

amacdos (Level 1)

Hi there, I am trying to add more statements like the ones below.

Actually, I am trying to filter the outside network's access to our SMTP server.

access-list inbound permit icmp any any

* access-list inbound permit host 209.31.227.0 host 202.172.47.6 eq smtp

access-list inbound permit tcp any host 202.172.47.6 eq pop3

access-list inbound permit tcp any host 10.0.12.12 eq smtp

access-list inbound permit tcp any host 10.0.12.12 eq pop3

access-list inbound permit tcp any host 202.172.47.6 eq smtp

access-list inbound permit tcp any host 203.172.13.68 eq smtp

* new statements

But after adding the statements, my PIX went down; it means it couldn't receive any emails any more. I checked using sh access-list, and the new statements (*) that I added did not work: no counter.

Any idea what happens?

Thanks in advance

alexis.fidalgo (Level 1)

access-list inbound permit host 209.31.227.0 host 202.172.47.6 eq smtp

This statement is missing the protocol:

access-list inbound permit tcp host 209.31.227.0 host 202.172.47.6 eq smtp

I am sorry, I think I put it wrongly.

This is my PIX access-list:

access-list inbound permit icmp any any

access-list inbound permit tcp any host 202.156.59.3 eq pop3

access-list inbound permit tcp any host 202.156.59.3 eq smtp

access-list inbound deny tcp host 216.0.0.0 host 202.156.59.3 eq smtp

access-list inbound deny tcp host 217.0.0.0 host 202.156.59.3 eq smtp

After sh access-list, the deny statements were not executed.

I have tried this, but still the same:

access-list inbound permit icmp any any

access-list inbound deny tcp host 216.0.0.0 host 202.156.59.3 eq smtp

access-list inbound deny tcp host 217.0.0.0 host 202.156.59.3 eq smtp

access-list inbound permit tcp any host 202.156.59.3 eq pop3

access-list inbound permit tcp any host 202.156.59.3 eq smtp

I am still new to PIX; hope somebody can help me. Thanks to Alexis.

The last line of an access-list is always "deny all", i.e. "access-list inbound deny ip all all".

If you would like to specify some networks that cannot reach your SMTP server, you have to put those statements before your permit line, which permits everyone.

If you like to deny SMTP-traffic from 216.0.0.0 and 217.0.0.0 networks the access-lists should be as follows:

access-list inbound deny tcp 216.0.0.0 255.0.0.0 host 202.156.59.3 eq smtp

access-list inbound deny tcp 217.0.0.0 255.0.0.0 host 202.156.59.3 eq smtp

This is because those addresses are not host addresses.

Regards

//Tomas
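The two points Tomas makes (first-match evaluation with an implicit deny at the end, and "host 216.0.0.0" being a single address rather than the 216/8 network) are easy to see with a small simulator. The following Python is an added example, not code from the thread or from Cisco; it parses PIX-style access-list lines, evaluates constructed sample connections in order, and tracks a per-entry hit counter like the one "sh access-list" displays. The ACL texts and the sample source addresses are constructed for the demonstration; the mail server address is the one from the thread.

```python
# Added example (not from the thread): a first-match simulator for PIX-style
# access-list entries. It shows why a deny placed after "permit tcp any ... eq smtp"
# never gets a hit, and why "host 216.0.0.0" matches one address, not 216.0.0.0/8.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"smtp": 25, "pop3": 110}


@dataclass
class AclEntry:
    text: str
    action: str                   # "permit" or "deny"
    proto: str                    # "ip", "tcp", "udp", "icmp", ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]          # None when the entry has no "eq <port>" clause
    hits: int = 0                 # what "sh access-list" reports as the hit counter


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse one PIX address spec at tokens[i]: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # PIX takes a real subnet mask here (255.0.0.0), not an IOS-style wildcard mask.
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(lines: List[str]) -> List[AclEntry]:
    """Parse lines of the form: access-list NAME permit|deny PROTO SRC DST [eq PORT]."""
    entries = []
    for line in lines:
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
            raise ValueError(f"unsupported entry: {line!r}")
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        dport = None
        if i < len(t) and t[i] == "eq":
            dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        entries.append(AclEntry(line, t[2], t[3], src, dst, dport))
    return entries


def evaluate(entries: List[AclEntry], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> str:
    """First-match evaluation, as the PIX does, ending in the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in entries:
        if e.proto != "ip" and e.proto != proto:
            continue
        if s not in e.src or d not in e.dst:
            continue
        if e.dport is not None and e.dport != dport:
            continue
        e.hits += 1               # the counter only moves for the entry that matched
        return e.action
    return "deny"                 # implicit "deny ip any any" at the end of every ACL


def hit_counts(entries: List[AclEntry]) -> List[int]:
    return [e.hits for e in entries]


# Constructed ACLs mirroring the orderings discussed in the thread.
DENY_AFTER_PERMIT = [
    "access-list inbound permit icmp any any",
    "access-list inbound permit tcp any host 202.156.59.3 eq pop3",
    "access-list inbound permit tcp any host 202.156.59.3 eq smtp",
    "access-list inbound deny tcp 216.0.0.0 255.0.0.0 host 202.156.59.3 eq smtp",
    "access-list inbound deny tcp 217.0.0.0 255.0.0.0 host 202.156.59.3 eq smtp",
]
DENY_BEFORE_PERMIT = [
    "access-list inbound permit icmp any any",
    "access-list inbound deny tcp 216.0.0.0 255.0.0.0 host 202.156.59.3 eq smtp",
    "access-list inbound deny tcp 217.0.0.0 255.0.0.0 host 202.156.59.3 eq smtp",
    "access-list inbound permit tcp any host 202.156.59.3 eq pop3",
    "access-list inbound permit tcp any host 202.156.59.3 eq smtp",
]
# The original post's form: "host 216.0.0.0" is one /32 address, not the 216/8 network.
HOST_FORM = [
    "access-list inbound deny tcp host 216.0.0.0 host 202.156.59.3 eq smtp",
    "access-list inbound permit tcp any host 202.156.59.3 eq pop3",
    "access-list inbound permit tcp any host 202.156.59.3 eq smtp",
]

# Constructed sample connections: (proto, source, destination, destination port).
SAMPLE_PACKETS = [
    ("tcp", "216.1.2.3", "202.156.59.3", 25),      # SMTP from inside 216/8
    ("tcp", "217.9.9.9", "202.156.59.3", 25),      # SMTP from inside 217/8
    ("tcp", "216.1.2.3", "202.156.59.3", 110),     # POP3 from 216/8: not filtered
    ("tcp", "198.51.100.7", "202.156.59.3", 25),   # SMTP from elsewhere
]


def run_scenario(acl_lines: List[str]) -> Tuple[List[str], List[int]]:
    """Return the verdict for each sample packet and the per-entry hit counters."""
    entries = parse_acl(acl_lines)
    verdicts = [evaluate(entries, *pkt) for pkt in SAMPLE_PACKETS]
    return verdicts, hit_counts(entries)


if __name__ == "__main__":
    for name, acl in [("deny after permit", DENY_AFTER_PERMIT),
                      ("deny before permit", DENY_BEFORE_PERMIT),
                      ("host form", HOST_FORM)]:
        verdicts, hits = run_scenario(acl)
        print(f"{name}: verdicts={verdicts} hits={hits}")
```

With the deny entries after the broad permit, every SMTP connection is decided by the permit line and the deny counters stay at zero, which is exactly the "no counter" symptom from the first post. Moving the deny entries in front of the permit blocks the two networks while leaving POP3 and other sources untouched; the host form only ever denies the single address 216.0.0.0.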

Thanks Tomas,

I believe it should be like below:

access-list inbound permit icmp any any

access-list inbound deny tcp 216.0.0.0 255.0.0.0 host 202.156.59.3 eq smtp

access-list inbound deny tcp 217.0.0.0 255.0.0.0 host 202.156.59.3 eq smtp

access-list inbound permit tcp any host 202.156.59.3 eq pop3

access-list inbound permit tcp any host 202.156.59.3 eq smtp

After putting in these statements, do I need to issue any other commands, like clear xlate? Because when I deleted the access-list inbound and put in the new statements, there was no SMTP traffic.

Am I missing any steps?