Configure Cisco asa 5505 to deny outgoing smtp traffic except to my mailhost


  • Configure Cisco asa 5505 to deny outgoing smtp traffic except to my mailhost

    Hi guys,

    I need help. I have recently been blacklisted and I currently have to delist the IP manually or restart the DSL modem to get another DHCP WAN IP. This workaround doesn't
    last more than a day before I am relisted.

    I have a cisco asa 5505 pix connected to my dsl modem and then to my internal lan.

    I am being blacklisted because some infected machine on lan has spam generating virus pumping spam out on port 25.

    Our mail is hosted externally so everyone also uses port 25 with the mail clients to pop and smtp mail to mail host (ip).

    Objective
    To create a rule on the firewall to block SMTP traffic from all hosts on the internal LAN
    except if destined to my external mail host.

    Any help appreciated if possible. Thanks in advance
    Last edited by willing; 5th June 2009, 03:44.

  • #2
    Re: Configure Cisco asa 5505 to deny outgoing smtp traffic except to my mailhost

    1. Find the host with the virus, anything could be on it including remote access! Turn it off.
    2. The command, assuming you want everything else to work is:

    Code:
    access-list inbound_on_inside remark Allow SMTP only to the external mail host
    access-list inbound_on_inside permit tcp any host 1.1.1.1 eq smtp
    access-list inbound_on_inside remark Block SMTP to anywhere else
    access-list inbound_on_inside deny tcp any any eq smtp
    access-list inbound_on_inside remark Leave all other traffic alone
    access-list inbound_on_inside permit ip any any
    access-group inbound_on_inside in interface inside
    You can lock it down more if you require of course. The basics are:
    1. Allow smtp to the public host of 1.1.1.1
    2. Deny smtp to anywhere else
    3. Allow everything else.
    cheers
    Andy

    Please read this before you post:


    Quis custodiet ipsos custodes?



    • #3
      Re: Configure Cisco asa 5505 to deny outgoing smtp traffic except to my mailhost

      Thanks bro

      I'll try to implement it.



      • #4
        Re: Configure Cisco asa 5505 to deny outgoing smtp traffic except to my mailhost

        Hi, is it easier or possible to do this from ASDM, or should I just connect a console cable, connect from HyperTerminal and try these commands?
        Last edited by willing; 6th June 2009, 15:05.



        • #5
          Re: Configure Cisco asa 5505 to deny outgoing smtp traffic except to my mailhost

          I've never used ASDM. The theory is it should be fairly easy though, give it a try!

          If you want to use the console then have a look at the config to see if there already is an access-list on the inside interface as we may have to merge them.
          cheers
          Andy



          • #6
            Re: Configure Cisco asa 5505 to deny outgoing smtp traffic except to my mailhost

            I'm working on doing nearly the same thing, except that our exchange server is inside the network. We had the same issue with spammers and want to lock down smtp for everything except for the exchange server. How would we modify that config to get that done? Thanks in advance.
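The following is an added example, not code from the thread or from Cisco, that models what the two access lists in this thread do. It implements the first-match evaluation an ASA applies to an interface ACL (including the implicit deny at the end), renders a policy back into the `access-list` / `access-group` syntax from reply #2 with the optional `extended` keyword spelled out, and, for step 1 of that reply (find the infected host), tallies ACL deny messages per internal source. It goes beyond the thread in one place: the `INTERNAL_EXCHANGE_POLICY` list shows the usual way to handle the situation in post #6, matching on the mail server as the source instead of the destination. All addresses (1.1.1.1 is the placeholder from reply #2; 192.168.1.x and the 203.0.113.x / 198.51.100.x destinations are assumed) and the syslog lines, written in the shape of ASA message 106023, are constructed for the example.

```python
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

SMTP = 25
MAILHOST = "1.1.1.1"          # external mail host placeholder used in reply #2
EXCHANGE = "192.168.1.10"     # assumed address of an internal Exchange server (post #6)
ANY = ipaddress.ip_network("0.0.0.0/0")


def host(ip: str) -> ipaddress.IPv4Network:
    """A /32 network, the equivalent of 'host x.x.x.x' in ASA syntax."""
    return ipaddress.ip_network(f"{ip}/32")


@dataclass(frozen=True)
class Ace:
    """One access-control entry: action, protocol, source, destination, destination port."""
    action: str                     # "permit" or "deny"
    proto: str                      # "tcp", "udp" or "ip" (ip matches any protocol)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None     # None means any destination port


# Reply #2's policy: SMTP only to the external mail host, everything else untouched.
EXTERNAL_MAILHOST_POLICY = [
    Ace("permit", "tcp", ANY, host(MAILHOST), SMTP),
    Ace("deny", "tcp", ANY, ANY, SMTP),
    Ace("permit", "ip", ANY, ANY),
]

# Post #6 variant (assumption): the mail server is inside, so match on the source instead.
INTERNAL_EXCHANGE_POLICY = [
    Ace("permit", "tcp", host(EXCHANGE), ANY, SMTP),
    Ace("deny", "tcp", ANY, ANY, SMTP),
    Ace("permit", "ip", ANY, ANY),
]


def evaluate(acl: List[Ace], proto: str, src: str, dst: str, dport: int) -> str:
    """Walk the ACL top to bottom and return the first matching action. An ASA interface
    ACL ends with an implicit deny, so a flow that matches nothing is denied."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"


def render(acl: List[Ace], name: str) -> List[str]:
    """Emit the ACL in ASA syntax followed by the access-group line that binds it
    inbound on the inside interface, as in reply #2."""
    def net(n: ipaddress.IPv4Network) -> str:
        return "any" if n == ANY else f"host {n.network_address}"
    lines = []
    for ace in acl:
        port = "" if ace.dport is None else (" eq smtp" if ace.dport == SMTP else f" eq {ace.dport}")
        lines.append(f"access-list {name} extended {ace.action} {ace.proto} {net(ace.src)} {net(ace.dst)}{port}")
    lines.append(f"access-group {name} in interface inside")
    return lines


# Constructed syslog lines in the shape of ASA message 106023 (packet denied by an ACL);
# the first line is an unrelated connection-built message to show it is ignored.
SAMPLE_LOG = """\
%ASA-6-302013: Built outbound TCP connection 1182 for outside:203.0.113.9/80 (203.0.113.9/80) to inside:192.168.1.37/50210 (198.51.100.2/50210)
%ASA-4-106023: Deny tcp src inside:192.168.1.37/50211 dst outside:203.0.113.9/25 by access-group "inbound_on_inside" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:192.168.1.37/50212 dst outside:198.51.100.77/25 by access-group "inbound_on_inside" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:192.168.1.52/40001 dst outside:203.0.113.9/25 by access-group "inbound_on_inside" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:192.168.1.37/50213 dst outside:203.0.113.10/25 by access-group "inbound_on_inside" [0x0, 0x0]
"""

DENY_RE = re.compile(
    r'Deny tcp src inside:(?P<src>[\d.]+)/\d+ dst outside:(?P<dst>[\d.]+)/(?P<dport>\d+)'
    r' by access-group "(?P<acl>[^"]+)"'
)


def denied_smtp_sources(log_text: str) -> Counter:
    """Count ACL-denied SMTP attempts per internal source. The top entry is the machine
    to pull off the network first (step 1 of reply #2)."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m and int(m.group("dport")) == SMTP:
            counts[m.group("src")] += 1
    return counts


if __name__ == "__main__":
    print("\n".join(render(EXTERNAL_MAILHOST_POLICY, "inbound_on_inside")))
    for dst, port in ((MAILHOST, SMTP), ("203.0.113.9", SMTP), ("203.0.113.9", 80)):
        print(f"192.168.1.37 -> {dst}:{port}: {evaluate(EXTERNAL_MAILHOST_POLICY, 'tcp', '192.168.1.37', dst, port)}")
    print(denied_smtp_sources(SAMPLE_LOG).most_common(1))
```

Ordering is what makes the policy work: the permit for the mail host must sit above the SMTP deny, and the final `permit ip any any` is what keeps POP, web and everything else flowing once an ACL is bound to the inside interface (Andy's point in reply #5 about merging with any existing inside ACL is the same concern). The deny counter only sees traffic the firewall has already blocked, so run it after the ACL is in place.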
