Make a PayPal Donation

Lijit Search

 
  KB 0000172
  Dated 26/01/10
  Revision 0.01
   
Cisco ASA - Only Allow Mail Servers SMTP Outbound
 
Problem

Its not unusual for nasty Virus's and Malware once they have infected a machine, to set up outbound communications on the mail protocol SMTP (TCP Port 25), which can lead to your public address being blacklisted.

So it's considered good practice to stop all your clients getting mail access outbound through your firewall, while still allowing your mail server.

Note: On Cisco firewall's, access lists are processed in order - so the ALLOW must come before the DENY, they are read from the top down (If you don't have a clue what I'm talking about don't worry).
Solution
Option 1 Via Command Line
1. Connect to the firewall, go to enable mode.

User Access Verification

Password:
Type help or '?' for a list of available commands.
PetesASA> en
Password: ********
PetesASA#
2. Now you need to find if an access control list is being applied to your inside interface, to do that issue the "show run access-group" command, below are two possible results

Result 1 (there IS NOT an access list applied to the inside Interface).

PetesASA# show run access-group
access-group inbound in interface outside
PetesASA#

Result 2 (There IS and access List applied to the inside interface).

PetesASA# show run access-group
access-group outbound in interface inside <Here it is
access-group inbound in interface outside

Note:In the Example above the Access List is called "outbound" it can be called anything!
3. Now you need to allow your mail server SMTP access (In this example my mail server is on 10.254.254.5), then deny SMTP to everyone else, Then allow everything else. (REMEMBER with Cisco firewalls, once you have an access list everything that is not allowed is DENIED that's why you need to allow at the end. (To see this look in the ASDM you will see an "Implicit Deny" at the end.

Note: If you already had an outbound access list (Result 2 above), substitute the name of yours for the work outbound below.

PetesASA# configure terminal
PetesASA(config)# access-list outbound permit tcp host 10.254.254.5 any eq smtp
PetesASA(config)# access-list outbound deny tcp any any eq smtp
PetesASA(config)# access-list outbound permit ip any any
PetesASA(config)#

4. If you already had an access list applied (result 2 above) then you are finished skip to step 5 to save, If you DID NOT then you need to apply the access list you just created to the inside interface, with an access-group command.
Note: Only do this if you got Result 1 above.

PetesASA(config)#
PetesASA(config)# access-group outbound in interface inside
PetesASA(config)#
5. Save your hard work with a "write mem" command.

PetesASA# write mem
Building configuration...
Cryptochecksum: 79745c0a 509726e5 b2c66028 021fdc7d

7424 bytes copied in 1.710 secs (7424 bytes/sec)
[OK]
PetesASA#
Option 2 Connect via ASDM
1. Connect to the ASDM, and add a rule allowing your host to SMTP (At the top!).
2. Below that create a rule that denies SMTP from "any" to "any".
3. Below that create a rule that allows "ip" from "any" to "any".

4. This is what it should look like when you are finished.
5. Finally save the config, click File > Save running config to flash.
References - Credits - Or External Links
NA

 


Bookmark and Share