Block Outbound traffic, allowed only to send email

[MITELMX]

I am looking for a solution to only allow my mail server traffic go out and block the rest of the traffic that is going outbound, i tried some solutions posted here, but don't work.
I don't know if i am doing something wrong.

The rules that i use are:

access-list in-to-out permit tcp host 10.x.x.x any
access-group in-to-out in interface inside

If exist an implicit deny, i think this is enough to block the rest of the out going traffic.

Thanks in advance, i keep trying with the rest of the posts.

 

[Supergrrover]

There is an implicit deny ip any any at the end of all ACLs. The rule you have allows any tcp (not udp or icmp) traffic from 10.x.x.x to go out. If you want to limit it to smtp only, then you can change the ACl to be
access-list in-to-out permit tcp host 10.x.x.x any eq smtp

Just be aware that there can't be any dns lookups with this setup.

If you prefer to allow all traffic form that specif ip, then
access-list in-to-out permit ip host 10.x.x.x any



Brent
Systems Engineer / Consultant
CCNP, CCSP

 

[MITELMX]

So, with this rule only this address can go out, and the rest will be restricted?

 

[MITELMX]

It is very weird, because if i left the rule as the next:

access-list in-to-out permit tcp host 10.x.x.x any

Some email go to its destination like hotmail, gmail but other not, i mean to others domains.

But i have also some DNS error messages, and it is clear the server is not working normal.

But if i configure the "permit ip host 10.x.x.x any" the mails were stock in the server.

Any idea?

Thanks in advance.

 

[Supergrrover]

Your first post had tcp in the acl, so all dns lookups will fail (being udp) unless it has been cached somewhere.

Once you make a change, you need to clear the translations
clear xlate

that should get them moving again. Also, if you are using Exchange and you have pix 6x code, you will need to disable the smtp fixup. Exchange uses esmtp and that causes it to freeze.


Brent
Systems Engineer / Consultant
CCNP, CCSP

 

[MITELMX]

Hi again :-(

It's so weird, i made all that you said above, and not works, at this moment i have these three lines:

access-list in-to-out permit tcp any any
access-list in-to-out permit udp any any
access-list in-to-out permit icmp any any

and the emails go out normally, but when i try to configure the same lines but only for one host or i try to configure as you say with 'ip' and disable fixup smtp, the email are stocking in the server.
Other test that i made was with the dns and ping from the email server and i have good response.

Thanks in advance.

 

[Supergrrover]

That is weird, those three lines can be summed up as
access-list in-to-out permit ip any any

Maybe something else is going on there. Can you post a config?
(Remove all passwords and mask the external IP 2nd and 3rd octets with a search and replace - they show up all over the place.)


Brent
Systems Engineer / Consultant
CCNP, CCSP

 

[MITELMX]

Thank you Supegrrover, i reconfigured as you say and now is working, there are some issues with the DNS but is in Germany and i need to wait until monday, but at least the PIX is working fine... Thank you very much for you support was very helpful.