Blocking from Email

[staboogie]

I believe someone is attacking my exchange server. I know a range of IPs that is taking up my ports. How do I block this range from accessing my smtp port or my company at all? I have a Pix 506 firewall version 6.2.

 

[308win]

first line of your outside-in acl deny the addresses
something to the effect of

access-l outside-in line 1 deny ip x.y.z.0 255.255.255.0 any

If you have control of the router between you and your ISP you could do it there also.

 

[staboogie]

Thanks. I already have a allow any to the exchange server, how can I make sure this is before that?

 

[308win]

oop's the 'line 1' part of the command is new with version 6.3 if I remember correctly. Upgrading to 6.3 makes editing ACL's much easier.
Since you are using version 6.2, you'll need to copy the old list into notepad, edit it (add the new line in front of all the other commands), clear the old list on your pix and paste the modified list back.


you say you have an 'allow any' to the exchange server. Do you mean you allow any eq smtp and allow any eq pop3. If you have a plain 'permit ip any host exchange-server' then your machine is wide open to any hacking attempts.

 

[staboogie]

i have allow any smtp and allow any pop3. maybe i'll upgrade to 6.3 for the editing but what i'd like to do is block a range of IPs. I see IPs ranging from 219.x.x.x to 222.x.x.x connecting to my exchange and i'd like to stop that but dont know the syntax.