Blocking outbound SMTP traffic 1

[sapper1]

We have recently been hit with a mass mailer virus which resulted in blacklisting. I would like to block outbound port 25 traffic from all internal IPs except two but I am having a little bit of trouble getting it to work. Here is the ACL I was told to use but it took down internet access completely.

access-list acl_out permit tcp host X.X.X.X any eq 25
access-list acl_out permit tcp host x.x.x.x any eq 25
access-list acl_out deny tcp any any eq 25
access-list acl_out permit ip any any
access-group acl_out in interface inside

The last line in the ACL gives me another question. I already have two ACLs in my PIX how can I tell which interface they are applied to? Because if one is already applied to the inside interface I should be able to modify it to block the traffic without creating another ACL.

 

[unclerico]

you could write that acl like this:

access-list acl_out permit tcp host x.x.x.x any eq 25
access-list acl_out permit tcp host x.x.x.x any eq 25
access-list acl_out permit tcp any any eq www
access-list acl_out permit tcp any any eq https
access-list acl_out permit udp any any eq domain

access-group acl_out in interface inside

So according to the ACL above only two hosts can send SMTP traffic, all http, https, and dns are allowed out. There is an implied deny ip any any at the bottom of the ACL.

The easiest way for you to tell is to just do a show run | in access-group and you can see what ACL is applied where and in what direction. Chances are your other ACL is inbound on the outside interface.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[sapper1]

That appears to have done the trick. Thanks!

 

[drummelhart]

also be careful with the smtp fixups. I had to disable mine because it does not allow Exchange access to the clouds

 

[sapper1]

Ok so now I have my acl in place and it is working as expected. However, we have several programs here that require other ports to be open and it seems like I need to open up more ports on a daily basis and most of the time I have to call support to find out which ports I need to open and it can take a long time to get this info. Is there any way to view the traffic that is being dropped by the PIX so that I can identify which ports I need to open more quickly.

 

[unclerico]

yes, enable logging. the very last line of your acl_out should read like this:

access-list acl-out deny ip any any log

then, enable logging on the device:

logging enable
logging asdm informational

Alternatively you could setup a syslog server and have the pix forward the log entries to it. You might find that informational level of logging is too verbose for your liking so you might change it to warning instead.

In order to view the log entries you'll need to enter sh logging asdm. Since you now have enabled logging for asdm you can also open the asdm console and look at the logs.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[drummelhart]

show logging.

If they know what they need open, it may be best to find the iana port guide. Then you can enable or disable what is needed.