
Pix 506e: Allowing port 25 only from a single IP address

Status
Not open for further replies.

gscheepers

IS-IT--Management
Jan 21, 2002
150
US
Hi,

I'm trying to allow only port 25 smtp traffic from the Exchange server and no other internal device.

I'd be grateful if you could point me in the right direction.

Many thanks in advance!
 
I would need to see your entire ACL, but it would be:
Code:
access-list <acl_name> extended permit tcp host <exchange_server_ip> any eq smtp

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Thanks...! Here's the current config:

interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname ********
domain-name *********
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group service OWA tcp
port-object eq www
port-object eq https
port-object eq imap4
port-object range 3389 3389
access-list compiled
access-list outside-in permit esp any any
access-list outside-in permit icmp any any echo-reply
access-list outside-in permit icmp any any time-exceeded
access-list outside-in permit icmp any any unreachable
access-list outside-in permit tcp any any eq ssh
access-list outside-in permit udp any any eq isakmp
access-list outside-in deny tcp any any eq 135
access-list outside-in deny udp any any eq 135
access-list outside-in permit tcp any interface outside object-group OWA
access-list outside-in deny tcp any any eq 1863
access-list outside-in permit tcp any host 10.0.0.0 eq ssh
access-list outside-in permit tcp any host 10.0.0.0 eq smtp
access-list outside-in permit tcp any any eq ftp
access-list outside-in permit tcp any any eq ldap
access-list outside-in permit udp any any eq 389
access-list outside-in permit tcp any any eq 3368
access-list outside-in permit tcp any any eq 88
access-list outside-in permit udp any any eq 88
access-list outside-in permit tcp any any eq imap4
access-list outside-in permit tcp any any eq www
access-list outside-in permit tcp any any eq smtp
access-list inside-out deny tcp any any eq 135
access-list inside-out deny tcp any any eq 137
access-list inside-out deny tcp any any eq 138
access-list inside-out deny tcp any any eq netbios-ssn
access-list inside-out deny udp any any eq 135
access-list inside-out deny udp any any eq netbios-ns
access-list inside-out deny udp any any eq netbios-dgm
access-list inside-out deny udp any any eq 139
access-list inside-out permit ip any any
access-list inside-out permit udp any any eq isakmp
access-list inside-out deny tcp any any eq 1863
access-list inside-out deny tcp any any eq 6901
access-list inside-out deny udp any any eq 1863
access-list inside-out deny udp any any eq 5190
access-list inside-out deny udp any any eq 6901
access-list inside-out deny tcp any any eq 4531
access-list inside-out deny udp any any eq 4531
access-list inside-out permit tcp any host 10.0.0.0 eq smtp
access-list inside_outbound_nat0_acl permit ip any 10.0.0.0 255.255.255.192
access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.0.0.0 172.16.0.0 255.255.0.0
access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.0.0.0 192.168.5.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 10.0.0.0 255.0.0.0 172.16.0.0 255.255.0.0
access-list outside_cryptomap_30 permit ip 10.0.0.0 255.0.0.0 172.16.10.0 255.255.255.0
access-list outside_cryptomap_40 permit ip 10.0.0.0 255.0.0.0 192.168.5.0 255.255.255.0
pager lines 24
logging on
logging timestamp
logging trap notifications
logging device-id hostname
logging host inside 10.*.*.*
icmp permit any outside
icmp permit any echo-reply outside
icmp permit any time-exceeded outside
mtu outside 1500
mtu inside 1500
ip address outside 10.*.*.* 255.255.255.0
ip address inside 10.*.*.* 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPN 10.*.*.*-10.*.*.*
pdm location 10.0.0.0 255.0.0.0 inside
pdm location 10.*.*.* 255.255.255.255 inside
pdm location 10.*.*.* 255.255.255.255 inside
pdm location 10.*.*.* 255.255.255.255 inside
pdm location 10.*.*.* 255.255.255.192 outside
pdm location 172.*.*.* 255.255.255.0 outside
pdm location 172.*.*.* 255.255.0.0 outside
pdm location 192.*.*.* 255.255.255.0 outside
pdm location 10.*.*.* 255.255.255.255 inside
pdm location 10.*.*.* 255.255.255.255 outside
pdm logging debugging 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
static (inside,outside) tcp interface ssh 10.*.*.* ssh netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp 10.*.*.* ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 255.255.255.255 0 0
static (inside,outside) tcp interface https 10.*.*.* https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface imap4 10.*.*.* imap4 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 10.*.*.* 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 10.*.*.* smtp netmask 255.255.255.255 0 0
access-group outside-in in interface outside
access-group inside-out in interface inside
route outside 0.0.0.0 0.0.0.0 10.*.*.* 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
ntp server 195.0.0.0 source outside
http server enable
http 10.0.0.0 255.0.0.0 inside
snmp-server location *******
snmp-server contact *******
snmp-server community public
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
sysopt ipsec pl-compatible
crypto ipsec transform-set traffic esp-des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 194.0.0.0
crypto map outside_map 20 set transform-set traffic
crypto map outside_map 30 ipsec-isakmp
crypto map outside_map 30 match address outside_cryptomap_30
crypto map outside_map 30 set peer 90.0.0.0
crypto map outside_map 30 set transform-set traffic
crypto map outside_map 40 ipsec-isakmp
crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set peer 195.0.0.0
crypto map outside_map 40 set transform-set traffic
crypto map outside_map interface outside
isakmp enable outside
isakmp enable inside
isakmp key ******** address 194.0.0.0 netmask 255.255.255.255
isakmp key ******** address 90.0.0.0 netmask 255.255.255.255
isakmp key ******** address 195.0.0.0 netmask 255.255.255.255
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400
isakmp policy 21 authentication pre-share
isakmp policy 21 encryption des
isakmp policy 21 hash md5
isakmp policy 21 group 2
isakmp policy 21 lifetime 86400
telnet 10.0.0.0 255.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication pap
vpdn group PPTP-VPDN-GROUP ppp authentication chap
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto
vpdn group PPTP-VPDN-GROUP client configuration address local VPN
vpdn group PPTP-VPDN-GROUP client configuration dns 10.*.*.* 10.*.*.*
vpdn group PPTP-VPDN-GROUP client configuration wins 10.*.*.*
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn enable outside
vpdn enable inside
vpnclient server 10.*.*.*
vpnclient mode client-mode
vpnclient vpngroup VPN password ********
terminal width 80
 
Code:
[b]access-list inside-out permit tcp host 10.0.0.25 any eq smtp[/b]
[b]access-list inside-out deny tcp any any eq smtp[/b]
access-list inside-out deny tcp any any eq 135 
access-list inside-out deny tcp any any eq 137 
access-list inside-out deny tcp any any eq 138 
access-list inside-out deny tcp any any eq netbios-ssn
access-list inside-out deny udp any any eq 135 
access-list inside-out deny udp any any eq netbios-ns
access-list inside-out deny udp any any eq netbios-dgm
access-list inside-out deny udp any any eq 139 
[b][s]access-list inside-out permit ip any any[/s][/b] 
access-list inside-out permit udp any any eq isakmp 
access-list inside-out deny tcp any any eq 1863 
access-list inside-out deny tcp any any eq 6901 
access-list inside-out deny udp any any eq 1863 
access-list inside-out deny udp any any eq 5190 
access-list inside-out deny udp any any eq 6901 
access-list inside-out deny tcp any any eq 4531 
access-list inside-out deny udp any any eq 4531 
[b][s]access-list inside-out permit tcp any host 10.0.0.0 eq smtp[/s][/b] 
[b]access-list inside-out permit ip any any[/b]
When coding an ACL you want to place more specific entries first (more efficient). Notice the first bolded entry; this permits SMTP traffic from your Exchange server (10.0.0.25 is a made-up host address). The second bolded entry denies SMTP from any to any (added due to your permit ip any any at the bottom). The third bolded item removes your permit ip any any from its current position, since you are in effect bypassing the rest of your deny statements below it. The fourth bolded item removes your SMTP rule since the source and destinations are incorrect. The fifth bolded item places the permit ip any any in the correct location so that your more specific ACEs are evaluated first.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
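An added example, not code from this thread or from Cisco: a small first-match evaluator that walks an access list top to bottom the way the PIX does, run against the inside-out ACL as originally posted and against the reordered version from the reply. It makes the ordering point concrete: with permit ip any any in the middle of the list, SMTP (and the 1863 deny below it) from any inside host is permitted at line 9 and the later entries are never reached; after the reorder, only the Exchange host gets out on port 25. 10.0.0.25 is the made-up Exchange address from the reply; 10.0.0.77 (a non-Exchange inside host) and 203.0.113.10 (an external mail server) are constructed here, and the repetitive 6901/5190/4531 deny entries are left out of both lists to keep the example short.

```python
"""First-match walk of PIX-style access-list entries (added example)."""
import ipaddress

# Cisco port keywords that appear in the posted ACLs, mapped to numbers.
PORT_NAMES = {"smtp": 25, "isakmp": 500, "netbios-ns": 137,
              "netbios-dgm": 138, "netbios-ssn": 139}


def parse_ace(line):
    """Parse 'access-list NAME ACTION PROTO SRC DST [eq PORT]'.
    SRC and DST are 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    toks = line.split()
    if toks[0] != "access-list":
        raise ValueError(f"not an access-list entry: {line}")
    name, action, proto = toks[1:4]

    def addr(i):
        if toks[i] == "any":
            return ipaddress.ip_network("0.0.0.0/0"), i + 1
        if toks[i] == "host":
            return ipaddress.ip_network(toks[i + 1]), i + 2
        return ipaddress.ip_network(f"{toks[i]}/{toks[i + 1]}", strict=False), i + 2

    src, i = addr(4)
    dst, i = addr(i)
    dport = None
    if i < len(toks) and toks[i] == "eq":
        tok = toks[i + 1]
        dport = int(tok) if tok.isdigit() else PORT_NAMES[tok]
    return {"name": name, "action": action, "proto": proto,
            "src": src, "dst": dst, "dport": dport}


def evaluate(acl_text, proto, src_ip, dst_ip, dport):
    """Return (action, 1-based line of the matching entry) for one flow.
    Entries are tried top to bottom and the first match wins; an entry
    with protocol 'ip' matches tcp and udp alike. A line of None means
    the implicit deny at the end of every ACL matched."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for n, line in enumerate(acl_text.strip().splitlines(), 1):
        ace = parse_ace(line)
        if ace["proto"] not in ("ip", proto):
            continue
        if src not in ace["src"] or dst not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"], n
    return "deny", None


# inside-out ACL as posted (the 6901/5190/4531 deny entries are left out
# for brevity; they behave like the 1863 entry kept here).
ORIGINAL = """
access-list inside-out deny tcp any any eq 135
access-list inside-out deny tcp any any eq 137
access-list inside-out deny tcp any any eq 138
access-list inside-out deny tcp any any eq netbios-ssn
access-list inside-out deny udp any any eq 135
access-list inside-out deny udp any any eq netbios-ns
access-list inside-out deny udp any any eq netbios-dgm
access-list inside-out deny udp any any eq 139
access-list inside-out permit ip any any
access-list inside-out permit udp any any eq isakmp
access-list inside-out deny tcp any any eq 1863
access-list inside-out permit tcp any host 10.0.0.0 eq smtp
"""

# The same ACL reordered as in the reply (struck-out entries removed).
REORDERED = """
access-list inside-out permit tcp host 10.0.0.25 any eq smtp
access-list inside-out deny tcp any any eq smtp
access-list inside-out deny tcp any any eq 135
access-list inside-out deny tcp any any eq 137
access-list inside-out deny tcp any any eq 138
access-list inside-out deny tcp any any eq netbios-ssn
access-list inside-out deny udp any any eq 135
access-list inside-out deny udp any any eq netbios-ns
access-list inside-out deny udp any any eq netbios-dgm
access-list inside-out deny udp any any eq 139
access-list inside-out permit udp any any eq isakmp
access-list inside-out deny tcp any any eq 1863
access-list inside-out permit ip any any
"""

if __name__ == "__main__":
    # 10.0.0.77 is a constructed non-Exchange inside host and
    # 203.0.113.10 a constructed external mail server.
    for label, acl in (("original", ORIGINAL), ("reordered", REORDERED)):
        for src in ("10.0.0.25", "10.0.0.77"):
            print(label, "smtp from", src, "->",
                  evaluate(acl, "tcp", src, "203.0.113.10", 25))
```

The returned line number is the useful part when reviewing a real list: if an SMTP flow from a host that should be blocked reports the line of permit ip any any, the restriction is positioned below the catch-all and never evaluated, which is exactly the condition the reply corrects.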
 