PIX Firewall 5.3 access-list question

Zahundas

IS-IT--Management
Sep 9, 2002
I am trying to set up an access list with the purpose of blocking all the SMTP traffic going out from a host with the IP address 199.218.125.23 (class C network). I am mostly interested in blocking the SMTP traffic, but to be on the safe side I would like to block everything going out from that machine.
This has to have no interference with anything else on the network.
This is what I came up with (for the SMTP traffic):

access-list 130 deny smtp any host 199.218.125.23 eq smtp
access-list 130 permit ip any any
access-group 130 in interface inside


Is this correct?
Thanks in advance for your help.
Zahundas
 
"
access-list 130 deny smtp any host 199.218.125.23 eq smtp
access-list 130 permit ip any any
access-group 130 in interface inside
"

In the first line, I don't think that the first "smtp" is legal. You need to specify tcp, udp, icmp, or ip there.

Your statement would read (assuming you fixed the first problem), in English, "block [tcp|udp|icmp|ip] traffic from anybody that is trying to access 199.218.125.23 on port 25 (smtp)." I don't think that's what you're trying to do.

From your message, it sounds like you want to simply deny internet access to that host. An appropriate access list statement for that would be:

access-list 130 deny ip host 199.218.125.23 any

Access lists, unlike conduits, read from - to. This statement, in English: "Deny all ip traffic from 199.218.125.23 to anywhere."

You could add:

eq smtp

to the end of the line to deny ONLY smtp traffic.

Keep the "permit" statement to allow all other hosts' full access.

-db

 
Hi,

What I am trying to accomplish is to block the outgoing traffic from 199.218.125.23. All the examples I have seen for access-lists are for the incoming traffic and I've found just vague references to the filtering of the outgoing traffic.

This host is running as an SMTP smart host for my Exchange 2000 server. I simply want to deny access to the internet from that host.

Thanks,
Zahundas
 
This should do it:

access-list 130 deny ip host 199.218.125.23 any
access-list 130 permit ip any any
access-group 130 in interface inside


199.218.125.23 will only be able to communicate with hosts on the inside interface's segment(s).

-db
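The two lists compared in this thread, run through a small first-match evaluator. This is an added example, not code from the thread or from the PIX itself; it models only the "any" and "host" address forms and the port names used above, and assumes the question's protocol keyword is corrected to tcp as -db advised.

```python
# Added example: models PIX access-list first-match ordering, the implicit
# deny at the end of every list, and the "from - to" reading of source and
# destination. Only 'any' and 'host A.B.C.D' addresses are supported.
import ipaddress

PORT_NAMES = {"smtp": 25, "www": 80, "domain": 53}  # port names as on the PIX
PROTOCOLS = {"ip", "tcp", "udp", "icmp"}             # the only legal keywords

def _parse_addr(tokens):
    """Consume 'any' or 'host A.B.C.D'; return (remaining tokens, network)."""
    if tokens[0] == "any":
        return tokens[1:], ipaddress.ip_network("0.0.0.0/0")
    if tokens[0] == "host":
        return tokens[2:], ipaddress.ip_network(tokens[1] + "/32")
    raise ValueError("unsupported address form: " + " ".join(tokens))

def parse_acl(text):
    """Parse 'access-list <id> permit|deny <proto> <src> <dst> [eq <port>]'."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if t[0] != "access-list" or t[2] not in ("permit", "deny"):
            raise ValueError("not a permit/deny access-list line: " + line)
        if t[3] not in PROTOCOLS:  # 'smtp' in the protocol slot is rejected
            raise ValueError("illegal protocol keyword %r in: %s" % (t[3], line))
        rest, src = _parse_addr(t[4:])
        rest, dst = _parse_addr(rest)
        dport = None
        if rest[:1] == ["eq"]:  # destination port match; needs tcp or udp
            dport = PORT_NAMES.get(rest[1]) or int(rest[1])
        rules.append({"action": t[2], "proto": t[3], "src": src, "dst": dst, "dport": dport})
    return rules

def evaluate(rules, proto, src, dst, dport=None):
    """First matching rule decides; a flow that matches nothing is denied."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r["proto"] in ("ip", proto) and s in r["src"] and d in r["dst"] \
                and (r["dport"] is None or r["dport"] == dport):
            return r["action"]
    return "deny"

# The question's list with 'smtp' replaced by 'tcp' (constructed input):
ORIGINAL = parse_acl("""
access-list 130 deny tcp any host 199.218.125.23 eq smtp
access-list 130 permit ip any any
""")
# The reply's corrected list (constructed input):
CORRECTED = parse_acl("""
access-list 130 deny ip host 199.218.125.23 any
access-list 130 permit ip any any
""")
```

Running outbound SMTP from 199.218.125.23 through both shows the first list still permits it (it only matches traffic sent to that host on port 25), while the corrected list denies it and leaves other hosts untouched.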
 
Great, thanks a lot.
I really appreciate your help.

Zahundas
 