Question


access-list creation

By siphoakasiwa ·
I have a Cisco PIX and I wanted to create an access-list that only allows my email server to send out SMTP (some client machines on the network get infected and act as spam servers...).

There are two interfaces that were created on the PIX, but I want to apply the SMTP block rule on the inside interface.


All Answers


PIX acl

by wdewey In reply to access-list creation

What I did in this scenario is allow traffic from the mail server and then deny traffic from any other machine. I use ports 25, 26 and 465 because they are all common SMTP-type ports. In case you are not familiar with ACLs, the 'block_smtp' is just the name of the ACL and has no effect on how the ACL runs. You could change this if you want, but if you do then change it on every line. Also, changing the order of how these are applied will change how the ACL operates. If you need to remove any items, simply put a 'no' in front of them.

access-list block_smtp remark Mail server x.x.x.x is the SOURCE: the ACL is applied inbound on inside, so inside hosts are sources
access-list block_smtp permit tcp host x.x.x.x any eq smtp
access-list block_smtp permit tcp host x.x.x.x any eq 26
access-list block_smtp permit tcp host x.x.x.x any eq 465
access-list block_smtp remark Every other inside host is denied outbound SMTP (explicit entries keep hit counts visible)
access-list block_smtp deny tcp any any eq smtp
access-list block_smtp deny tcp any any eq 26
access-list block_smtp deny tcp any any eq 465
access-list block_smtp remark Allow everything else; without this the implicit deny at the end blocks all other outbound traffic
access-list block_smtp permit ip any any

access-group block_smtp in interface inside

Bill
edited to fix cut and paste error and add additional instructions.
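Added example, not code from this thread or from Cisco: a small Python model of how a PIX walks an ACL applied with `access-group ... in interface inside`, entry by entry, first match wins, with the implicit deny at the end and a per-entry hit counter like `show access-list`. It runs two ACLs over the same constructed flows: a form with the mail server as the destination (`permit tcp any host x.x.x.x eq smtp`), which matches nothing the mail server itself sends and so produces the symptom the follow-up post describes (zero hits on the permits, all the hits on the deny), beside the form with the mail server as the source and a trailing `permit ip any any`. The addresses 10.0.0.25, 10.0.0.77 and 198.51.100.x are constructed placeholders standing in for the thread's x.x.x.x.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Port names the PIX accepts in place of numbers (subset, enough for this example).
PORT_NAMES = {"smtp": 25, "smtps": 465, "www": 80, "domain": 53}


@dataclass
class Ace:
    """One access-list entry plus a hit counter, as 'show access-list' reports it."""
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "tcp", "udp"
    src: object                 # "any" or an ip_network
    dst: object
    dport: Optional[int]        # None means any destination port
    hits: int = 0


def _addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'NETWORK MASK'."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_acl(lines):
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT]' lines; skip remarks."""
    entries = []
    for line in lines:
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[2] == "remark":
            continue
        action, proto = t[2], t[3]
        src, rest = _addr(t[4:])
        dst, rest = _addr(rest)
        dport = None
        if rest[:1] == ["eq"]:
            dport = PORT_NAMES.get(rest[1]) or int(rest[1])
        entries.append(Ace(action, proto, src, dst, dport))
    return entries


def _in(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in spec


def evaluate(entries, proto, src, dst, dport):
    """First matching entry wins and gets the hit; no match falls to the implicit deny."""
    for ace in entries:
        if ace.proto not in ("ip", proto):
            continue
        if not (_in(ace.src, src) and _in(ace.dst, dst)):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        ace.hits += 1
        return ace.action
    return "deny"  # implicit deny at the end of every PIX ACL, counted by no entry


def simulate(acl_lines, flows):
    """Run flows through a freshly parsed ACL; return verdicts and per-entry hit counts."""
    entries = parse_acl(acl_lines)
    verdicts = [evaluate(entries, *flow) for flow in flows]
    return verdicts, [ace.hits for ace in entries]


MAIL = "10.0.0.25"            # constructed stand-in for the thread's x.x.x.x
CLIENT = "10.0.0.77"          # constructed infected client on the inside
OUTSIDE_MX = "198.51.100.10"  # constructed remote mail exchanger
OUTSIDE_WEB = "198.51.100.80"  # constructed remote web server

# Mail server written as the DESTINATION: never matches what the server sends out.
SWAPPED = [
    f"access-list block_smtp permit tcp any host {MAIL} eq smtp",
    f"access-list block_smtp permit tcp any host {MAIL} eq 26",
    f"access-list block_smtp permit tcp any host {MAIL} eq 465",
    "access-list block_smtp deny tcp any any eq smtp",
    "access-list block_smtp deny tcp any any eq 26",
    "access-list block_smtp deny tcp any any eq 465",
]

# Mail server as the SOURCE, plus a trailing permit so other outbound traffic survives.
CORRECTED = SWAPPED[3:] and [
    f"access-list block_smtp permit tcp host {MAIL} any eq smtp",
    f"access-list block_smtp permit tcp host {MAIL} any eq 26",
    f"access-list block_smtp permit tcp host {MAIL} any eq 465",
] + SWAPPED[3:] + ["access-list block_smtp permit ip any any"]

# Constructed flows as the inside interface sees them: (proto, src, dst, dst port).
FLOWS = [
    ("tcp", MAIL, OUTSIDE_MX, 25),     # legitimate relay from the mail server
    ("tcp", CLIENT, OUTSIDE_MX, 25),   # infected client spamming directly
    ("tcp", CLIENT, OUTSIDE_WEB, 80),  # ordinary web browsing
]

if __name__ == "__main__":
    for label, acl in (("swapped", SWAPPED), ("corrected", CORRECTED)):
        verdicts, hits = simulate(acl, FLOWS)
        print(f"{label:9} verdicts={verdicts} hitcnt={hits}")
```

With the swapped form every flow is denied, including plain web browsing, because nothing matches it before the implicit deny, and the only entry collecting hits is `deny tcp any any eq smtp`. With the corrected form the mail server's relay is permitted on the first entry, the client's direct SMTP is denied on the fourth, and the web flow is carried by the final `permit ip any any`.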


re: PIX

by siphoakasiwa In reply to PIX acl

Okay, I did that. The hit count on the access-list was showing 0, but the deny SMTP rule was showing a lot of hits. Instead of placing the mail server IP address, can I use the computer/DNS name?
It's like the PIX is not recognising the mail server IP I put in the ACL? P.S. I made sure that I added the ACL to the inside interface.
