PIX 7.23 ACL Question

hypnotoad Banned Posts: 915
Trying to block outbound SMTP for everyone in 10.10.0.0/16 except those users in 10.10.0.0/22.

pix515e(config)# show access-list block_smtp_outbound
access-list block_smtp_outbound; 3 elements
access-list block_smtp_outbound line 1 extended permit tcp 10.10.0.0 255.255.252.0 any eq smtp (hitcnt=0) 0xac3ac452
access-list block_smtp_outbound line 2 extended deny tcp 10.10.0.0 255.255.0.0 any eq smtp log critical interval 300 (hitcnt=0) 0xdda81abc
access-list block_smtp_outbound line 3 extended permit ip any any (hitcnt=4974) 0x06b0b649

pix515e(config)# show run | i access-group
access-group block_smtp_outbound in interface inside

Can't figure out why I'm not getting any hits on lines 1 and 2 of the ACL. Anybody have any ideas?

Comments

  • hypnotoad Banned Posts: 915
    pix515e(config)# access-list 105 permit tcp host 10.10.0.211 any eq smtp
    pix515e(config)# access-list 105 deny tcp any any eq smtp log alert
    pix515e(config)# access-list 105 permit ip any any
    pix515e(config)# access-group 105 in interface inside

    Cleaner version of almost the same thing. Still getting 0's on my hitcnt. Is it truly possible that nobody on my 2000-user network is trying to make an outgoing SMTP connection?
  • meadIT Member Posts: 581
    Have you tried to make an SMTP connection so that you can definitely say the firewall is/isn't blocking attempts?
    CERTS: VCDX #110 / VCAP-DCA #500 (v5 & 4) / VCAP-DCD #10(v5 & 4) / VCP 5 & 4 / EMCISA / MCSE 2003 / MCTS: Vista / CCNA / CCENT / Security+ / Network+ / Project+ / CIW Database Design Specialist, Professional, Associate
  • mikearama Member Posts: 749
    What do you use for mail clients? Are you using Exchange or Notes?

    I suspect that your clients are conversing properly with the mail servers (either mapi/135 or lotusnotes/1352), so you shouldn't see client initiated smtp traffic. I'm not even sure how a client would send smtp publicly... I guess they'd have to install a sendmail client, or run IAS or some such nonsense that can generate smtp without the aid of exchange/notes.

    The servers, though, as I understand it, do send emails publicly via port 25, so you should be able to see that traffic generated... providing the servers are inside your network. Our IronPorts (for Notes) are outside our ASA's and the MX record resolves directly to them, so I don't see the smtp traffic from them on the ASA's.

    Just thinking out loud... hope something in there helped.
    Mike
    There are only 10 kinds of people... those who understand binary, and those that don't.

    CCIE Studies: Written passed: Jan 21/12 Lab Prep: Hours reading: 385. Hours labbing: 110

    Taking a time-out to add the CCVP. Capitalizing on a current IPT pilot project.
  • hypnotoad Banned Posts: 915
    mikearama wrote:
    What do you use for mail clients? Are you using Exchange or Notes?

    I suspect that your clients are conversing properly with the mail servers (either mapi/135 or lotusnotes/1352), so you shouldn't see client initiated smtp traffic. I'm not even sure how a client would send smtp publicly... I guess they'd have to install a sendmail client, or run IAS or some such nonsense that can generate smtp without the aid of exchange/notes.

    The servers, though, as I understand it, do send emails publicly via port 25, so you should be able to see that traffic generated... providing the servers are inside your network. Our IronPorts (for Notes) are outside our ASA's and the MX record resolves directly to them, so I don't see the smtp traffic from them on the ASA's.

    Just thinking out loud... hope something in there helped.
    Mike

    Yeah man, we have Exchange and it works fine -- the problem is that we had some spam zombies activated in the middle of the night so they started bursting out SMTP traffic from the LAN. I actually got the ACL sitting here and working (now), and I'm waiting for my syslog to blow up so I can track them down to a port.

    Thanks for the replies guys.