Cisco ASA 5505 Limit IP that can send mail to the Internal network
Q:
We have a spam blocker that sits on the Internet and forwards clean mail to our Exchange server. The MX record points to this IP, but we are still getting a lot of spam that never passes through our spam blocker. I have confirmed that it is not an internal spambot.
Question: How do I configure the ASA to only allow the Spam blocker IP to send mail to our internal network?
ASKED: May 8 2009  3:10 AM GMT
A:
This is a common problem - especially if you've used this IP to host email previously. I'm not a Cisco admin and don't know the steps off the top of my head, but you should be able to set up a basic rule that allows SMTP from your filtering system's IP to your server's IP and drops everything else.
Last Answered: May 8 2009  5:11 PM GMT by KevinBeaver   7610 pts.

Discuss This Answer:

BlankReg   11280 pts.  |   May 8 2009  9:27PM GMT

KevinBeaver is basically right. You need to create an access list that allows mail from the spam blocker, but not from anywhere else. It will also need to allow any other traffic to any hosted systems, such as a web server. It will also block anything else that is not implicitly allowed, as there is an implied deny everything at the end of any access list.

It should look something like this:

access-list Internet-In extended permit tcp host {IP of spam blocker} host {public IP of your Mailhost} eq 25
access-list Internet-In extended deny ip any host {public IP of your Mailhost}
access-list Internet-In extended permit [other services you want to allow in]

Then apply this to the inbound traffic on the ‘outside’ interface with the command

access-group Internet-In in interface outside

Then the only mail traffic that will hit your mail server will be from the spam blocker.

PM me if you need something more detailed for your particular network.

 
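The access list above works because the ASA evaluates an interface ACL top to bottom, stops at the first matching line, and drops anything that matches no line at all. The following is an added example, not code from the original thread or from Cisco: a small first-match evaluator that parses access-list lines in the form BlankReg posted and runs constructed flows through them. The addresses (RFC 5737 documentation ranges), the assumed web server, and the HTTP rule filling the "[other services]" placeholder are all assumptions for illustration. One caveat worth knowing: on ASA 8.2 and earlier, which is what a 5505 ran in 2009, the outside ACL names the public, pre-NAT address as in the post; on 8.3 and later, interface ACLs match on the real (inside) address instead, so the same rule would name the Exchange server's private IP.

```python
"""First-match evaluator for a Cisco ASA-style extended access list.

Added example, not code from the original thread: it models how the ASA
walks the 'Internet-In' list posted above, top to bottom, first match
wins, and denies anything that matches no line at all. The addresses
below are constructed placeholders (RFC 5737 documentation ranges), not
the poster's real ones.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample addresses standing in for the thread's placeholders.
SPAM_BLOCKER = "203.0.113.10"   # {IP of spam blocker}
MAILHOST = "198.51.100.25"      # {public IP of your Mailhost}
WEBHOST = "198.51.100.80"       # assumed hosted web server for the "[other services]" line

# The posted ACL, with the 'extended' keyword the ASA stores, and the
# "[other services you want to allow in]" placeholder filled with an
# assumed HTTP rule for the web server.
ACL_TEXT = f"""
access-list Internet-In extended permit tcp host {SPAM_BLOCKER} host {MAILHOST} eq 25
access-list Internet-In extended deny ip any host {MAILHOST}
access-list Internet-In extended permit tcp any host {WEBHOST} eq 80
"""

# 'show access-list' prints well-known ports by name; map the common ones.
_PORT_NAMES = {"smtp": 25, "www": 80, "https": 443}


@dataclass(frozen=True)
class Ace:
    """One access control entry (one access-list line)."""
    action: str                     # "permit" or "deny"
    proto: str                      # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]            # None: any destination port


def _parse_addr(tokens: List[str], i: int):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D MASK' at tokens[i]; return (net, next_i)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def parse_acl(text: str, name: str) -> List[Ace]:
    """Return the entries of access-list `name`, in configured order."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if t[:2] != ["access-list", name]:
            continue
        i = 3 if t[2] == "extended" else 2
        action, proto = t[i], t[i + 1]
        src, i = _parse_addr(t, i + 2)
        dst, i = _parse_addr(t, i)
        dport = None
        if i < len(t) and t[i] == "eq":
            port = t[i + 1]
            dport = _PORT_NAMES[port] if port in _PORT_NAMES else int(port)
        aces.append(Ace(action, proto, src, dst, dport))
    return aces


def evaluate(aces: List[Ace], src_ip: str, dst_ip: str, proto: str, dport: int) -> str:
    """First matching entry decides; no match means the implicit deny at the end."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in aces:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"  # implicit deny at the end of every ASA access list


ACL = parse_acl(ACL_TEXT, "Internet-In")

if __name__ == "__main__":
    # Constructed flows: the spam blocker, a direct-to-MX spammer, web visitors.
    flows = [
        ("spam blocker -> mailhost:25", SPAM_BLOCKER, MAILHOST, "tcp", 25),
        ("spammer 192.0.2.55 -> mailhost:25", "192.0.2.55", MAILHOST, "tcp", 25),
        ("spam blocker -> mailhost:443", SPAM_BLOCKER, MAILHOST, "tcp", 443),
        ("visitor 192.0.2.55 -> webhost:80", "192.0.2.55", WEBHOST, "tcp", 80),
        ("visitor 192.0.2.55 -> webhost:22", "192.0.2.55", WEBHOST, "tcp", 22),
    ]
    for label, src, dst, proto, port in flows:
        print(f"{label:40s} {evaluate(ACL, src, dst, proto, port)}")
```

Two things the simulation makes visible: the `deny ip any host {Mailhost}` line blocks every other port on the mail host too (so anything like OWA on the same public IP needs its own permit above that line), and traffic to a host with no matching line is dropped by the implicit deny without any explicit rule. On the real ASA, the equivalent check is `show access-list Internet-In` (hit counts per line) and `packet-tracer input outside tcp <src-ip> <src-port> <mailhost-ip> 25`, which reports which line a flow matches.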

Edctech   45 pts.  |   May 9 2009  1:36AM GMT

Thanks for the information, and it worked perfectly. I knew it had to be a rule, but I was looking at the static routes and not the access list. Thanks again, and by the way, it did stop the spam instantly.

 

Vnoome   130 pts.  |   May 11 2009  5:02PM GMT

Good posting BlankReg!!!

 

BlankReg   11280 pts.  |   May 11 2009  6:12PM GMT

Thanks Guys - I appreciate the feedback :-)
