Register

Forgot Password

Site FAQ

Home > IT Answers > Networking > Cisco ASA 5505 Limit IP that can send mail to the Internal network

Edctech

45 pts.

Cisco ASA 5505 Limit IP that can send mail to the Internal network

Cisco 5505, Cisco Adaptive Security Appliance, Cisco ASA 5505, MX record, Spam prevention

We have a spam blocker that sits on the Internet and forwards clean mail to our Exchange server. The MX record points to this IP, but we are still getting a lot of spam that never passes through our spam blocker. I have confirmed that it is not an internal spambot. Question: How do I configure the ASA to only allow the Spam blocker IP to send mail to our internal network?

Software/Hardware used:

ASKED: May 8, 2009 3:10 AM

UPDATED: May 11, 2009 6:12 PM

RELATED QUESTIONS

Answer Wiki:

This is a common problem - especially if you've used this IP to host email previously. I'm not a Cisco admin and don't know the steps off the top of my head but you should be able to setup a basic rule that allows SMTP from your filtering system's IP to your server's IP and drop everything else.

Last Wiki Answer Submitted: May 8, 2009 5:11 pm by KevinBeaver

10,785 pts.

All Answer Wiki Contributors: KevinBeaver

10,785 pts.

To see all answers submitted to the Answer Wiki: View Answer History.

RSS - Discussions Help

Discuss This Question:

_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

POSTED: May 8, 2009 9:27 PM (GMT)

KevinBeaver is basically right. You need to create an access list that allows mail from the spam blocker, but not from anywhere else. It will also need to allow any other traffic to any hosted systems, such as a web server. It will also block anything else that is not implicitly allowed, as there is an implied deny everything at the end of any access list.

It should look sometihng like this

access-list Internet-In permit tcp host {IP of spam blocker} host {public IP of your Mailhost} eq 25
access-list Internet-In deny ip any host {public IP of your Mailhost}
access-list Internet-In permit [other services you want to allow in]

Then apply this to the inbound traffic on the ‘outside’ interface with the command

access-group Internet-In in interface outside

Then the only mail traffic that will hit your mail server will be from the spam blocker.

PM me if you need something more detailed for your particular network.

BlankReg

12,215 pts.

POSTED: May 9, 2009 1:36 AM (GMT)

Thanks for the information and it worked perfectly. I knew it had to be a rule, but I was looking at the static routes and not the access list. Thanks again, and by the way it did stop the spam instantly.

Edctech

45 pts.

POSTED: May 11, 2009 5:02 PM (GMT)

Good posting BLankReq!!!

Vnoome

175 pts.

POSTED: May 11, 2009 6:12 PM (GMT)

Thanks Guys – I appreciate the feedback

BlankReg

12,215 pts.

Ask a Question

Browse IT Answers by Topic

>>VIEW ALL TAGS

Community Blog | About Us | Contact Us | FAQ | Terms of Use | DMCA Policy

TechTarget provides enterprise IT professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective IT purchase decisions and managing their organization's IT projects - with its network of technology-specific Web sites, events and magazines.
All Rights Reserved, Copyright 1999-2013, TechTarget | Read our Privacy Policy
Questions and Answers Index 1 | Questions and Answers Index 2 | IT Topics Index 1 | IT Topics Index 2 | Blogs Index | Blogs Tags