Cisco ASA 5505 Limit IP that can send mail to the Internal network

45 pts.
Cisco 5505
Cisco ASA
MX record
Spam prevention
We have a spam blocker that sits on the Internet and forwards clean mail to our Exchange server. The MX record points to this IP, but we are still getting a lot of spam that never passes through our spam blocker. I have confirmed that it is not an internal spambot. Question: How do I configure the ASA to only allow the Spam blocker IP to send mail to our internal network?

Answer Wiki

Thanks. We'll let you know when a new response is added.

This is a common problem – especially if you’ve used this IP to host email previously. I’m not a Cisco admin and don’t know the steps off the top of my head but you should be able to setup a basic rule that allows SMTP from your filtering system’s IP to your server’s IP and drop everything else.

Discuss This Question: 4  Replies

There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when members answer or reply to this question.
  • BlankReg
    KevinBeaver is basically right. You need to create an access list that allows mail from the spam blocker, but not from anywhere else. It will also need to allow any other traffic to any hosted systems, such as a web server. It will also block anything else that is not implicitly allowed, as there is an implied deny everything at the end of any access list. It should look sometihng like this access-list Internet-In permit tcp host {IP of spam blocker} host {public IP of your Mailhost} eq 25 access-list Internet-In deny ip any host {public IP of your Mailhost} access-list Internet-In permit [other services you want to allow in] Then apply this to the inbound traffic on the 'outside' interface with the command access-group Internet-In in interface outside Then the only mail traffic that will hit your mail server will be from the spam blocker. PM me if you need something more detailed for your particular network.
    12,325 pointsBadges:
  • Edctech
    Thanks for the information and it worked perfectly. I knew it had to be a rule, but I was looking at the static routes and not the access list. Thanks again, and by the way it did stop the spam instantly.
    45 pointsBadges:
  • Vnoome
    Good posting BLankReq!!!
    175 pointsBadges:
  • BlankReg
    Thanks Guys - I appreciate the feedback :-)
    12,325 pointsBadges:

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

To follow this tag...

There was an error processing your information. Please try again later.

Thanks! We'll email you when relevant content is added and updated.


Share this item with your network: