maxpower
New Contributor

Block outgoing port 25 for all but server?

I've been searching and can't find an answer to this question: I would like to block all outgoing port 25 traffic except for my email server on a NetVanta 1335 with firmware R10.1.0.E. After much research and looking through the NetVanta I'm just not sure how to accomplish this. Any advice would be greatly appreciated.

Thanks


Accepted Solutions
jayh
Honored Contributor

Re: Block outgoing port 25 for all but server?

Exact details depend on whether you are using NAT or not. Access-list on Private side should look something like this:

Assume your mail server is 192.168.22.22

ip access-list extended inside-to-public
  permit ip host 192.168.22.22 any
  deny tcp any any eq 25
  ! Any other outbound restrictions here
  permit ip any any

Then apply this ACL to your outbound policy-class on the LAN side facing the public, something like...

ip policy-class Private
  nat source list inside-to-public interface [interface name here] overload

Of course you'll need the appropriate reciprocal port-forwarding to allow inbound mail from the public to your mail server as well. Post your existing config if this doesn't help.
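A worked example added here (not part of jayh's post or any ADTRAN-supplied config) that makes the drop explicit. One caveat worth knowing when using the ACL above inside a `nat source list` entry: in an AOS policy-class, `permit` in the referenced ACL means "this entry matches" and `deny` means "this entry does not match, evaluate the next policy-class entry", so the SMTP traffic denied in `inside-to-public` is not dropped by that line itself; it falls through to whatever follows, ending at the implicit discard at the end of the policy-class. A dedicated `discard list` entry placed before the NAT entry drops it regardless of what else is configured. The mail server address 192.168.22.22 is taken from the post; the interface name `eth 0/1`, the policy-class names `Private` and `Public`, and the public address 203.0.113.10 (documentation range) are assumptions and must be replaced with your own.

```text
! Added example, not from the original post.
! Assumptions: mail server 192.168.22.22 (from the post), WAN interface eth 0/1,
! LAN policy-class "Private", WAN policy-class "Public", public MX address
! 203.0.113.10. Replace each with the values from your own configuration.

! Outbound: SMTP from anyone except the mail server is discarded explicitly.
! "deny" here means "skip this entry", so the mail server's traffic is not
! discarded and continues to the NAT entry below; every other host's port-25
! traffic matches "permit" and is dropped by the discard entry.
ip access-list extended block-outbound-smtp
  deny   ip  host 192.168.22.22 any
  permit tcp any any eq 25

! Everything that survives the discard is NATed to the WAN interface address.
ip access-list extended inside-to-public
  permit ip any any

ip policy-class Private
  discard list block-outbound-smtp
  nat source list inside-to-public interface eth 0/1 overload

! Inbound: only SMTP to the public address is forwarded, and only to the mail
! server. Nothing else is port-forwarded by this entry.
ip access-list extended inbound-smtp
  permit tcp any host 203.0.113.10 eq 25

ip policy-class Public
  nat destination list inbound-smtp address 192.168.22.22
```

Order matters inside the policy-class: entries are evaluated top to bottom, so the `discard list` line must come before the `nat source list` line. To check the result, open a TCP connection to port 25 on an outside host from a workstation (it should fail) and from the mail server (it should succeed), then confirm with `show ip policy-sessions` that only the mail server's sessions to port 25 appear.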

2 Replies
Anonymous

Re: Block outgoing port 25 for all but server?

I went ahead and flagged the "Correct Answer" on this post to make it more visible and help other members of the community find solutions more easily. If you don't feel like the answer I marked was correct, feel free to come back to this post to unmark it and select another in its place with the applicable buttons.  If you have any additional information on this that others may benefit from, please come back to this post to provide an update.  If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.

Thanks,

Noor