I had the direction incorrect!  Thanks for the help folks,

Relay only by exemption on the mail servers, though.

From: Patrick Salmon [mailto:[email protected]]
Sent: Tuesday, January 08, 2013 11:21 AM
To: NT System Admin Issues
Subject: Re: Cisco ASA question

Looks right to me, both in sequence and content [1].

- You're allowing SMTP from specific host(s). Correct. Not so much a 'best 
practice' <ptooey> as a must-do.
- Next, you're denying SMTP from anything else. Also correct.
- Implied, but must exist, is the Deny Any Any at the end. You'd be surprised 
how many people forget that.

An aside: this is a great forum with an abundance of expertise in many areas. 
That said, a Google search on Cisco Forums / Cisco Community / Cisco support 
forum will give you a much more focused target audience. Not that you won't get 
great answers here, as you will.

Pat

[1]. CCNP. Also, full disclosure and disclaimer: I am an employee of Cisco 
Systems. Opinions expressed, however, are mine alone and not those of Cisco.

On Tue, Jan 8, 2013 at 10:54 AM, Tom Miller <[email protected]> wrote:
Hi Folks,

At a new job here.  I have a few Cisco ASA.  One of them, an ASA 5510, seems to 
be not very strict on outbound rules.  I'm new to ASA (came from the Fortinet 
world), so any advice on setting up outbound rules?  In particular we've been 
on spamhaus and I think there is an internal machine sending out smtp messages. 
 Short term solution would be to restrict out smtp to our mail servers only.

On the ASA | Configuration | Access Rules, I created an inside --> outside 
rule.  Traffic from mail server out, smtp, permit.  Other rule has traffic as 
deny.  This does not seem correct, even me being new to ASA.

Suggestions appreciated,
Tom

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
[email protected]<mailto:[email protected]>
with the body: unsubscribe ntsysadmin
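
Added example, not part of the original thread or of any participant's message: a small Python model of first-match ACL evaluation with an implicit deny at the end, applied to the rule order discussed above. The addresses, the rule tuples and the final permit rule are constructed assumptions, and this is a model of the matching logic, not ASA syntax.

```python
import ipaddress

MAIL_SERVER = "10.0.0.25"  # constructed address, not from the thread

def rule(action, src, dport):
    """One ACL entry: src is a CIDR or 'any'; dport is an int or None (any port)."""
    net = ipaddress.ip_network("0.0.0.0/0" if src == "any" else src)
    return (action, net, dport)

def evaluate(acl, src_ip, dport):
    """First matching entry wins; if nothing matches, the implicit deny applies."""
    addr = ipaddress.ip_address(src_ip)
    for index, (action, net, port) in enumerate(acl, start=1):
        if addr in net and port in (None, dport):
            return action, f"rule {index}"
    return "deny", "implicit deny"

# The two rules described in the thread, in the order given.
AS_DESCRIBED = [
    rule("permit", MAIL_SERVER + "/32", 25),  # SMTP from the mail server
    rule("deny", "any", 25),                  # SMTP from anything else
]
# Same rules reversed: the broad deny shadows the mail-server permit.
REVERSED = list(reversed(AS_DESCRIBED))
# Assumption: other outbound traffic should keep flowing, so an explicit
# permit is appended; without it, non-SMTP traffic falls to the implicit deny.
WITH_PERMIT = AS_DESCRIBED + [rule("permit", "any", None)]

FLOWS = [  # constructed (source address, destination port) pairs
    (MAIL_SERVER, 25),   # mail server sending SMTP
    ("10.0.0.77", 25),   # workstation sending SMTP directly
    ("10.0.0.77", 443),  # workstation browsing over HTTPS
]

def audit(acl):
    """Return the (action, matching entry) decision for each sample flow."""
    return [evaluate(acl, src, port) for src, port in FLOWS]

if __name__ == "__main__":
    for name, acl in [("as described", AS_DESCRIBED),
                      ("reversed", REVERSED),
                      ("with final permit", WITH_PERMIT)]:
        print(name)
        for (src, port), (action, why) in zip(FLOWS, audit(acl)):
            print(f"  {src} -> tcp/{port}: {action} ({why})")
```

Running it shows which entry decides each flow, which is the same thing to confirm on the real device with its hit counters after the rules are in place.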
