telarin
New Contributor

Block port 25 from all computers except server on nat configured interface

I would like to block all outbound traffic originating from port 25 for all computers on the network except the server which is supposed to be relaying SMTP email. I expected this to be fairly easy, just add a traffic selector to the NAT policy of the Private Security zone; however, in the web interface, when I go to the "NAT list wizard-ics" policy in the Private security zone, I am not given the option to specify ports when adding additional traffic selectors. Is this one of those things that cannot be done from the web interface for some reason, or am I simply missing something in the policy configuration? This is the default NAT policy that was initially set up by the wizard.

This is a NetVanta 1335 PoE running firmware version 18.02.01.00.E

Anonymous
Not applicable

Re: Block port 25 from all computers except server on nat configured interface

Hi telarin:

This can be done in the CLI or GUI. The important thing to remember is that the firewall policies are processed top-down. The CLI and GUI list policies in the order they are applied. When traffic matches a policy, action is taken. There is no need for the firewall to continue down the list for that particular traffic, once a match is found and action taken. In your case, the firewall should perform the following actions in the order listed:

  1. NAT outbound valid SMTP traffic (sourced from your mail server)
  2. Block invalid SMTP traffic (not sourced from your mail server)
  3. NAT outbound all other internet traffic

Here's an example from the CLI that can be modified to fit your specific mail server address, policy-classes, etc. Note the policy order in the Private policy-class:


!
ip access-list standard wizard-ics
  remark NAT list wizard-ics
  permit any
!
!
ip access-list extended smtp-invalid
  remark Blocked SMTP
  permit tcp any any eq smtp log
!
ip access-list extended smtp-valid
  remark Allowed SMTP
  permit tcp host 192.168.1.15 any eq smtp log
!
!
ip policy-class Private
  nat source list smtp-valid interface vlan 100 overload policy Public
  discard list smtp-invalid
  nat source list wizard-ics interface vlan 100 overload policy Public
!

Here's an example 'Allowed' ACL from the GUI:

ACL-Allowed-SMTP.PNG

And an example 'Blocked' ACL:

ACL-Blocked-SMTP.PNG

Just make sure the Allowed policy is higher in your security zone rule list than the Blocked policy, and both are higher than the general NAT overload (wizard-ICS) policy.

It's worth considering an AOS upgrade to your 1335. That unit supports the latest maintenance release (R11.4 as of this post). AOS 18.X is no longer eligible for support. AOS R11.4 includes many bug fixes and enhancements and is highly recommended!

Best,

Chris
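The reply above hinges on one property of the policy-class: entries are walked top-down and the first match decides, so the placement of the discard between the two NAT entries is what protects the mail server's relaying while blocking everyone else's direct SMTP. The following Python model is an added example, not code from the thread or from ADTRAN AOS. It reproduces the three ACLs and the Private policy-class from the reply as plain data, runs a few constructed sample flows through a first-match walk, and then repeats the walk with the discard moved above the allowed-SMTP NAT entry to show what goes wrong when the order is not respected. The flow addresses, the 203.0.113.10 destination, and the behaviour for a flow matching nothing are assumptions of the model, not AOS behaviour.

```python
"""First-match walk-through of the Private policy-class ordering from the reply.

Constructed model, not AOS code. An ACL entry is (protocol, source network,
destination network, destination port or None); a policy-class is an ordered
list of (action, acl_name). Evaluation stops at the first entry whose ACL
matches the flow, which is the property the reply's ordering relies on.
"""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")
SMTP = 25
# Host address taken from the reply's example ACL.
MAIL_SERVER = ipaddress.ip_network("192.168.1.15/32")

# The three ACLs from the reply. Protocol "ip" with dport None matches any flow.
ACLS = {
    "wizard-ics":   [("ip",  ANY,         ANY, None)],  # permit any
    "smtp-invalid": [("tcp", ANY,         ANY, SMTP)],  # permit tcp any any eq smtp
    "smtp-valid":   [("tcp", MAIL_SERVER, ANY, SMTP)],  # permit tcp host 192.168.1.15 any eq smtp
}

# Policy-class Private in the order the reply recommends.
PRIVATE_RECOMMENDED = [
    ("nat",     "smtp-valid"),
    ("discard", "smtp-invalid"),
    ("nat",     "wizard-ics"),
]

# Same three entries with the first two swapped, to show why order matters.
PRIVATE_MISORDERED = [
    ("discard", "smtp-invalid"),
    ("nat",     "smtp-valid"),
    ("nat",     "wizard-ics"),
]


def acl_matches(acl_name, proto, src, dst, dport):
    """Return True if any entry of the named ACL matches the flow."""
    for e_proto, e_src, e_dst, e_dport in ACLS[acl_name]:
        if e_proto != "ip" and e_proto != proto:
            continue
        if src not in e_src or dst not in e_dst:
            continue
        if e_dport is not None and e_dport != dport:
            continue
        return True
    return False


def evaluate(policy_class, proto, src, dst, dport):
    """Walk the policy-class top-down and return (action, acl_name) of the
    first match. A flow matching no entry returns ("no-match", None); that is
    a placeholder of this model, not a statement about AOS behaviour."""
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    for action, acl_name in policy_class:
        if acl_matches(acl_name, proto, src, dst, dport):
            return action, acl_name
    return "no-match", None


# Constructed sample flows: (description, proto, src, dst, dport).
FLOWS = [
    ("mail server relaying SMTP",        "tcp", "192.168.1.15", "203.0.113.10", 25),
    ("workstation sending SMTP directly", "tcp", "192.168.1.50", "203.0.113.10", 25),
    ("workstation browsing HTTPS",        "tcp", "192.168.1.50", "203.0.113.10", 443),
    ("mail server browsing HTTPS",        "tcp", "192.168.1.15", "203.0.113.10", 443),
]


def walk(policy_class):
    """Evaluate every sample flow; return {description: action}."""
    return {desc: evaluate(policy_class, proto, src, dst, dport)[0]
            for desc, proto, src, dst, dport in FLOWS}


if __name__ == "__main__":
    for name, pc in (("recommended order", PRIVATE_RECOMMENDED),
                     ("misordered", PRIVATE_MISORDERED)):
        print(name)
        for desc, action in walk(pc).items():
            print(f"  {desc:36s} -> {action}")
```

With the recommended order the mail server's SMTP is NATed by the first entry and never reaches the discard, every other host's SMTP is discarded, and all remaining traffic falls through to the wizard-ics NAT. With the discard moved to the top, the server's own relaying is discarded too, which is exactly the symptom to look for if mail stops flowing after adding the block.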