Pix Firewall - Anyone know a little?

flashlightlens

Newly Enlightened
Joined
Nov 12, 2002
Messages
134
Location
flashlightlens.com
My boss just got fired, which leaves me as the underpaid network engineer. I need to make some changes on my PIX Firewall to limit SMTP access to certain IP addresses from Sprint. I've got it down to the fact that I need to change one of my "conduit" lines in the config to reflect the limited IP's. The current line reads:
conduit permit tcp host mailserver eq smtp any

Do I just add the IP's where "any" is now? The programming manual mentions needing the global_mask - is this really needed? Can I just make the line look like this:
conduit permit tcp host grpwise eq smtp 172.16.1.0 172.16.1.1 172.16.1.2 172.16.1.3 172.16.1.4 172.16.1.5

?????.......

Anyone?.......Bueller.........
 

Short Circuit

Newly Enlightened
Joined
Nov 30, 2001
Messages
75
What is the version of the PIX OS, and the model of the PIX box?
I manage our Cisco PIX for over 1000 users.

I may be able to help you, but need the above information.
 

wasabe64

Flashaholic*
Joined
Nov 12, 2003
Messages
923
Location
Abducted to The Granite Planet
Hi,

First I'd recommend that you communicate in a more private fashion, no need to expose fragments of your security config to everyone and anyone.

I'll PM you with some info as soon as I can.

Regards
 

flashlightlens

Newly Enlightened
Joined
Nov 12, 2002
Messages
134
Location
flashlightlens.com
I got a little more info - just need to verify it.

I am being told I need to issue a no command to get rid of the existing conduit line:
no conduit permit tcp host mailserver eq smtp any
and then I type in the new one like I have above with all the IP's in place instead of the "any"
conduit permit tcp host grpwise eq smtp 172.16.1.0 172.16.1.1 172.16.1.2 172.16.1.3 172.16.1.4 172.16.1.5

All the IP's are now fake, so no security risk anymore.
 

Seabass

Newly Enlightened
Joined
Jan 12, 2004
Messages
20
Location
Winnipeg
Yes but now we know you use Cisco Pix 520 running version 4.4

 

flashlightlens

Newly Enlightened
Joined
Nov 12, 2002
Messages
134
Location
flashlightlens.com
[ QUOTE ]
Seabass said:
Yes but now we know you use Cisco Pix 520 running version 4.4


[/ QUOTE ]

...and I've got one person on my list of suspects if there happens to be a breach in my system. I'll tell the cops that a guy named Seabass did it. Besides, who says I'm still at 4.4 anyway....

Name one of my public IP's for my firewall where I work and I'll send you a free lens of your choice.

Anyway - Apparently you can't just put all the IP's in one conduit line. The only way I got it to take was to create a separate conduit line for each IP address. Also, I guess you need to put the netmask along with each IP - unless it's a host IP.

The part that really sucks is that if I limit all the SMTP traffic inbound to certain mail servers, then all my external Outlook clients who use a POP3 connection aren't able to send email through the SMTP server.
 

wasabe64

Flashaholic*
Joined
Nov 12, 2003
Messages
923
Location
Abducted to The Granite Planet
Yep,

The conduit command is meant for one-off exceptions that are either very broad (subnet) or very narrow (host).

The conduit command is associated with a static route to your mail servers. Instead of using a conduit entry, the route can instead be associated with an ACL.

[ QUOTE ]
flashlightlens said:

The part that really sucks is that if I limit all the SMTP traffic inbound to certain mail servers, then all my external Outlook clients who use a POP3 connection aren't able to send email through the SMTP server.

[/ QUOTE ]

In your statement, will they only be blocked from sending email or accessing email at all?

If the PIX is only blocking the relaying of outbound messages from your POP3 clients, there is a workaround in Outlook, where you set up the user's ISP-provided mail service to send your mail instead.
 

flashlightlens

Newly Enlightened
Joined
Nov 12, 2002
Messages
134
Location
flashlightlens.com
They can still download their messages from our server. They couldn't send them. The problem with using the ISP's SMTP is that all our field personnel dial-up through our Qwest accounts. These accounts don't have any email services available to them. I'm sure Sprint would be happy to let our clients use their SMTP to send mail - but at what $$$$????
 

wasabe64

Flashaholic*
Joined
Nov 12, 2003
Messages
923
Location
Abducted to The Granite Planet
Might be worth a call; this is a common problem since most ISPs do not allow SMTP to traverse their own routers unless the source is their own mail servers.

From a Business and Security perspective, you don't want to be configuring your firewall every couple of weeks because you are continually altering conduit entries as your subnet changes or your client base grows. (another strength in using ACL's)

All you would need is one or two e-mail accounts (configure all of your remote users to use the same account to send out mail).

If that doesn't fly, then consider setting up ACL's.

Hope this helps,
Raymond
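Added example (not from any poster in this thread): a small Python script that turns a list of allowed sources into the per-source conduit lines flashlightlens found were required, and into the equivalent access-list form Raymond suggests. The server address, source list and ACL name are constructed placeholders; the conduit syntax follows the lines quoted in the thread, and the access-list syntax is PIX 5.x and later, not the conduit-only 4.4 syntax.

```python
import ipaddress

# Constructed sample values (documentation ranges, not anyone's real network):
# the mail server's address and the remote sources allowed to reach it on SMTP.
MAIL_SERVER = "192.0.2.25"
ALLOWED_SOURCES = ["198.51.100.7", "198.51.100.8", "203.0.113.0/24"]


def peer(src):
    """Format one source the way PIX expects: a single address uses the
    'host' keyword, a subnet is written as address followed by netmask."""
    net = ipaddress.ip_network(src, strict=False)
    if net.num_addresses == 1:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.netmask}"


def conduit_lines(server, sources):
    """Replace the open 'any' conduit with one conduit per allowed source.
    Destination (the inside host) comes first, the foreign source last."""
    lines = [f"no conduit permit tcp host {server} eq smtp any"]
    for src in sources:
        lines.append(f"conduit permit tcp host {server} eq smtp {peer(src)}")
    return lines


def acl_lines(server, sources, name="outside_in"):
    """Same policy as an access-list (PIX 5.x and later): source first,
    destination second, one entry per source, then one access-group that
    binds the list inbound on the outside interface. Anything not listed
    is dropped by the implicit deny at the end of the list."""
    lines = [f"access-list {name} permit tcp {peer(src)} host {server} eq smtp"
             for src in sources]
    lines.append(f"access-group {name} in interface outside")
    return lines


if __name__ == "__main__":
    print("\n".join(conduit_lines(MAIL_SERVER, ALLOWED_SOURCES)))
    print()
    print("\n".join(acl_lines(MAIL_SERVER, ALLOWED_SOURCES)))
```

Adding or removing a remote source then means regenerating and pasting one line rather than hand-editing the running config.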
 

John N

Flashlight Enthusiast
Joined
Oct 12, 2001
Messages
2,201
Location
Seattle
Note that allowing clients to read mail externally is a pretty big security issue - it not only provides a potential for people to probe your account information, but possibly exploit bugs in your mail server(s). Edit: It typically also means that your user accounts with passwords are flying around the Internet in plain text...

It would be better to set up a VPN server and make the external clients VPN in before they can get any internal services.

It isn't clear if you are suggesting you only want to allow SMTP from the Sprint mail servers or your remote clients from your post. If the latter, at least create another rule to only allow POP/IMAP from those clients.

-john
 

flashlightlens

Newly Enlightened
Joined
Nov 12, 2002
Messages
134
Location
flashlightlens.com
John - We've actually got a managed VPN with Qwest. Trying to teach 40 or 50 RSM's how to use it might be a trick. They have enough trouble just finding the "Start" button sometimes....

I've thought about the VPN thing - That way, I could restrict my inbound SMTP to Sprint the way I want and the external clients could just send as if it were an internal IP. We've got it, we are really paying for it, so why not use it, right? We're actually starting to send a bunch of people to work from home pretty soon, and they'll HAVE to use the VPN, so why not start getting more familiar with it.

Which reminds me - if anyone knows why a Nortel Contivity isn't allowing me to get VPN access to Novell file servers, let me know....

I also thought about seeing if Qwest could give me a block of IP's that their dial-up users pick up, but they couldn't. If they did, I could at least tighten the inbound to a smaller range of possibilities.

I like the VPN thing though.... I think I'll run that by a few others tomorrow and see what they think.
 

Seabass

Newly Enlightened
Joined
Jan 12, 2004
Messages
20
Location
Winnipeg
Damn, now you've piqued my curiosity! I may actually have some work to do at work tomorrow.


[ QUOTE ]
flashlightlens.com said:

Name one of my public IP's for my firewall where I work and I'll send you a free lens of your choice.


[/ QUOTE ]