Hi,
I'm trying to restrict outbound POP3 connections (port 110) from my private network to the outside world. A few of our users keep ignoring the network security policy about not using POP3 email clients to download personal mail from the outside world. Thus, they end up downloading a ton of virus and worm laden messages and I have to rely on desktop AV software to pick them off before an infection can occur.
I set up an outbound rule on the pix to block pop3 access, but it didn't work and it looks like the default outbound rule is overriding that. I don't want to restrict the users from anything beyond POP3. Any ideas? Here's my config:
PIX Version 6.3(1)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security4
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
no fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
no names
access-list inside_access_in permit ip any any
access-list DMZ_access_in permit tcp host 10.0.0.2 host 172.16.0.200 eq smtp
access-list DMZ_access_in permit ip host 10.0.0.2 any
access-list outside_access_in permit tcp any host 192.12.x.x eq smtp
access-list outside_access_in permit tcp any host 192.12.x.x eq www
access-list outside_access_in permit icmp any any
pager lines 24
logging on
logging timestamp
logging trap notifications
logging host inside 172.16.0.159
icmp permit any unreachable outside
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside 192.12.x.x 255.255.255.0
ip address inside 172.16.0.1 255.255.0.0
ip address DMZ 10.0.0.1 255.0.0.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 192.12.x.x
nat (inside) 1 172.16.1.0 255.255.255.0 0 0
nat (inside) 1 172.16.0.0 255.255.0.0 dns 0 0
static (DMZ,outside) 192.12.x.x 10.0.0.2 netmask 255.255.255.255 0 0
static (inside,DMZ) 172.16.0.200 172.16.0.200 netmask 255.255.255.255 0 0
static (inside,outside) 192.12.x.x 172.16.0.200 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group DMZ_access_in in interface DMZ
route outside 0.0.0.0 0.0.0.0 192.12.x.x 1
I'm trying to restrict outbound POP3 connections (port 110) from my private network to the outside world. A few of our users keep ignoring the network security policy about not using POP3 email clients to download personal mail from the outside world. Thus, they end up downloading a ton of virus and worm laden messages and I have to rely on desktop AV software to pick them off before an infection can occur.
I set up an outbound rule on the pix to block pop3 access, but it didn't work and it looks like the default outbound rule is overriding that. I don't want to restrict the users from anything beyond POP3. Any ideas? Here's my config:
PIX Version 6.3(1)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security4
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
no fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
no names
access-list inside_access_in permit ip any any
access-list DMZ_access_in permit tcp host 10.0.0.2 host 172.16.0.200 eq smtp
access-list DMZ_access_in permit ip host 10.0.0.2 any
access-list outside_access_in permit tcp any host 192.12.x.x eq smtp
access-list outside_access_in permit tcp any host 192.12.x.x eq www
access-list outside_access_in permit icmp any any
pager lines 24
logging on
logging timestamp
logging trap notifications
logging host inside 172.16.0.159
icmp permit any unreachable outside
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside 192.12.x.x 255.255.255.0
ip address inside 172.16.0.1 255.255.0.0
ip address DMZ 10.0.0.1 255.0.0.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 192.12.x.x
nat (inside) 1 172.16.1.0 255.255.255.0 0 0
nat (inside) 1 172.16.0.0 255.255.0.0 dns 0 0
static (DMZ,outside) 192.12.x.x 10.0.0.2 netmask 255.255.255.255 0 0
static (inside,DMZ) 172.16.0.200 172.16.0.200 netmask 255.255.255.255 0 0
static (inside,outside) 192.12.x.x 172.16.0.200 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group DMZ_access_in in interface DMZ
route outside 0.0.0.0 0.0.0.0 192.12.x.x 1
