Magdy,

If you want to prevent your internal users from accessing email accounts on
hotmail or yahoo, you could use access-lists to block outbound 110
connections to hotmail or yahoo netblocks.  The problem you're going to have
is that a lot of people access those mail systems using a web interface.
You can also block HTTP to hotmail or yahoo and that would solve the issue,
but only if you can live with your users not accessing the hotmail and yahoo
websites at all, not just for email.

If you're trying to keep your users from accessing outside email,
the only good way to do this is to use a web filtering product such as
web-sense.  There are a lot of free email systems on the Internet accessible
through a web browser, so trying to keep up with and block all of those
netblocks is probably going to be an exercise in futility.  You may also
find that some free email sites are on the same server that serves a
legitimate business purpose, so blocking the server for HTTP would not be an
option.

You need something that can filter at the URL level.  The PIX alone cannot
do this, so 3rd party products would be required.

The alternative would be to implement a policy that external email systems
are not to be used at work, have everyone sign the policy indicating they
understand what is required and that non-compliance could result in
termination, require users to authenticate and then monitor logs to see if
anyone is violating the policy. (You really should have something like this
in place already, typically called an Acceptable Use Policy or AUP.)

HTH,
Kent
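For the access-list approach Kent describes, here is a constructed PIX 6.x-style example that is not part of either message in this thread. It assumes the internal LAN is 10.0.0.0/24, the mail server is 10.0.0.21 (the inside address in Magdy's static), and that lines beginning with ":" are config comments.

```cisco
: Constructed example, not from the thread. Assumes inside LAN 10.0.0.0/24 and
: the mail server at 10.0.0.21. Clients on the same LAN reach the server
: directly without crossing the PIX, so the first entry only matters when
: clients and server sit on different PIX interfaces.
access-list acl_in permit tcp 10.0.0.0 255.255.255.0 host 10.0.0.21 eq pop3
: Deny POP3 (tcp/110) from the inside network to any other destination,
: which covers hotmail, yahoo and every other external POP3 server without
: having to track their netblocks. Denied packets are logged to syslog, so
: the log is where policy violations show up.
access-list acl_in deny tcp 10.0.0.0 255.255.255.0 any eq pop3
: An access-list ends in an implicit deny, so all other outbound traffic
: must be permitted explicitly or it stops too.
access-list acl_in permit ip 10.0.0.0 255.255.255.0 any
: Apply the list to traffic entering the PIX on the inside interface
: (this is the access-group line already in Magdy's config).
access-group acl_in in interface inside
```

This only stops POP3 clients; webmail over HTTP/HTTPS to the same providers still gets through, which is the gap Kent points out and why a URL-level filter or an AUP is still needed.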


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Magdy H. Ibrahim
Sent: Thursday, August 16, 2001 5:47 AM
To: [EMAIL PROTECTED]
Subject: blocking PORTS ON PIX!!! [7:16275]


Dear All,

I have a question about how to block ports on a PIX firewall:
my case is: I have a mail server working behind a PIX, so I opened the POP3 and SMTP
ports for this mail server.
My mail server is accessed from the inside and outside interfaces.
I want to limit my internal IPs to only work with POP3 "using Outlook Express
or any mail client" from my mail server and deny any request for POP3 from
outside mail servers such as hotmail or yahoo.
Can I do something like that???
Please advise me ASAP...
Here is a shortcut of my PIX conf.:
static (inside,outside) 62.21.55.68 10.0.0.21 netmask 255.255.255.255 0 0
access-group acl_in in interface inside
conduit permit icmp any any
conduit permit tcp host 62.21.55.66 eq smtp any
conduit permit tcp host 62.21.55.66 eq pop3 any

Regards,

Magdy


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=16382&t=16275
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]