Solved

Cisco Router inbound acl preventing outbound smtp?

Posted on 2010-11-25
7
1,000 Views
Last Modified: 2012-05-10
Still having issues with my new Cisco router setup.  Here is the scenario: prior to the Cisco router we were using a WatchGuard firewall for our network security.  After we got our Cisco router I decided to set up our network properly.  This entailed creating a DMZ for our publicly available servers and video conference units.  I have attached an image comparing our old network to our new network.

(Attached image: Old network vs New network)
Here is our setup on the Cisco router.  Basically we have two interfaces on the router: GigabitEthernet0/0 (G0/0) and GigabitEthernet0/1 (G0/1).  Interface G0/0 is our public interface.  It has the following IP addresses associated with it:

x.x.x.22
x.x.x.3 - Secondary
x.x.x.4 - Secondary
x.x.x.5 - Secondary
x.x.x.23 - Secondary

Now on the second interface I created two subinterfaces: one for the LAN (VLAN ID 1) and the other for the DMZ (VLAN ID 2).  The subinterfaces are configured like so:

int g0/1.1
description LAN
ip address 10.0.0.1 255.255.255.0

int g0/1.2
description DMZ
ip address 10.0.10.1 255.255.255.248

My NAT rules are as follows:

ip nat inside source static 10.0.10.3 x.x.x.3
ip nat inside source static 10.0.10.4 x.x.x.4
ip nat inside source static 10.0.10.5 x.x.x.5
ip nat inside source static 10.0.0.10 x.x.x.22   (this is supposed to be 10.0.0.10)

ip nat pool ovrldIP x.x.x.23 x.x.x.23 netmask 255.255.255.224
ip nat inside source list 1 pool ovrldIP overload
access-list 1 permit 10.0.0.0 0.0.0.255

Just to explain: I have one NAT rule for a server on my LAN (10.0.0.10) so that when I access the public IP x.x.x.22 it goes to the server on the LAN.  However, I also have NAT/PAT set up for the public IP x.x.x.23.  Not sure if that is bad or not.  I think it is the right thing to do but am not 100% sure.

Now, finally, for my question.  After some help I created this access list:
ip access-list extended externalIN
permit ip any host x.x.x.3
permit ip any host x.x.x.4
permit ip any host x.x.x.5
permit ip any host x.x.x.23
permit tcp any host x.x.x.22 eq telnet
permit tcp any host x.x.x.22 eq ftp
permit tcp any host x.x.x.22 eq ftp-data
permit tcp any host x.x.x.22 eq 3389
permit tcp any host x.x.x.22 eq 3101
permit tcp any host x.x.x.22 eq 8083
permit tcp any host x.x.x.22 eq 4125
permit tcp any host x.x.x.22 eq 444
permit tcp any host x.x.x.22 eq 6001
permit tcp any host x.x.x.22 eq 6002
permit tcp any host x.x.x.22 eq 6004
permit tcp any host x.x.x.22 eq 443
permit tcp any host x.x.x.22 eq 389
permit tcp any host x.x.x.22 eq 636
permit udp any any eq domain
permit esp any any
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
permit udp any any eq 10000
permit tcp any any eq 1723
permit gre any any
permit tcp object-group SMTPFilter host x.x.x.22 eq smtp

object-group network SMTPFilter
x.x.x.x /24
x.x.x.x /26
....

The object group SMTPFilter is a list of hosts and networks that act as our spam filter.  Therefore we can only receive SMTP traffic from specific hosts/networks.  Now I applied this ACL like so:

int g0/0
ip access-group externalIN in

Now this worked, partially.  I was elated that I was able to receive email, which in the past my ACLs prevented.  However, strangely, I was unable to send email.  Since I was not sure why, I created an ACL like the one below:

ip access-list extended externalOUT
permit ip any any

and applied it to int g0/0 in the outbound direction.  This did not help.  What is also annoying is that I can't use VPN either.  I am wondering what is going on.  I have little experience with Cisco routers.  In fact this is my first time with one and I have literally only been working with it for 1.5 weeks as of now.  The ACLs are a bit hard for me to grasp.

Currently I have removed the access-group externalIN from int g0/0 and it works fine.  But now we are not protected, so I re-added the Firebox until I resolve this Cisco issue.  Any help with what to do would be greatly appreciated.  Any idea as to why I would not be able to send email out if I applied the ACL going in?  When I removed the ACL I received two system emails stating that my test emails had been delayed.  I sent two test emails after applying the ACL.  Once I removed the ACL I was notified that they had been delayed for exactly the amount of time the ACL was applied.

Is it possible that since I have a different IP as my PAT/NAT overload IP and then I have a static IP on the same network there is a problem there? i.e.

10.0.0.1 /24 outbound uses PAT with pub ip of x.x.x.23
10.0.0.10 has static NAT of x.x.x.22

Could this be the issue?

Any help is greatly appreciated.
0
Comment
Question by:Prolumina
7 Comments
 
LVL 6

Expert Comment

by:djcapone
ID: 34214662
What systems are you having trouble sending e-mail from (IP/Subnet) and what server are you using as your SMTP server that you are having difficulty sending mail from?

What may be happening is, assuming you're attempting to send e-mail from 10.0.0.1/24 using the SMTP server's public IP address, it may be subject to the router's access list.

Try sending the e-mail using the internal IP address as the SMTP server.  If this works successfully, add the x.x.x.23 IP address to your SMTPFilter object group.
0
 

Author Comment

by:Prolumina
ID: 34215025
My server is an SBS2003 server, therefore it has Exchange on it.  The server's address is 10.0.0.10, thus the static NAT entry for 10.0.0.10 -> x.x.x.22

Why do you think it would be subject to the ACL if it is outgoing?  My thought is maybe there is an issue since I have two NAT rules for the same object.  One is the static NAT rule that gives the internal IP address 10.0.0.10 a public IP of x.x.x.22; the other is my NAT overload that gives the 10.0.0.1/24 subnet access to the net via the public IP x.x.x.23.

What do you mean by the last part, "Try sending the e-mail using the internal IP address as the SMTP server"?
0
 
LVL 6

Expert Comment

by:djcapone
ID: 34215153
In other words, if you are attempting to send e-mail from one of the computers on the internal subnet, let's say 10.0.0.46, and are using mail.mycompany.com as the SMTP server and mail.mycompany.com resolves to x.x.x.22, this may subject the traffic to filtering.

From 10.0.0.46 set the smtp server to be 10.0.0.10 and see if the e-mail is successfully sent.
0
 
LVL 10

Accepted Solution

by:lanboyo (earned 500 total points)
ID: 34219988
You probably need to permit established.  A Cisco access filter is not a stateful firewall, so packets returning to the network from the external servers are denied: they now have as their destination TCP port the outbound packet's TCP source port, and are thus denied.

permit tcp any any established


Also if you stick this at the end of the access list you may be able to see what is getting nailed via log messages.

deny ip any any log
Effectively this is already in place (there is a default deny any any), but it does not log.

Do a show log to see what is getting dropped.
0
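The behaviour lanboyo describes, and the reason the question's externalIN list broke outbound mail, as an added example that is not part of the original thread: a small Python evaluator for a subset of IOS extended-ACL syntax (permit/deny, tcp/udp/ip/esp/gre, any/host/wildcard/object-group, eq <port>, established, log) applied inbound on the outside interface, where the ACL sees the public addresses before NAT undoes the static translation. The list is abbreviated to a few of the posted lines, the x.x.x.* placeholders are replaced with constructed RFC 5737 addresses (203.0.113.22 for the Exchange static NAT, 203.0.113.23 for the PAT pool, 198.51.100.0/24 as an assumed SMTPFilter range, 192.0.2.x for arbitrary Internet hosts), and `established` is modelled the way IOS implements it, as a check of the TCP ACK/RST bits. The same ACL is evaluated with and without lanboyo's two extra lines.

```python
"""Stateless-ACL simulation for the externalIN list (added example, not from the thread)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

PORT_NAMES = {"ftp-data": 20, "ftp": 21, "telnet": 23, "smtp": 25,
              "domain": 53, "isakmp": 500, "non500-isakmp": 4500}

# Constructed stand-ins for the post's x.x.x.* addresses (RFC 5737 ranges).
PUB_SMTP = "203.0.113.22"   # static NAT for Exchange at 10.0.0.10
PUB_PAT = "203.0.113.23"    # overload address for the 10.0.0.0/24 LAN
OBJECT_GROUPS = {"SMTPFilter": [IPv4Network("198.51.100.0/24")]}  # assumed spam-filter range

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False   # TCP ACK (or RST) bit set; this is all `established` checks

@dataclass
class Entry:
    action: str
    proto: str
    src: list
    dst: list
    sport: Optional[int]
    dport: Optional[int]
    established: bool
    log: bool
    text: str

def _port(tok):
    return PORT_NAMES.get(tok) or int(tok)

def _addr_spec(toks, i):
    """Parse one address spec at toks[i]; return (networks, index of next token)."""
    t = toks[i]
    if t == "any":
        return [IPv4Network("0.0.0.0/0")], i + 1
    if t == "host":
        return [IPv4Network(toks[i + 1] + "/32")], i + 2
    if t == "object-group":
        return OBJECT_GROUPS[toks[i + 1]], i + 2
    # "A.B.C.D wildcard": IPv4Network accepts a hostmask (wildcard) after the slash
    return [IPv4Network(f"{t}/{toks[i + 1]}")], i + 2

def parse_acl(text):
    entries = []
    for line in text.strip().splitlines():
        toks = line.split()
        if not toks or toks[0] not in ("permit", "deny"):
            continue    # skip the "ip access-list extended ..." header
        action, proto = toks[0], toks[1]
        src, i = _addr_spec(toks, 2)
        sport = None
        if i < len(toks) and toks[i] == "eq":
            sport, i = _port(toks[i + 1]), i + 2
        dst, i = _addr_spec(toks, i)
        dport = None
        if i < len(toks) and toks[i] == "eq":
            dport, i = _port(toks[i + 1]), i + 2
        flags = toks[i:]
        entries.append(Entry(action, proto, src, dst, sport, dport,
                             "established" in flags, "log" in flags, line.strip()))
    return entries

def _in(addr, nets):
    a = IPv4Address(addr)
    return any(a in n for n in nets)

def evaluate(entries, pkt, log):
    """First matching entry wins; implicit deny at the end, as on IOS."""
    for e in entries:
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not (_in(pkt.src, e.src) and _in(pkt.dst, e.dst)):
            continue
        if e.sport is not None and e.sport != pkt.sport:
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        if e.established and not (pkt.proto == "tcp" and pkt.ack):
            continue
        if e.log:   # shaped like the %SEC-6-IPACCESSLOGP messages `show log` prints
            verb = "denied" if e.action == "deny" else "permitted"
            log.append(f"list externalIN {verb} {pkt.proto} {pkt.src}({pkt.sport})"
                       f" -> {pkt.dst}({pkt.dport}), 1 packet")
        return e.action, e.text
    return "deny", "implicit deny"

# Abbreviated version of the posted list; the remaining port entries behave the same way.
ORIGINAL_ACL = f"""
ip access-list extended externalIN
permit ip any host {PUB_PAT}
permit tcp any host {PUB_SMTP} eq 443
permit udp any any eq domain
permit tcp object-group SMTPFilter host {PUB_SMTP} eq smtp
"""
FIXED_ACL = ORIGINAL_ACL + "permit tcp any any established\ndeny ip any any log\n"

def run_scenarios():
    """Constructed packets as seen inbound on g0/0; returns {name: (before, after)} and the log."""
    original, fixed = parse_acl(ORIGINAL_ACL), parse_acl(FIXED_ACL)
    traffic = {
        "inbound_mail_from_spam_filter": Packet("tcp", "198.51.100.10", PUB_SMTP, 40000, 25),
        "reply_to_exchange_outbound_smtp": Packet("tcp", "192.0.2.25", PUB_SMTP, 25, 51234, ack=True),
        "reply_to_lan_host_via_pat": Packet("tcp", "192.0.2.80", PUB_PAT, 443, 51235, ack=True),
        "unsolicited_syn_to_exchange_445": Packet("tcp", "192.0.2.7", PUB_SMTP, 40001, 445),
    }
    log, results = [], {}
    for name, pkt in traffic.items():
        before, _ = evaluate(original, pkt, [])
        after, _ = evaluate(fixed, pkt, log)
        results[name] = (before, after)
    return results, log

if __name__ == "__main__":
    results, log = run_scenarios()
    for name, (before, after) in results.items():
        print(f"{name:34s} without established: {before:7s} with established: {after}")
    print("\nwhat `show log` would contain after `deny ip any any log`:")
    for line in log:
        print("  %SEC-6-IPACCESSLOGP: " + line)
```

Running it shows the asymmetry the question describes: the SYN-ACK coming back for a connection the Exchange server opened has source port 25 and an ephemeral destination port, so none of the `eq <port>` lines on x.x.x.22 match and it falls to the implicit deny, while LAN hosts behind the PAT address keep working because `permit ip any host x.x.x.23` covers everything sent to them. With `permit tcp any any established` the reply passes. The caveat is the one lanboyo's wording implies: the keyword only checks that ACK or RST is set, so any packet with those bits set is let through whether or not a connection exists; it is a stateless approximation, not connection tracking.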
 

Author Comment

by:Prolumina
ID: 34220935
Thanks a lot, that worked beautifully.  It also made it a great deal easier to troubleshoot with the log keyword at the end.

Strange thing is I am having issues with VPN still.  I think it's on my server end but am not sure.  PPTP VPN on Windows servers only requires GRE and 1723 to be opened, right?  Sorry, I know this is slightly off topic but if you happen to know the answer let me know.  I am using SBS2003 on my server.

0
 
LVL 70

Expert Comment

by:Qlemo
ID: 34415376
This question has been classified as abandoned and is being closed as part of the Cleanup Program.  See my comment at the end of the question for more details.
0
