Cisco router blocks SMTP traffic with "pass" firewall action

I've got a problem on a client's router regarding SMTP. The router is causing some SMTP transmissions to time out, and so I've changed the "inspect" option in the firewall to simply "pass".

However, having made the change in Cisco Config Pro, obviously something has gone wrong because now SMTP traffic simply fails in both directions (external > router > server and server > router > external). This means that something in the configuration is amiss - what is it??? I've examined the config myself but can't see what is going wrong.

Thanks!
David
Cisco-Config-Broken.txt
davidiwharperAsked:
Soufiane Adil, Ph.DIT, Network Architect - CCNP/CCDPCommented:
- Can you check if there is any access-list stopping port 25?
- Can you share with us your sh run output?
0
davidiwharperAuthor Commented:
sh run output is attached to the original question, as are the access lists.

Cheers
David
0
davidiwharperAuthor Commented:
Here is the output from show ip access-lists:

Standard IP access list 1
    10 permit 192.168.10.0, wildcard bits 0.0.0.255
Standard IP access list 2
    10 permit 192.168.10.0, wildcard bits 0.0.0.255
    20 deny   any
Extended IP access list 100
    10 permit ip host 255.255.255.255 any
    20 permit ip 127.0.0.0 0.255.255.255 any
Extended IP access list 101
    10 permit ip any host 192.168.10.5 (6562 matches)
Extended IP access list 102
    10 permit ip any host 192.168.10.3 (964 matches)
Extended IP access list 103
    10 permit ip any host 192.168.10.5 (6076 matches)
Extended IP access list 104
    10 permit ip any host 192.168.10.5 (4829 matches)
Extended IP access list 105
    10 permit ip 192.168.10.0 0.0.0.255 any
Extended IP access list 106
    10 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255 (883847 matches)
Extended IP access list 107
    10 permit ip host 120.146.150.204 any (26 matches)
Extended IP access list 108
    10 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
Extended IP access list 109
    10 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255 (445386 matches)
    20 permit ip 192.168.10.0 0.0.0.255 any (163259 matches)
Extended IP access list 110
    10 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
Extended IP access list 111
    10 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
Extended IP access list SDM_AH
    10 permit ahp any any
Extended IP access list SDM_ESP
    10 permit esp any any
Extended IP access list SDM_IP
    10 permit ip any any (5392 matches)


The email server is 192.168.10.3.
0
gheistCommented:
It is inspect that breaks EHLO and STARTTLS
0
davidiwharperAuthor Commented:
Thanks for your comment, but I'm afraid I don't understand it. "inspect" for SMTP mostly works, but "pass" stops everything. Do you mean that other categories of traffic also must be set to "pass", or are you explaining why "inspect" causes some inbound emails to time out?
0
gheistCommented:
Inspect causes lots of timeouts. Only sending Postfix works around it, and no other mail software.
0
davidiwharperAuthor Commented:
Ok. So this is why I changed to pass. But now no mail flows at all. I've done something wrong but can't see what.
0
gheistCommented:
Useful commands might be:
"no ip inspect smtp"
"no ip inspect smtp"
"show ip inspect"
0
davidiwharperAuthor Commented:
The config is much more complex than that unfortunately - see the attachment to the initial question.
0
gheistCommented:
Does it work with SMTP inspect disabled or not? Yes, I see it in 5 places in your config.
0
davidiwharperAuthor Commented:
Ok, done something like that. Mail flows out but (I assume due to the fact that traffic not matching the out-to-in rule is dropped) doesn't flow in.

What now?
Cisco-Config-Broken-Again.txt
0
Jan SpringerCommented:
I don't see an access-list for the outside interface allowing tcp port 25 traffic in.
0
davidiwharperAuthor Commented:
Thanks for your comment.

Isn't that what this is:

ip nat inside source static tcp 192.168.10.3 25 interface Dialer0 25

If that's insufficient, what sort of access list config would I need to create?
0
Jan SpringerCommented:
No, that's forwarding tcp port 25.

sh run | i access-list
0
davidiwharperAuthor Commented:
Thanks for that bit of clarification.

As you may have seen from the config I posted, the access lists are not directly applied to interfaces. Rather, the work is done through policy and class maps.

I assume what we need therefore is a separate policy to allow for direct SMTP inward flow? As you may have also seen earlier in this question, when I simply changed the preconfigured policy to switch "inspect" for "pass" traffic stopped altogether.

Anyway, I'll post the command output momentarily.
0
davidiwharperAuthor Commented:
ip access-list extended SDM_AH
ip access-list extended SDM_ESP
ip access-list extended SDM_IP
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 2 remark HTTP Access-class list
access-list 2 remark CCP_ACL Category=1
access-list 2 permit 192.168.10.0 0.0.0.255
access-list 2 deny   any
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 103 remark CCP_ACL Category=0
access-list 103 permit ip any host 192.168.10.5
access-list 104 remark CCP_ACL Category=0
access-list 104 permit ip any host 192.168.10.5
access-list 105 remark CCP_ACL Category=4
access-list 105 permit ip 192.168.10.0 0.0.0.255 any
access-list 106 remark CCP_ACL Category=4
access-list 106 remark IPSec Rule
access-list 106 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 107 remark CCP_ACL Category=128
access-list 107 permit ip host 120.146.150.204 any
access-list 108 remark CCP_ACL Category=0
access-list 108 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 109 remark CCP_ACL Category=2
access-list 109 remark IPSec Rule
access-list 109 deny   ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 109 permit ip 192.168.10.0 0.0.0.255 any
access-list 110 remark CCP_ACL Category=0
access-list 110 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 111 remark CCP_ACL Category=0
access-list 111 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255

This matches what is in the full config posted earlier, FYI
0
Jan SpringerCommented:
What is the output of:

sh run | i inspect

(copy and paste that to preserve case and spaces)
0
davidiwharperAuthor Commented:
class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
class-map type inspect match-all sdm-cls-VPNOutsideToInside-3
class-map type inspect match-all sdm-cls-VPNOutsideToInside-2
class-map type inspect match-all sdm-nat-user-protocol--1-1
class-map type inspect match-any SDM_AH
class-map type inspect match-any SDM_ESP
class-map type inspect match-any SDM_VPN_TRAFFIC
class-map type inspect match-all SDM_VPN_PT
class-map type inspect match-any ccp-cls-insp-traffic
class-map type inspect match-all ccp-insp-traffic
class-map type inspect match-any SDM_IP
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
class-map type inspect match-any ccp-cls-icmp-access
class-map type inspect match-all ccp-icmp-access
class-map type inspect match-all ccp-invalid-src
class-map type inspect match-all sdm-nat-https-1
class-map type inspect match-all ccp-protocol-http
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect
policy-map type inspect sdm-pol-NATOutsideToInside-1
 class type inspect sdm-nat-https-1
  inspect
 class type inspect sdm-nat-user-protocol--1-1
  inspect
 class type inspect sdm-cls-VPNOutsideToInside-1
  inspect
 class type inspect sdm-cls-VPNOutsideToInside-2
  inspect
 class type inspect sdm-cls-VPNOutsideToInside-3
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
 class type inspect ccp-protocol-http
  inspect
 class type inspect ccp-insp-traffic
  inspect
policy-map type inspect ccp-permit
 class type inspect SDM_VPN_PT
 class type inspect SDM_EASY_VPN_SERVER_PT
policy-map type inspect sdm-permit-ip
 class type inspect SDM_IP
 class type inspect sdm-cls-VPNOutsideToInside-1
  inspect
 class type inspect sdm-cls-VPNOutsideToInside-2
  inspect
 class type inspect sdm-cls-VPNOutsideToInside-3
 service-policy type inspect ccp-permit-icmpreply
 service-policy type inspect sdm-pol-NATOutsideToInside-1
 service-policy type inspect ccp-inspect
 service-policy type inspect ccp-permit
 service-policy type inspect sdm-permit-ip
 service-policy type inspect sdm-permit-ip
 service-policy type inspect sdm-permit-ip
 service-policy type inspect sdm-permit-ip

0
Jan SpringerCommented:
Without knowing what all of these objects are: are you inspecting smtp or esmtp?
0
davidiwharperAuthor Commented:
SMTP. But the current rules don't account for that. You should really look at the original config at the beginning of the question to see the history of this issue.

The outline is that inspecting SMTP works mostly but breaks TLS connections. Removing all SMTP rules allows outbound but not inbound. So we now need a "pass" only rule for inbound SMTP. When I simply changed "inspect" to "pass" on the original config, SMTP traffic stopped in both directions.
0
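As an added illustration (not code from the thread, from Cisco, or from Config Pro), a small Python audit of a zone-based firewall policy-map fragment. It makes two defensive points the discussion above touches on: a class with no explicit action (and class-default) drops silently, and `sh run | i inspect` filters out the `pass`/`drop` lines, so the output posted above cannot show which classes were actually changed. The config text is constructed; the class names only mirror the CCP naming style seen in the thread.

```python
# Constructed sample in the shape of "show running-config | section policy-map".
# Names imitate the CCP/SDM style from the thread; the content is illustrative only.
SAMPLE = """\
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
  inspect
 class type inspect ccp-protocol-smtp
  pass
 class class-default
  drop
policy-map type inspect sdm-pol-NATOutsideToInside-1
 class type inspect sdm-nat-smtp-1
  inspect
 class type inspect sdm-cls-VPNOutsideToInside-3
 class class-default
"""

ACTIONS = ("inspect", "pass", "drop")


def parse_policy_maps(text):
    """Return {policy_name: {class_name: action}}.

    A class that carries no inspect/pass/drop line is recorded as
    'drop (implicit)', which is the zone-based firewall default.
    """
    policies, policy, cls = {}, None, None
    for line in text.splitlines():
        depth = len(line) - len(line.lstrip(" "))   # IOS nests with 1 and 2 spaces
        words = line.split()
        if not words:
            continue
        if depth == 0 and words[:3] == ["policy-map", "type", "inspect"]:
            policy = policies.setdefault(words[3], {})
            cls = None
        elif depth == 1 and words[0] == "class" and policy is not None:
            cls = words[-1]        # "class type inspect NAME" or "class class-default"
            policy[cls] = "drop (implicit)"
        elif depth >= 2 and cls is not None and words[0] in ACTIONS:
            policy[cls] = " ".join(words)
    return policies


def implicit_drops(policies):
    """List (policy, class) pairs that drop traffic without saying so."""
    return [(p, c) for p, classes in policies.items()
            for c, action in classes.items() if action == "drop (implicit)"]


def grep_inspect(text):
    """Mimic 'sh run | i inspect': only lines containing 'inspect' survive."""
    return [line for line in text.splitlines() if "inspect" in line]
```

Running `implicit_drops(parse_policy_maps(SAMPLE))` flags the two silent drops, while `grep_inspect(SAMPLE)` contains no `pass` or `drop` line at all, which is why `sh run | section policy-map` is the more useful view when auditing actions.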
Network ZeroCloud Engineer Commented:
Try this:

class-map type inspect match-any CLASS_MAP_IN_TO_OUT
match protocol smtp

policy-map type inspect POLICY_MAP_IN_TO_OUT
policy-map type inspect POLICY_MAP_OUT_TO_IN
class type inspect CLASS_MAP_IN_TO_OUT
class type inspect CLASS_MAP_OUT_TO_IN

class class-default
pass

zone-pair security ZONE_PAIR_IN_TO_OUT source INSIDE destination OUTSIDE
zone-pair security ZONE_PAIR_IN_TO_OUT source OUTSIDE destination INSIDE

service-policy type inspect POLICY_MAP_IN_TO_OUT
service-policy type inspect POLICY_MAP_OUT_TO_IN
0
davidiwharperAuthor Commented:
No such luck. The command 'class class-default' fails outright, and the zone pair commands say that INSIDE and OUTSIDE do not exist. When I replace them with "in-zone" and "out-zone" as per the available zones, the following message shows:


% Already zone-pair ccp-zp-in-out exists for the specified source and destination zones

service-policy type inspect commands also fail to apply.

The router is now running IOS 15.3 FYI
0
davidiwharperAuthor Commented:
The final answer! From Cisco support:


SMTP inspection is not working. Let’s inspect not in layer 7 but only layer 4.

class-map type inspect match-all sdm-nat-smtp-1
match access-group 104
no match protocol smtp
!
class-map type inspect match-all ccp-protocol-smtp
no match protocol smtp
match access-group 104

This feels awfully like a bug in IOS rather than a configuration issue. The first action suggested by Cisco was to simply change "inspect" to "pass" like I did right back at the beginning of this thread.

For reference, the platform is the Cisco 800 series with IOS 15.x.
0
davidiwharperAuthor Commented:
This problem was solved by Cisco support, and is likely caused by a bug in IOS.

However, I will award the points for this thread to gheist, Jan Springer and Network Zero for bravely assisting with this problem along the way. I really appreciate your support.
0