davidiwharper
Cisco router blocks SMTP traffic with "pass" firewall action
I've got a problem on a client's router regarding SMTP. The router is causing some SMTP transmissions to time out, and so I've changed the "inspect" option in the firewall to simply "pass".
However, having made the change in Cisco Config Pro, obviously something has gone wrong because now SMTP traffic simply fails in both directions (external > router > server and server > router > external). This means that something in the configuration is amiss - what is it??? I've examined the config myself but can't see what is going wrong.
Thanks!
David
Cisco-Config-Broken.txt
ASKER
sh run output is attached to the original question, as are the access lists.
Cheers
David
ASKER
Here is the output from show ip access-lists:
The email server is 192.168.10.3.
Standard IP access list 1
10 permit 192.168.10.0, wildcard bits 0.0.0.255
Standard IP access list 2
10 permit 192.168.10.0, wildcard bits 0.0.0.255
20 deny any
Extended IP access list 100
10 permit ip host 255.255.255.255 any
20 permit ip 127.0.0.0 0.255.255.255 any
Extended IP access list 101
10 permit ip any host 192.168.10.5 (6562 matches)
Extended IP access list 102
10 permit ip any host 192.168.10.3 (964 matches)
Extended IP access list 103
10 permit ip any host 192.168.10.5 (6076 matches)
Extended IP access list 104
10 permit ip any host 192.168.10.5 (4829 matches)
Extended IP access list 105
10 permit ip 192.168.10.0 0.0.0.255 any
Extended IP access list 106
10 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255 (883847 matches)
Extended IP access list 107
10 permit ip host 120.146.150.204 any (26 matches)
Extended IP access list 108
10 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
Extended IP access list 109
10 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255 (445386 matches)
20 permit ip 192.168.10.0 0.0.0.255 any (163259 matches)
Extended IP access list 110
10 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
Extended IP access list 111
10 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
Extended IP access list SDM_AH
10 permit ahp any any
Extended IP access list SDM_ESP
10 permit esp any any
Extended IP access list SDM_IP
10 permit ip any any (5392 matches)
It is inspect that breaks EHLO and STARTTLS
ASKER
Thanks for your comment, but I'm afraid I don't understand it. "inspect" for SMTP mostly works, but "pass" stops everything. Do you mean that other categories of traffic also must be set to "pass", or are you explaining why "inspect" causes some inbound emails to time out?
Inspect causes lots of timeouts. Only sending postfix works around it, and no other mail software.
ASKER
Ok. So this is why I changed to pass. But now no mail flows at all. I've done something wrong but can't see what.
Useful commands might be:
"no ip inspect smtp"
"no ip inspect smtp"
"show ip inspect"
ASKER
The config is much more complex than that unfortunately - see the attachment to the initial question.
SOLUTION
ASKER
Ok, done something like that. Mail flows out but (I assume due to the fact that traffic not matching the out-to-in rule is dropped) doesn't flow in.
What now?
Cisco-Config-Broken-Again.txt
SOLUTION
ASKER
Thanks for your comment.
Isn't that what this is:
ip nat inside source static tcp 192.168.10.3 25 interface Dialer0 25
If that's insufficient, what sort of access list config would I need to create?
No, that's forwarding tcp port 25.
sh run | i access-list
ASKER
Thanks for that bit of clarification.
As you may have seen from the config I posted, the access lists are not directly applied to interfaces. Rather, the work is done through policy and class maps.
I assume what we need therefore is a separate policy to allow for direct SMTP inward flow? As you may have also seen earlier in this question, when I simply changed the preconfigured policy to switch "inspect" for "pass" traffic stopped altogether.
Anyway, I'll post the command output momentarily.
ASKER
ip access-list extended SDM_AH
ip access-list extended SDM_ESP
ip access-list extended SDM_IP
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 2 remark HTTP Access-class list
access-list 2 remark CCP_ACL Category=1
access-list 2 permit 192.168.10.0 0.0.0.255
access-list 2 deny any
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 103 remark CCP_ACL Category=0
access-list 103 permit ip any host 192.168.10.5
access-list 104 remark CCP_ACL Category=0
access-list 104 permit ip any host 192.168.10.5
access-list 105 remark CCP_ACL Category=4
access-list 105 permit ip 192.168.10.0 0.0.0.255 any
access-list 106 remark CCP_ACL Category=4
access-list 106 remark IPSec Rule
access-list 106 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 107 remark CCP_ACL Category=128
access-list 107 permit ip host 120.146.150.204 any
access-list 108 remark CCP_ACL Category=0
access-list 108 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 109 remark CCP_ACL Category=2
access-list 109 remark IPSec Rule
access-list 109 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 109 permit ip 192.168.10.0 0.0.0.255 any
access-list 110 remark CCP_ACL Category=0
access-list 110 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 111 remark CCP_ACL Category=0
access-list 111 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
This matches what is in the full config posted earlier, FYI
What is the output of:
sh run | i inspect
(copy and paste that to preserve case and spaces)
ASKER
class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
class-map type inspect match-all sdm-cls-VPNOutsideToInside-3
class-map type inspect match-all sdm-cls-VPNOutsideToInside-2
class-map type inspect match-all sdm-nat-user-protocol--1-1
class-map type inspect match-any SDM_AH
class-map type inspect match-any SDM_ESP
class-map type inspect match-any SDM_VPN_TRAFFIC
class-map type inspect match-all SDM_VPN_PT
class-map type inspect match-any ccp-cls-insp-traffic
class-map type inspect match-all ccp-insp-traffic
class-map type inspect match-any SDM_IP
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
class-map type inspect match-any ccp-cls-icmp-access
class-map type inspect match-all ccp-icmp-access
class-map type inspect match-all ccp-invalid-src
class-map type inspect match-all sdm-nat-https-1
class-map type inspect match-all ccp-protocol-http
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
policy-map type inspect sdm-pol-NATOutsideToInside-1
class type inspect sdm-nat-https-1
inspect
class type inspect sdm-nat-user-protocol--1-1
inspect
class type inspect sdm-cls-VPNOutsideToInside-1
inspect
class type inspect sdm-cls-VPNOutsideToInside-2
inspect
class type inspect sdm-cls-VPNOutsideToInside-3
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
policy-map type inspect ccp-permit
class type inspect SDM_VPN_PT
class type inspect SDM_EASY_VPN_SERVER_PT
policy-map type inspect sdm-permit-ip
class type inspect SDM_IP
class type inspect sdm-cls-VPNOutsideToInside-1
inspect
class type inspect sdm-cls-VPNOutsideToInside-2
inspect
class type inspect sdm-cls-VPNOutsideToInside-3
service-policy type inspect ccp-permit-icmpreply
service-policy type inspect sdm-pol-NATOutsideToInside-1
service-policy type inspect ccp-inspect
service-policy type inspect ccp-permit
service-policy type inspect sdm-permit-ip
service-policy type inspect sdm-permit-ip
service-policy type inspect sdm-permit-ip
service-policy type inspect sdm-permit-ip
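One caveat when reading the listing above: `sh run | i inspect` keeps only lines containing the word "inspect", so any `pass`, `drop` or `police` action configured under a class is simply absent from the output, and a class that appears with no action line is not necessarily unconfigured. As an added example (not from the thread or from Cisco), this Python parser reads such filtered output and flags the classes whose action the filter hid; the sample is a constructed excerpt modelled on the posted output.

```python
# Constructed excerpt modelled on the `sh run | i inspect` output in the
# thread (pasted IOS output loses its indentation, so none is assumed).
FILTERED_OUTPUT = """\
class-map type inspect match-all ccp-invalid-src
class-map type inspect match-all ccp-protocol-http
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
policy-map type inspect ccp-permit
class type inspect SDM_VPN_PT
class type inspect SDM_EASY_VPN_SERVER_PT
service-policy type inspect ccp-inspect
service-policy type inspect ccp-permit
"""


def parse_policy_actions(text):
    """Map each policy-map to an ordered list of (class, action) pairs.

    Only the word "inspect" survives the filter, so the recorded action is
    either "inspect" or None (the real action, e.g. pass or drop, was hidden).
    """
    policies = {}
    policy = None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("policy-map type inspect "):
            policy = line.split()[-1]
            policies[policy] = []
        elif policy is not None and line.startswith("class type inspect "):
            policies[policy].append((line.split()[-1], None))
        elif policy is not None and line == "inspect" and policies[policy]:
            name, _ = policies[policy][-1]
            policies[policy][-1] = (name, "inspect")
        elif line.startswith(("class-map", "service-policy")):
            policy = None  # we have left the policy-map block
    return policies


def hidden_actions(policies):
    """Return (policy-map, class) pairs whose action the filter removed."""
    return [(p, c) for p, classes in policies.items()
            for c, action in classes if action is None]


if __name__ == "__main__":
    parsed = parse_policy_actions(FILTERED_OUTPUT)
    for p, classes in parsed.items():
        for c, action in classes:
            print(f"{p}: {c} -> {action or 'NOT SHOWN (pass/drop/police filtered out)'}")
    print("re-check these without the filter:", hidden_actions(parsed))
```

Running `show policy-map type inspect` or an unfiltered `show run` on the flagged classes shows the action the filter dropped.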
Without knowing what all of these objects are: are you inspecting smtp or esmtp?
ASKER
SMTP. But the current rules don't account for that. You should really look at the original config at the beginning of the question to see the history of this issue.
The outline is that inspecting SMTP works mostly but breaks TLS connections. Removing all SMTP rules allows outbound but not inbound. So we now need a "pass" only rule for inbound SMTP. When I simply changed "inspect" to "pass" on the original config, SMTP traffic stopped in both directions.
SOLUTION
ASKER
No such luck. The command 'class class-default' fails outright, and the zone-pair commands say that INSIDE and OUTSIDE do not exist. When I replace them with "in-zone" and "out-zone", as per the available zones, the following message shows:
% Already zone-pair ccp-zp-in-out exists for the specified source and destination zones
service-policy type inspect commands also fail to apply.
The router is now running IOS 15.3 FYI
ASKER CERTIFIED SOLUTION
ASKER
This problem was solved by Cisco support, and is likely caused by a bug in IOS.
However, I will award the points for this thread to gheist, Jan Springer and Network Zero for bravely assisting with this problem along the way. I really appreciate your support.
- Can you share with us your sh run output?