Solved

Cisco router blocks SMTP traffic with "pass" firewall action

Posted on 2014-08-31
Last Modified: 2015-03-03
I've got a problem on a client's router regarding SMTP. The router is causing some SMTP transmissions to time out, and so I've changed the "inspect" option in the firewall to simply "pass".

However, having made the change in Cisco Config Pro, obviously something has gone wrong because now SMTP traffic simply fails in both directions (external > router > server and server > router > external). This means that something in the configuration is amiss - what is it? I've examined the config myself but can't see what is going wrong.

Thanks!
David
Cisco-Config-Broken.txt
Question by:davidiwharper

Expert Comment

by:Soufiane Adil, Ph.D
ID: 40295562
- Can you check if there is any access-list is stopping 25 port ?
- Can you share with us your sh run output?

Author Comment

by:davidiwharper
ID: 40300265
sh run output is attached to the original question, as are the access lists.

Cheers
David

Author Comment

by:davidiwharper
ID: 40300463
Here is the output from show ip access-lists:

Standard IP access list 1
    10 permit 192.168.10.0, wildcard bits 0.0.0.255
Standard IP access list 2
    10 permit 192.168.10.0, wildcard bits 0.0.0.255
    20 deny   any
Extended IP access list 100
    10 permit ip host 255.255.255.255 any
    20 permit ip 127.0.0.0 0.255.255.255 any
Extended IP access list 101
    10 permit ip any host 192.168.10.5 (6562 matches)
Extended IP access list 102
    10 permit ip any host 192.168.10.3 (964 matches)
Extended IP access list 103
    10 permit ip any host 192.168.10.5 (6076 matches)
Extended IP access list 104
    10 permit ip any host 192.168.10.5 (4829 matches)
Extended IP access list 105
    10 permit ip 192.168.10.0 0.0.0.255 any
Extended IP access list 106
    10 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255 (883847 matches)
Extended IP access list 107
    10 permit ip host 120.146.150.204 any (26 matches)
Extended IP access list 108
    10 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
Extended IP access list 109
    10 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255 (445386 matches)
    20 permit ip 192.168.10.0 0.0.0.255 any (163259 matches)
Extended IP access list 110
    10 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
Extended IP access list 111
    10 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
Extended IP access list SDM_AH
    10 permit ahp any any
Extended IP access list SDM_ESP
    10 permit esp any any
Extended IP access list SDM_IP
    10 permit ip any any (5392 matches)


The email server is 192.168.10.3.

Expert Comment

by:gheist
ID: 40314188
It is inspect that breaks EHLO and STARTTLS

Author Comment

by:davidiwharper
ID: 40314321
Thanks for your comment, but I'm afraid I don't understand it. "inspect" for SMTP mostly works, but "pass" stops everything. Do you mean that other categories of traffic also must be set to "pass", or are you explaining why "inspect" causes some inbound emails to time out?

Expert Comment

by:gheist
ID: 40314364
inspect causes lots of timeouts. Only sending postfix works around it, and no other mail software.

Author Comment

by:davidiwharper
ID: 40316121
Ok. So this is why I changed to pass. But now no mail flows at all. I've done something wrong but can't see what.

Expert Comment

by:gheist
ID: 40316236
Useful commands might be:
"no ip inspect smtp"
"show ip inspect"

Author Comment

by:davidiwharper
ID: 40316303
The config is much more complex than that unfortunately - see the attachment to the initial question.

Assisted Solution

by:gheist
gheist earned 600 total points
ID: 40316308
Does it work with SMTP inspect disabled or not? Yes, I see it in 5 places in your config.

Author Comment

by:davidiwharper
ID: 40321781
Ok, done something like that. Mail flows out but (I assume due to the fact that traffic not matching the out-to-in rule is dropped) doesn't flow in.

What now?
Cisco-Config-Broken-Again.txt

Assisted Solution

by:Jan Springer
Jan Springer earned 600 total points
ID: 40455365
I don't see an access-list for the outside interface allowing tcp port 25 traffic in.

Author Comment

by:davidiwharper
ID: 40459022
Thanks for your comment.

Isn't that what this is:

ip nat inside source static tcp 192.168.10.3 25 interface Dialer0 25


If that's insufficient, what sort of access list config would I need to create?

Expert Comment

by:Jan Springer
ID: 40459431
No, that's forwarding tcp port 25.  

sh run | i access-list

Author Comment

by:davidiwharper
ID: 40466301
Thanks for that bit of clarification.

As you may have seen from the config I posted, the access lists are not directly applied to interfaces. Rather, the work is done through policy and class maps.

I assume what we need therefore is a separate policy to allow for direct SMTP inward flow? As you may have also seen earlier in this question, when I simply changed the preconfigured policy to switch "inspect" for "pass" traffic stopped altogether.

Anyway, I'll post the command output momentarily.

Author Comment

by:davidiwharper
ID: 40466305
ip access-list extended SDM_AH
ip access-list extended SDM_ESP
ip access-list extended SDM_IP
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 2 remark HTTP Access-class list
access-list 2 remark CCP_ACL Category=1
access-list 2 permit 192.168.10.0 0.0.0.255
access-list 2 deny   any
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 103 remark CCP_ACL Category=0
access-list 103 permit ip any host 192.168.10.5
access-list 104 remark CCP_ACL Category=0
access-list 104 permit ip any host 192.168.10.5
access-list 105 remark CCP_ACL Category=4
access-list 105 permit ip 192.168.10.0 0.0.0.255 any
access-list 106 remark CCP_ACL Category=4
access-list 106 remark IPSec Rule
access-list 106 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 107 remark CCP_ACL Category=128
access-list 107 permit ip host 120.146.150.204 any
access-list 108 remark CCP_ACL Category=0
access-list 108 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 109 remark CCP_ACL Category=2
access-list 109 remark IPSec Rule
access-list 109 deny   ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 109 permit ip 192.168.10.0 0.0.0.255 any
access-list 110 remark CCP_ACL Category=0
access-list 110 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 111 remark CCP_ACL Category=0
access-list 111 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255


This matches what is in the full config posted earlier, FYI

Expert Comment

by:Jan Springer
ID: 40479135
What is the output of:

sh run | i inspect

(copy and paste that to preserve case and spaces)

Author Comment

by:davidiwharper
ID: 40479860
class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
class-map type inspect match-all sdm-cls-VPNOutsideToInside-3
class-map type inspect match-all sdm-cls-VPNOutsideToInside-2
class-map type inspect match-all sdm-nat-user-protocol--1-1
class-map type inspect match-any SDM_AH
class-map type inspect match-any SDM_ESP
class-map type inspect match-any SDM_VPN_TRAFFIC
class-map type inspect match-all SDM_VPN_PT
class-map type inspect match-any ccp-cls-insp-traffic
class-map type inspect match-all ccp-insp-traffic
class-map type inspect match-any SDM_IP
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
class-map type inspect match-any ccp-cls-icmp-access
class-map type inspect match-all ccp-icmp-access
class-map type inspect match-all ccp-invalid-src
class-map type inspect match-all sdm-nat-https-1
class-map type inspect match-all ccp-protocol-http
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect
policy-map type inspect sdm-pol-NATOutsideToInside-1
 class type inspect sdm-nat-https-1
  inspect
 class type inspect sdm-nat-user-protocol--1-1
  inspect
 class type inspect sdm-cls-VPNOutsideToInside-1
  inspect
 class type inspect sdm-cls-VPNOutsideToInside-2
  inspect
 class type inspect sdm-cls-VPNOutsideToInside-3
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
 class type inspect ccp-protocol-http
  inspect
 class type inspect ccp-insp-traffic
  inspect
policy-map type inspect ccp-permit
 class type inspect SDM_VPN_PT
 class type inspect SDM_EASY_VPN_SERVER_PT
policy-map type inspect sdm-permit-ip
 class type inspect SDM_IP
 class type inspect sdm-cls-VPNOutsideToInside-1
  inspect
 class type inspect sdm-cls-VPNOutsideToInside-2
  inspect
 class type inspect sdm-cls-VPNOutsideToInside-3
 service-policy type inspect ccp-permit-icmpreply
 service-policy type inspect sdm-pol-NATOutsideToInside-1
 service-policy type inspect ccp-inspect
 service-policy type inspect ccp-permit
 service-policy type inspect sdm-permit-ip
 service-policy type inspect sdm-permit-ip
 service-policy type inspect sdm-permit-ip
 service-policy type inspect sdm-permit-ip


Expert Comment

by:Jan Springer
ID: 40479979
Without knowing what all of these objects are:  are you inspecting smtp or esmtp?

Author Comment

by:davidiwharper
ID: 40482759
SMTP. But the current rules don't account for that. You should really look at the original config at the beginning of the question to see the history of this issue.

The outline is that inspecting SMTP works mostly but breaks TLS connections. Removing all SMTP rules allows outbound but not inbound. So we now need a "pass" only rule for inbound SMTP. When I simply changed "inspect" to "pass" on the original config, SMTP traffic stopped in both directions.

Assisted Solution

by:Network Zero
Network Zero earned 300 total points
ID: 40485144
Try this:

! Class-maps: one per direction, both matching SMTP.
! (The OUT_TO_IN class-map was referenced but not defined in the
!  original post; it is assumed here to mirror the IN_TO_OUT one.)
class-map type inspect match-any CLASS_MAP_IN_TO_OUT
 match protocol smtp
class-map type inspect match-any CLASS_MAP_OUT_TO_IN
 match protocol smtp
!
! Policy-maps: "pass" instead of "inspect" for the SMTP class,
! and "pass" for everything else via class-default.
policy-map type inspect POLICY_MAP_IN_TO_OUT
 class type inspect CLASS_MAP_IN_TO_OUT
  pass
 class class-default
  pass
policy-map type inspect POLICY_MAP_OUT_TO_IN
 class type inspect CLASS_MAP_OUT_TO_IN
  pass
 class class-default
  pass
!
! Zone-pairs (one name per direction) with their service-policies.
zone-pair security ZONE_PAIR_IN_TO_OUT source INSIDE destination OUTSIDE
 service-policy type inspect POLICY_MAP_IN_TO_OUT
zone-pair security ZONE_PAIR_OUT_TO_IN source OUTSIDE destination INSIDE
 service-policy type inspect POLICY_MAP_OUT_TO_IN

Author Comment

by:davidiwharper
ID: 40618004
No such luck. The command 'class class-default' fails outright, and the zone pair commands say that INSIDE and OUTSIDE do not exist. When I replace them with "in-zone" and "out-zone" as per the available zones, the following message shows:


% Already zone-pair ccp-zp-in-out exists for the specified source and destination zones

service-policy type inspect commands also fail to apply.

The router is now running IOS 15.3 FYI

Accepted Solution

by:davidiwharper
davidiwharper earned 0 total points
ID: 40623375
The final answer! From Cisco support:


SMTP inspection is not working. Let’s inspect not in layer 7 but only layer 4.

class-map type inspect match-all sdm-nat-smtp-1
match access-group 104
no match protocol smtp
!
class-map type inspect match-all ccp-protocol-smtp
no match protocol smtp
match access-group 104


This feels awfully like a bug in IOS rather than a configuration issue. The first action suggested by Cisco was to simply change "inspect" to "pass" like I did right back at the beginning of this thread.

For reference, the platform is the Cisco 800 series with IOS 15.x.
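Editor's added example (not part of any post in this thread, and not Cisco support's text). It puts the two points the thread circles around into one zone-based firewall fragment: the NAT static entry at ID 40459022 only rewrites addresses and does not by itself permit the flow, so the outside-to-inside zone-pair still needs a class that admits tcp/25 to the mail host; and the accepted fix at ID 40623375 keeps stateful inspection but drops it from layer 7 (match protocol smtp, which parses the SMTP command stream) to layer 4 (an access-group match only, which tracks the TCP session without parsing commands, so STARTTLS negotiation is untouched). Names taken from the thread: zones in-zone and out-zone, zone-pair ccp-zp-in-out, policy-map sdm-pol-NATOutsideToInside-1, class-map ccp-protocol-smtp, mail server 192.168.10.3, NAT on Dialer0. Assumed: the out-to-in zone-pair is named ccp-zp-out-in, and the ACL name below. Caveat: the thread's show ip access-lists output gives ACL 104 as permit ip any host 192.168.10.5 while the mail server is stated to be 192.168.10.3, so this example uses an ACL that names the mail host and port explicitly instead of reusing 104.

```cisco
! Added example, not from the thread. Assumed names: ccp-zp-out-in, ACL-OUT-TO-IN-SMTP.
!
! --- Before: layer-7 SMTP inspection (the setting the thread reports as
!     timing out and breaking EHLO/STARTTLS) ---
class-map type inspect match-all ccp-protocol-smtp
 match protocol smtp
!
! --- After: layer-4 inspection only. With just an access-group match the
!     firewall still creates a stateful TCP session for the flow but does not
!     parse SMTP commands, so extension negotiation is left alone.
ip access-list extended ACL-OUT-TO-IN-SMTP
 permit tcp any host 192.168.10.3 eq smtp
!
class-map type inspect match-all ccp-protocol-smtp
 no match protocol smtp
 match access-group name ACL-OUT-TO-IN-SMTP
!
! Keep "inspect" on the SMTP class and leave class-default at drop: a
! "class class-default / pass" on the out-to-in pair (as suggested earlier in
! the thread) would admit every unsolicited inbound flow, not just SMTP.
policy-map type inspect sdm-pol-NATOutsideToInside-1
 class type inspect ccp-protocol-smtp
  inspect
 class class-default
  drop log
!
zone-pair security ccp-zp-out-in source out-zone destination in-zone
 service-policy type inspect sdm-pol-NATOutsideToInside-1
!
! The static NAT entry from the thread. It maps the public port to the mail
! host but does not permit anything through the firewall on its own; the
! class above does that.
ip nat inside source static tcp 192.168.10.3 25 interface Dialer0 25
```

Two checks worth running afterwards: show zone-pair security confirms which policy-map is bound to each zone-pair, and show policy-map type inspect zone-pair ccp-zp-out-in sessions shows whether an inbound tcp/25 session is actually being created. Note also that the sh run | i inspect filter used earlier in the thread hides every pass, drop and drop log line because those lines do not contain the word "inspect", so that output cannot tell you which classes pass and which drop; use sh run | section policy-map to see the actions.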

Author Closing Comment

by:davidiwharper
ID: 40641449
This problem was solved by Cisco support, and is likely caused by a bug in IOS.

However, I will award the points for this thread to gheist, Jan Springer and Network Zero for bravely assisting with this problem along the way. I really appreciate your support.