Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1580
Views
0
Helpful
5
Replies

Zone based firewall block smtp

cemil.heyderov
Level 1
Level 1

‎05-22-2020 03:22 AM

i dear friends, i have exchange server 2016 and this server connect to internet via cisco router 2911, when users send mail with attachment these mail stay in queue exchange server.but when i turn of zone based firewall mails send normaly.help plz.how can i resolve thise problem?

Labels:
0 Helpful
5 Replies 5

cemil.heyderov
Level 1
Level 1

‎05-22-2020 03:24 AM

my config out to in on zone based firewall

Zone-pair name sdm-zp-NATOutsideToInside-1
Source-Zone out-zone Destination-Zone in-zone
service-policy sdm-pol-NATOutsideToInside-1
policy-map type inspect sdm-pol-NATOutsideToInside-1
class type inspect sdm-nat--1
inspect
class class-default
drop
class-map type inspect match-all sdm-nat--1
match access-group 101
match protocol tcp
Extended IP access list 101
10 permit tcp any host 10.10.0.9 eq smtp
20 permit tcp any host 10.10.0.9 eq 443

10.10.0.9 ip adress exchange server

0 Helpful

ppreenja
Cisco Employee
Cisco Employee
In response to cemil.heyderov

‎05-22-2020 04:32 AM

Hi Cemil,

The issue might be occurring since you have enabled SMTP inspection in your zone-based firewall as below:

class type inspect sdm-nat--1
inspect

I would request to disabled the inspection in your zone-based firewall and hopefully it will help resolve your issue.
You can refer to below article for details on inspection zone-based firewall:

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_zbf/configuration/15-mt/sec-data-zbf-15-mt-book/sec-zone-pol-fw.html

I hope the above information helps.

Cheers,
Pratham
0 Helpful

cemil.heyderov
Level 1
Level 1
In response to ppreenja

‎05-22-2020 04:50 AM

Thank for link but i read.i can not understant what is incorrect on my config.because some domain i can send mail with attachment some i cannot.on my config i have not filter.and what blocked send mail

0 Helpful

cemil.heyderov
Level 1
Level 1
In response to ppreenja

‎05-30-2020 04:30 AM

i read this link thank a lot.but i cannot understant why only mails with attachment cannot go throw router some domains?

examle i can send emal with attachment xxx.com but cannot yyy.com

0 Helpful

cemil.heyderov
Level 1
Level 1
In response to cemil.heyderov

‎05-30-2020 04:51 AM

i write acl permit ip any host ip_adress_domain   and add this acl to class map. class map add to policy --pass

zone-pair source in dest out. but result is same

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents