cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
684
Views
0
Helpful
5
Replies

ZBPF SMTP Issue

johnlloyd_13
Level 9
Level 9

hi all,

we have a router using VRF and ZBF. for some reason ESMP port 587 works but not STMP port 25.

telnet abc.com. 587

220 abc.com Microsoft ESMTP MAIL Service ready at Wed, 12 Jun 2013 16:47:45 +0800

ehlo abc.com

250-abc.com Hello [192.168.10.26]

250-SIZE 10485760

250-PIPELINING

250-DSN

250-ENHANCEDSTATUSCODES

250-STARTTLS

250-AUTH GSSAPI NTLM

250-8BITMIME

250-BINARYMIME

250 CHUNKING

----

$ telnet abc.com 25

Trying 203.x.x.x...

Connected to abc.com (203.x.x.x).

Escape character is '^]'.

220 A13001HSB.x.x.x Microsoft ESMTP MAIL Service ready at Thu, 13 Jun 2013 17:50:49 +0800

ehlo

500 5.3.3 Unrecognized command

i'm still reviewing the setup and maybe someone can point me where to look.

below is the ACL and will post other config if needed. TIA!

Extended IP access list ABC_IN

    10 permit tcp any 203.x.x.x 0.0.0.7 eq 3389

    20 permit tcp any 203.x.x.x 0.0.0.7 eq smtp 

    30 permit tcp any 203.x.x.x 0.0.0.7 eq 587

    40 permit tcp any 203.x.x.x 0.0.0.7 eq 993

    50 permit tcp any 203.x.x.x 0.0.0.7 eq 443

    60 permit tcp 10.130.0.0 0.0.255.255 203.x.x.x 0.0.0.7 eq 3389

    70 permit tcp 203.y.y.y 0.0.0.255 203.x.x.x 0.0.0.7 eq 3389

    80 permit tcp 203..y.y.y 0.0.0.255 203.x.x.x 0.0.0.7 eq 3389

    90 permit tcp 203..y.y.y 0.0.0.255 203.x.x.x 0.0.0.7 eq 3389

    100 permit tcp 203..y.y.y 0.0.0.255 203.x.x.x 0.0.0.7 eq 3389

    110 permit tcp host 125.z.z.z 203.x.x.x 0.0.0.7 eq www

    120 permit tcp host 125.z.z.z  203.x.x.x 0.0.0.7 eq 443

    130 permit tcp host 125.z.z.z  203.x.x.x 0.0.0.7 eq 10050

    140 permit tcp host 125.z.z.z  203.x.x.x 0.0.0.7 eq 10051

----

Extended IP access list ABC_OUT

    10 permit tcp 203.x.x.x 0.0.0.7 any eq www

    20 permit tcp 203.x.x.x 0.0.0.7 any eq 443

    30 permit tcp 203.x.x.x 0.0.0.7 any eq smtp

    40 permit tcp 203.x.x.x 0.0.0.7 any eq 587

    50 permit tcp 203.x.x.x 0.0.0.7 any eq 587

    60 permit tcp 203.x.x.x 0.0.0.7 any eq smtp

    70 permit tcp 203.x.x.x 0.0.0.7 any eq 993

    80 permit tcp 203.x.x.x 0.0.0.7 any eq 993

----

when VRF and ZBF are removed and port is assigned to public or the OUT zone, both ports works:

interface GigabitEthernet0/2

no ip vrf forwarding ABC

no zone-member security ABC

zone-member security OUT

ip address 203.x.x.x 255.255.255.248

1 Accepted Solution

Accepted Solutions

Hello,

Sure,

Remember to add the command

IP inspect log drop-pkt so u can see the packets getting dropped in the logging events, then u will know where to look.

Regards,

Remember to rate all of the helpful posts.

For this community that's as important as a thanks.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

View solution in original post

5 Replies 5

Julio Carvajal
VIP Alumni
VIP Alumni

Hello,

What you post does not work,

I need the entire configuration so I can see the Policy-map, class-map , etc configuration,

Regards

Remember to rate all of the helpful posts.

For this community that's as important as a thanks.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

hi,

i know you'd say that. it's kinda hard to omit data on the ZBF policies.

i gotta feeling this might be an IOS issue. let me tshoot further. thanks!

Hello,

Sure,

Remember to add the command

IP inspect log drop-pkt so u can see the packets getting dropped in the logging events, then u will know where to look.

Regards,

Remember to rate all of the helpful posts.

For this community that's as important as a thanks.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

hi,

this is a great command and thanks for the tip!

Hello John,

My pleasure to help,

U can then use the

show logging | include x.x.x.x (IP being used on the communication to find the cause of the issue, it will always point why this is failing, that's the greatest thing about ZBFW)

Any other question u can let me know

Remember to rate all of the helpful posts.

For this community that's as important as a thanks.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: