Exchange Mail Access through Zone Based Firewall with S2S VPN

mariov652
Level 1

Hello experts,

I have (I think) a relatively simple internet and site-to-site VPN configuration in place.  The config is meant to be very secure with only certain individual IPs, protocols etc. allowed through.  I don't mind using the same firewall rules for the internet access as well as the site-to-site.

Basically, standard internet access is NAT'd and sent through fa4 (ISP assigned DHCP Address), while the site-to-site is setup to use virtual-ppp1 (ISP assigned static IP).

I need to add access to an exchange server on the other side of the site-to-site tunnel.  It works fine when removing the firewall from the interfaces, but I'm stuck when needing to add the mail rule to the existing configuration.  I hope someone might be able to look at the existing config below and recommend the correct way to allow the Mail access...

Existing configuration:

{....truncated}

crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key xxxxxxx address x.x.x.x
crypto isakmp nat keepalive 10

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel tox.x.x.x
set peer x.x.x.x
set security-association lifetime seconds 86400
set transform-set ESP-3DES-SHA
match address 100

class-map type inspect match-any inside-outside-traffic
match protocol http
match protocol https
match protocol dns
match protocol icmp
match protocol ntp
match access-group 111
class-map type inspect match-any outside-self-traffic
match access-group 110


policy-map type inspect inside-outside-policy
class type inspect inside-outside-traffic
  inspect
class class-default
  drop
policy-map type inspect outside-self-policy
class type inspect outside-self-traffic
  pass
class class-default
  drop


zone security inside
zone security outside
zone-pair security inside-outside-pair source inside destination outside
service-policy type inspect inside-outside-policy
zone-pair security outside-self-pair source outside destination self
service-policy type inspect outside-self-policy


interface FastEthernet4
description $ETH-WAN$
ip address dhcp
ip nat outside
ip virtual-reassembly
zone-member security outside

interface Virtual-PPP1
description L2TP dialer to ISP
ip address negotiated {static}
zone-member security outside
......

crypto map SDM_CMAP_1


interface Vlan1
ip address x.x.x.x
ip nat inside
zone-member security inside


ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload


access-list 100 remark IPSec Rule
access-list 100 permit ip x.x.x.x 0.0.0.255 y.y.y.y 0.0.0.255


access-list 101 remark NAT-RULES
access-list 101 deny   ip x.x.x.x 0.0.0.255 y.y.y.y 0.0.0.255
access-list 101 permit ip x.x.x.x 0.0.0.255 any

access-list 110 remark ACL_Outside_to_Self
access-list 110 permit udp host x.x.x.x any eq ntp
access-list 110 permit udp host x.x.x.x any eq ntp
access-list 110 permit udp x.x.x.x 0.0.0.255 any eq bootps
access-list 110 permit udp x.x.x.x 0.0.0.255 any eq bootpc
access-list 110 permit udp x.x.x.x 0.0.0.255 any eq 1701
access-list 110 permit udp x.x.x.x 0.0.0.255 any eq bootps
access-list 110 permit udp x.x.x.x 0.0.0.255 any eq bootpc
access-list 110 permit udp host x.x.x.x any eq isakmp

access-list 111 remark ACL_Inside_to_Outside
access-list 111 permit udp x.x.x.x 0.0.0.255 any eq isakmp
access-list 111 permit esp x.x.x.x 0.0.0.255 any
access-list 111 permit udp x.x.x.x 0.0.0.255 any eq non500-isakmp
access-list 111 permit ahp x.x.x.x 0.0.0.255 any

!
route-map SDM_RMAP_1 permit 1
match ip address 101

{....truncated}

Thanks,

6 Replies

Anu M Chacko
Cisco Employee

Hi,

You need to match port 25, for SMTP. If you are using POP3, match the protocol pop3.


class-map type inspect match-any inside-outside-traffic
  match protocol smtp
  match protocol pop3

Hope this helps!

Regards,

Anu

P.S. Please mark the thread as resolved if the question has been answered. Do rate helpful posts.

Thanks for the mail.

I had tried inserting the rule before already with no luck.  This is the rule I tried....

class-map type inspect match-any inside-outside-traffic
match protocol http
match protocol https
match protocol dns
match protocol icmp
match protocol ntp
match protocol smtp
match protocol pop3
match access-group 111

I've tried to debug the traffic for the ZBF to check the reasons for the firewall dropping my packets.  Unfortunately I haven't found the correct syntax.  Would you know the syntax to use to output the ZBF messages?

Mario

Hi Mario,

Turn on "ip inspect log drop" and then "sh log" to see the logs when traffic goes through the firewall. Please paste the output of "sh log" here.

Regards,

Anu

Great!  That's the syntax I've been looking for....

Will get back once I get the correct settings.

Thanks,

If I add the access-list rules below to the config above, the connection works and mail is sent/received:

access-list 110 permit ip host 0.0.0.255

access-list 111 permit ip 0.0.0.255 host

However, this obviously allows ALL IP traffic between the exchange server and the entire local network.  Should the exchange server or local network be infected with a virus, this could pass between sites without restriction.  So I would prefer to specify individual ports/protocols allowed between the two sites.

Removing the new access-list and putting the configuration back to its original, the ip inspect log produces the logs below when opening an Outlook client...

"%FW-6-LOG_SUMMARY: 3 packets were dropped from :19019 => :135 (target:class)-(inside-outside-pair:class-default)
%FW-6-DROP_PKT: Dropping msrpc session :19032 :135 on zone-pair inside-outside-pair class class-default due to  DROP action found in policy-map with ip ident 0

GMT+1: %FW-6-DROP_PKT: Dropping tcp session :17370 :1220 on zone-pair inside-outside-pair class class-default due to  DROP action found in policy-map with ip ident 0
GMT+1: %FW-6-DROP_PKT: Dropping tcp session :17384 :1220 on zone-pair inside-outside-pair class class-default due to  DROP action found in policy-map with ip ident 0
GMT+1: %FW-6-LOG_SUMMARY: 1 packet were dropped from :17318 => :1040 (target:class)-(inside-outside-pair:class-default)
GMT+1: %FW-6-LOG_SUMMARY: 3 packets were dropped from :17370 => :1220 (target:class)-(inside-outside-pair:class-default)
GMT+1: %FW-6-LOG_SUMMARY: 3 packets were dropped from :17372 => :1165 (target:class)-(inside-outside-pair:class-default)

%FW-6-DROP_PKT: Dropping tcp session :17408 :1040 on zone-pair inside-outside-pair class class-default due to  DROP action found in policy-map with ip ident 0

%FW-6-DROP_PKT: Dropping tcp session :17422 :1165 on zone-pair inside-outside-pair class class-default due to  DROP action found in policy-map with ip ident 0
%FW-6-LOG_SUMMARY: 3 packets were dropped from :17408 => :1040 (target:class)-(inside-outside-pair:class-default)
%FW-6-LOG_SUMMARY: 3 packets were dropped from :17422 => :1165 (target:class)-(inside-outside-pair:class-default)"

- I don't understand why I don't see messages regarding smtp (25), pop3 (110) etc.

- This MS document indicates all the ports used by exchange servers and clients through firewalls (http://support.microsoft.com/kb/176466).  It doesn't mention the ports 1020, 1040, 1165 I'm seeing above.

- Port 135 is used for RPC applications to query the port number of a service.  I can allow this between sites separately.

Mario

**UPDATE**

By adding only the Access-lists below to the original configuration (in my first post), the communication works perfectly between Outlook client and Remote Exchange Server, and I'm assured the communication is only on the ports listed:

access-list 111 permit tcp 0.0.0.255 host eq 135
access-list 111 permit tcp 0.0.0.255 host eq 1220
access-list 111 permit tcp 0.0.0.255 host eq 1040
access-list 111 permit tcp 0.0.0.255 host eq 1165

I would appreciate if someone could explain *why* this is working.  I don't see the expected smtp/pop3 ports in the logs.

Regards,

Mario
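An added example, not part of the thread above: a small Python parser for the %FW-6-LOG_SUMMARY and %FW-6-DROP_PKT lines that "ip inspect log drop" produces, run over a constructed sample copied from the log excerpt in this thread (addresses were scrubbed there, so "host:port" appears as ":port"; the parser accepts both forms). It aggregates drops per zone-pair, class and destination port and flags any destination port that is not on the list you planned to permit. That is exactly the check that separates the two questions in the thread: the log itself labels the :135 session as msrpc, i.e. the RPC endpoint mapper, and an Outlook client talking MAPI to Exchange runs over RPC, with the follow-on connections going to ports the endpoint mapper hands out, which is why TCP 25 and 110 never show up in the drop log. The function and variable names are my own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the thread's "ip inspect log drop" output,
# with the scrubbed addresses left empty so "host:port" reads ":port".
SAMPLE_LOG = """\
%FW-6-LOG_SUMMARY: 3 packets were dropped from :19019 => :135 (target:class)-(inside-outside-pair:class-default)
%FW-6-DROP_PKT: Dropping msrpc session :19032 :135 on zone-pair inside-outside-pair class class-default due to  DROP action found in policy-map with ip ident 0
GMT+1: %FW-6-DROP_PKT: Dropping tcp session :17370 :1220 on zone-pair inside-outside-pair class class-default due to  DROP action found in policy-map with ip ident 0
GMT+1: %FW-6-LOG_SUMMARY: 1 packet were dropped from :17318 => :1040 (target:class)-(inside-outside-pair:class-default)
GMT+1: %FW-6-LOG_SUMMARY: 3 packets were dropped from :17370 => :1220 (target:class)-(inside-outside-pair:class-default)
%FW-6-DROP_PKT: Dropping tcp session :17422 :1165 on zone-pair inside-outside-pair class class-default due to  DROP action found in policy-map with ip ident 0
%FW-6-LOG_SUMMARY: 3 packets were dropped from :17422 => :1165 (target:class)-(inside-outside-pair:class-default)
"""

# LOG_SUMMARY: periodic packet counts per flow, with the zone-pair and class that dropped them.
SUMMARY_RE = re.compile(
    r"%FW-6-LOG_SUMMARY: (?P<count>\d+) packets? were dropped from "
    r"(?P<src>[\d.]*):(?P<sport>\d+) => (?P<dst>[\d.]*):(?P<dport>\d+) "
    r"\(target:class\)-\((?P<zp>[^:)]+):(?P<cls>[^)]+)\)"
)

# DROP_PKT: one line per dropped session; carries the protocol label the inspect engine assigned.
DROP_RE = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<proto>\S+) session "
    r"(?P<src>[\d.]*):(?P<sport>\d+) (?P<dst>[\d.]*):(?P<dport>\d+) "
    r"on zone-pair (?P<zp>\S+) class (?P<cls>\S+)"
)


def summarize_drops(log_text):
    """Aggregate drop messages keyed by (zone-pair, class, destination port)."""
    summary = defaultdict(lambda: {"protocols": set(), "packets": 0, "sessions": 0})
    for line in log_text.splitlines():
        m = SUMMARY_RE.search(line)
        if m:
            key = (m["zp"], m["cls"], int(m["dport"]))
            summary[key]["packets"] += int(m["count"])
            continue
        m = DROP_RE.search(line)
        if m:
            key = (m["zp"], m["cls"], int(m["dport"]))
            summary[key]["sessions"] += 1
            summary[key]["protocols"].add(m["proto"])
    return dict(summary)


def unexpected_ports(summary, expected_ports):
    """Destination ports seen in the drop log that are not on the list you planned to permit."""
    return sorted({dport for (_, _, dport) in summary if dport not in expected_ports})


def total_dropped(summary):
    """Dropped packets per (zone-pair, class): confirms which policy is doing the dropping."""
    totals = defaultdict(int)
    for (zp, cls, _), stats in summary.items():
        totals[(zp, cls)] += stats["packets"]
    return dict(totals)


if __name__ == "__main__":
    s = summarize_drops(SAMPLE_LOG)
    for (zp, cls, dport), stats in sorted(s.items(), key=lambda kv: kv[0][2]):
        print(f"{zp}/{cls} dport={dport} packets={stats['packets']} "
              f"sessions={stats['sessions']} protocols={sorted(stats['protocols'])}")
    # Ports you expected for mail (smtp, pop3, rpc endpoint mapper) versus what was actually dropped.
    print("dropped to ports outside the planned list:", unexpected_ports(s, {25, 110, 135}))
```

Running it against the sample prints port 135 tagged msrpc plus 1040, 1165 and 1220 tagged plain tcp, and reports 1040, 1165 and 1220 as outside the planned {25, 110, 135} list; on a live box, pipe the output of "show logging" into summarize_drops instead of the constructed sample.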
