05-23-2011 06:49 AM - edited 03-11-2019 01:37 PM
Hello experts,
I have (I think) a relatively simple internet and site-to-site VPN configuration in place. The config is meant to be very secure, with only certain individual IPs, protocols etc. allowed through. I don't mind using the same firewall rules for the internet access as well as the site-to-site.
Basically, standard internet access is NAT'd and sent through fa4 (ISP assigned DHCP Address), while the site-to-site is setup to use virtual-ppp1 (ISP assigned static IP).
I need to add access to an exchange server on the other side of the site-to-site tunnel. It works fine when removing the firewall from the interfaces, but I'm stuck when needing to add the mail rule to the existing configuration. I hope someone might be able to look at the existing config below and recommend the correct way to allow the Mail access...
Existing configuration:
{....truncated}
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key xxxxxxx address x.x.x.x
crypto isakmp nat keepalive 10
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to x.x.x.x
set peer x.x.x.x
set security-association lifetime seconds 86400
set transform-set ESP-3DES-SHA
match address 100
class-map type inspect match-any inside-outside-traffic
match protocol http
match protocol https
match protocol dns
match protocol icmp
match protocol ntp
match access-group 111
class-map type inspect match-any outside-self-traffic
match access-group 110
policy-map type inspect inside-outside-policy
class type inspect inside-outside-traffic
inspect
class class-default
drop
policy-map type inspect outside-self-policy
class type inspect outside-self-traffic
pass
class class-default
drop
zone security inside
zone security outside
zone-pair security inside-outside-pair source inside destination outside
service-policy type inspect inside-outside-policy
zone-pair security outside-self-pair source outside destination self
service-policy type inspect outside-self-policy
interface FastEthernet4
description $ETH-WAN$
ip address dhcp
ip nat outside
ip virtual-reassembly
zone-member security outside
interface Virtual-PPP1
description L2TP dialer to ISP
ip address negotiated {static}
zone-member security outside
......
crypto map SDM_CMAP_1
interface Vlan1
ip address x.x.x.x
ip nat inside
zone-member security inside
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
access-list 100 remark IPSec Rule
access-list 100 permit ip x.x.x.x 0.0.0.255 y.y.y.y 0.0.0.255
access-list 101 remark NAT-RULES
access-list 101 deny ip x.x.x.x 0.0.0.255 y.y.y.y 0.0.0.255
access-list 101 permit ip x.x.x.x 0.0.0.255 any
access-list 110 remark ACL_Outside_to_Self
access-list 110 permit udp host x.x.x.x any eq ntp
access-list 110 permit udp host x.x.x.x any eq ntp
access-list 110 permit udp x.x.x.x 0.0.0.255 any eq bootps
access-list 110 permit udp x.x.x.x 0.0.0.255 any eq bootpc
access-list 110 permit udp x.x.x.x 0.0.0.255 any eq 1701
access-list 110 permit udp x.x.x.x 0.0.0.255 any eq bootps
access-list 110 permit udp x.x.x.x 0.0.0.255 any eq bootpc
access-list 110 permit udp host x.x.x.x any eq isakmp
access-list 111 remark ACL_Inside_to_Outside
access-list 111 permit udp x.x.x.x 0.0.0.255 any eq isakmp
access-list 111 permit esp x.x.x.x 0.0.0.255 any
access-list 111 permit udp x.x.x.x 0.0.0.255 any eq non500-isakmp
access-list 111 permit ahp x.x.x.x 0.0.0.255 any
!
route-map SDM_RMAP_1 permit 1
match ip address 101
{....truncated}
Thanks,
05-23-2011 07:07 AM
Hi,
You need to match port 25, for SMTP. If you are using POP3, match the protocol pop3.
class-map type inspect match-any inside-outside-traffic
match protocol smtp
match protocol pop3
Hope this helps!
Regards,
Anu
P.S. Please mark the thread as resolved if the question has been answered. Do rate helpful posts.
05-23-2011 07:55 AM
Thanks for the mail.
I had tried inserting the rule before already with no luck. This is the output rule tried....
class-map type inspect match-any inside-outside-traffic
match protocol http
match protocol https
match protocol dns
match protocol icmp
match protocol ntp
match protocol smtp
match protocol pop3
match access-group 111
I've tried to debug the traffic for the ZBF to check the reasons for the firewall dropping my packets. Unfortunately I haven't found the correct syntax. Would you know the syntax to use to output the ZBF messages?
Mario
05-23-2011 07:58 AM
Hi Mario,
Turn on "ip inspect log drop" and then "sh log" to see the logs when traffic goes through the firewall. Please paste the output of "sh log" here.
Regards,
Anu
05-23-2011 08:11 AM
Great! That's the syntax I've been looking for....
Will get back once I get the correct settings.
Thanks,
05-24-2011 05:48 AM
If I add the access-list rules below to the config above, the connection works and mail is sent/received:
access-list 110 permit ip host
access-list 111 permit ip
However, this obviously allows ALL IP traffic between the exchange server and the entire local network. Should the exchange server or local network be infected with a virus, this could pass between sites without restriction. So I would prefer to specify individual ports/protocols allowed between the two sites.
Removing the new access-list and putting the configuration back to its original, the ip inspect log produces the logs below when opening an Outlook client...
%FW-6-LOG_SUMMARY: 3 packets were dropped from
%FW-6-DROP_PKT: Dropping msrpc session
GMT+1: %FW-6-DROP_PKT: Dropping tcp session
GMT+1: %FW-6-DROP_PKT: Dropping tcp session
GMT+1: %FW-6-LOG_SUMMARY: 1 packet were dropped from
GMT+1: %FW-6-LOG_SUMMARY: 3 packets were dropped from
GMT+1: %FW-6-LOG_SUMMARY: 3 packets were dropped from
%FW-6-DROP_PKT: Dropping tcp session
%FW-6-DROP_PKT: Dropping tcp session
%FW-6-LOG_SUMMARY: 3 packets were dropped from
%FW-6-LOG_SUMMARY: 3 packets were dropped from
- I don't understand why I don't see messages regarding smtp (25), pop3 (110) etc.
- This MS document indicates all the ports used by exchange servers and clients through firewalls (http://support.microsoft.com/kb/176466). It doesn't mention the ports 1020, 1040, 1165 I'm seeing above.
- Port 135 is used for RPC applications to query the port number of a service. I can allow this between sites separately.
Mario
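As an added helper that is not part of this thread: the drop lines above are truncated, but IOS ZBF "ip inspect log drop" messages normally carry the application name, the source and destination socket and the zone-pair/class that dropped the session. The script below parses lines of that shape, groups drops by destination and port (what an extended ACL entry actually needs to cover) and reports which groups a candidate set of "permit tcp ... eq port" entries would still miss. The sample log, addresses and ports are constructed; they are not the poster's values.

```python
import re
from collections import Counter

# Constructed sample in the shape of IOS "%FW-6-DROP_PKT" output (addresses,
# ports and the message tail are assumed; the post's own lines were truncated).
SAMPLE_LOG = """\
%FW-6-DROP_PKT: Dropping msrpc session 10.0.1.20:1165 10.0.2.5:135 on zone-pair inside-outside-pair class class-default due to DROP action found in policy-map
%FW-6-DROP_PKT: Dropping tcp session 10.0.1.20:1020 10.0.2.5:1025 on zone-pair inside-outside-pair class class-default due to DROP action found in policy-map
%FW-6-DROP_PKT: Dropping tcp session 10.0.1.20:1040 10.0.2.5:1025 on zone-pair inside-outside-pair class class-default due to DROP action found in policy-map
%FW-6-LOG_SUMMARY: 3 packets were dropped from 10.0.1.20:1040 => 10.0.2.5:1025 (target:class)-(inside-outside-pair:class-default)
"""

DROP_RE = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<proto>\S+) session "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)"
)

# IOS logs the inspected application name (e.g. msrpc); map it back to the transport.
L4_OF = {"msrpc": "tcp"}


def parse_drops(log_text):
    """Return (proto, src, sport, dst, dport) for every DROP_PKT line; summaries are skipped."""
    drops = []
    for line in log_text.splitlines():
        m = DROP_RE.search(line)
        if m:
            drops.append((m["proto"], m["src"], int(m["sport"]), m["dst"], int(m["dport"])))
    return drops


def summarize(drops):
    """Count dropped sessions per (proto, dst, dport): the key an ACL entry has to match.
    Source ports are deliberately ignored; they are ephemeral on the client side."""
    return Counter((proto, dst, dport) for proto, _, _, dst, dport in drops)


def uncovered(drops, allowed):
    """Return the summarize() groups whose (transport, dst, dport) is absent from `allowed`,
    a set of (transport, dst, dport) tuples, one per 'permit tcp ... host dst eq dport' entry."""
    return {
        key: n for key, n in summarize(drops).items()
        if (L4_OF.get(key[0], key[0]), key[1], key[2]) not in allowed
    }
```

Grouping by destination keeps client-side ephemeral source ports out of the ACL, and the leftover groups show what the class-default drop is really rejecting, which is the question the truncated lines could not answer.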
05-24-2011 06:24 AM
**UPDATE**
By adding only the Access-lists below to the original configuration (in my first post), the communication works perfectly between Outlook client and Remote Exchange Server, and I'm assured the communication is only on the ports listed:
access-list 111 permit tcp
access-list 111 permit tcp
access-list 111 permit tcp
access-list 111 permit tcp
I would appreciate it if someone could explain *why* this is working. I don't see the expected smtp/pop3 ports in the logs.
Regards,
Mario