06-13-2013 03:15 AM - edited 03-11-2019 06:57 PM
hi all,
we have a router using VRF and ZBF. for some reason ESMTP port 587 works but not SMTP port 25.
telnet abc.com. 587
220 abc.com Microsoft ESMTP MAIL Service ready at Wed, 12 Jun 2013 16:47:45 +0800
ehlo abc.com
250-abc.com Hello [192.168.10.26]
250-SIZE 10485760
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-AUTH GSSAPI NTLM
250-8BITMIME
250-BINARYMIME
250 CHUNKING
----
$ telnet abc.com 25
Trying 203.x.x.x...
Connected to abc.com (203.x.x.x).
Escape character is '^]'.
220 A13001HSB.x.x.x Microsoft ESMTP MAIL Service ready at Thu, 13 Jun 2013 17:50:49 +0800
ehlo
500 5.3.3 Unrecognized command
i'm still reviewing the setup and maybe someone can point me where to look.
below is the ACL and will post other config if needed. TIA!
Extended IP access list ABC_IN
10 permit tcp any 203.x.x.x 0.0.0.7 eq 3389
20 permit tcp any 203.x.x.x 0.0.0.7 eq smtp
30 permit tcp any 203.x.x.x 0.0.0.7 eq 587
40 permit tcp any 203.x.x.x 0.0.0.7 eq 993
50 permit tcp any 203.x.x.x 0.0.0.7 eq 443
60 permit tcp 10.130.0.0 0.0.255.255 203.x.x.x 0.0.0.7 eq 3389
70 permit tcp 203.y.y.y 0.0.0.255 203.x.x.x 0.0.0.7 eq 3389
80 permit tcp 203..y.y.y 0.0.0.255 203.x.x.x 0.0.0.7 eq 3389
90 permit tcp 203..y.y.y 0.0.0.255 203.x.x.x 0.0.0.7 eq 3389
100 permit tcp 203..y.y.y 0.0.0.255 203.x.x.x 0.0.0.7 eq 3389
110 permit tcp host 125.z.z.z 203.x.x.x 0.0.0.7 eq www
120 permit tcp host 125.z.z.z 203.x.x.x 0.0.0.7 eq 443
130 permit tcp host 125.z.z.z 203.x.x.x 0.0.0.7 eq 10050
140 permit tcp host 125.z.z.z 203.x.x.x 0.0.0.7 eq 10051
----
Extended IP access list ABC_OUT
10 permit tcp 203.x.x.x 0.0.0.7 any eq www
20 permit tcp 203.x.x.x 0.0.0.7 any eq 443
30 permit tcp 203.x.x.x 0.0.0.7 any eq smtp
40 permit tcp 203.x.x.x 0.0.0.7 any eq 587
50 permit tcp 203.x.x.x 0.0.0.7 any eq 587
60 permit tcp 203.x.x.x 0.0.0.7 any eq smtp
70 permit tcp 203.x.x.x 0.0.0.7 any eq 993
80 permit tcp 203.x.x.x 0.0.0.7 any eq 993
----
when VRF and ZBF are removed and the port is assigned to public or the OUT zone, both ports work:
interface GigabitEthernet0/2
no ip vrf forwarding ABC
no zone-member security ABC
zone-member security OUT
ip address 203.x.x.x 255.255.255.248
06-13-2013 10:00 AM
Hello,
What you post does not work,
I need the entire configuration so I can see the Policy-map, class-map , etc configuration,
Regards
Remember to rate all of the helpful posts. 
 
For this community that's as important as a thanks.
06-13-2013 07:24 PM
hi,
i know you'd say that. it's kinda hard to omit data on the ZBF policies.
i gotta feeling this might be an IOS issue. let me tshoot further. thanks!
06-13-2013 08:20 PM
Hello,
Sure,
Remember to add the command
ip inspect log drop-pkt so u can see the packets getting dropped in the logging events, then u will know where to look.
Regards,
Remember to rate all of the helpful posts. 
 
For this community that's as important as a thanks.
06-13-2013 08:35 PM
hi,
this is a great command and thanks for the tip!
06-13-2013 08:42 PM
Hello John,
My pleasure to help,
U can then use the
show logging | include x.x.x.x (IP being used on the communication to find the cause of the issue, it will always point why this is failing, that's the greatest thing about ZBFW)
Any other question u can let me know
Remember to rate all of the helpful posts. 
 
For this community that's as important as a thanks.
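The troubleshooting workflow from the two replies above (enable ip inspect log drop-pkt, then run show logging | include <address> to see why the firewall is dropping the session) as an added Python example; this is not code from the thread or from Cisco IOS. It reads captured syslog text, applies the equivalent of the "| include" filter, and tallies %FW-6-DROP_PKT lines by destination port, zone-pair, class and drop reason, so a port-25-only failure stands out next to working port 587 sessions. The log lines below are constructed for the example (documentation addresses, placeholder zone-pair and class names); only the message shape follows the IOS %FW-6-DROP_PKT format.

```python
import re
from collections import Counter

# Constructed sample of "show logging" output (not from the thread). Addresses are
# RFC 5737 documentation ranges; zone-pair and class names are placeholders.
SAMPLE_LOG = """\
*Jun 13 09:50:12.101: %FW-6-DROP_PKT: Dropping tcp session 192.0.2.10:51234 203.0.113.5:25 on zone-pair ABC-OUT class class-default due to  Policy-reject with ip ident 0
*Jun 13 09:50:13.220: %FW-6-SESS_AUDIT_TRAIL_START: Start tcp session: initiator (192.0.2.10:51240) -- responder (203.0.113.5:587)
*Jun 13 09:50:14.005: %FW-6-DROP_PKT: Dropping tcp session 192.0.2.10:51241 203.0.113.5:25 on zone-pair ABC-OUT class class-default due to  Policy-reject with ip ident 0
*Jun 13 09:50:15.330: %FW-6-DROP_PKT: Dropping tcp session 198.51.100.7:40000 203.0.113.9:3389 on zone-pair OUT-ABC class CM-RDP due to  Invalid Segment with ip ident 4
"""

# Shape of the drop message that "ip inspect log drop-pkt" makes the router emit.
DROP_RE = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<proto>\w+) session "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"on zone-pair (?P<zp>\S+) class (?P<cls>\S+) due to\s+(?P<reason>.+?)"
    r" with ip ident"
)


def include(lines, needle):
    """Same effect as 'show logging | include <needle>': keep matching lines only."""
    return [ln for ln in lines if needle in ln]


def parse_drop(line):
    """Return the fields of a %FW-6-DROP_PKT line, or None for any other line."""
    m = DROP_RE.search(line)
    if m is None:
        return None
    d = m.groupdict()
    d["sport"] = int(d["sport"])
    d["dport"] = int(d["dport"])
    return d


def drop_summary(log_text, host):
    """Count drops involving <host>, keyed by proto, dst port, zone-pair, class, reason."""
    counts = Counter()
    for ln in include(log_text.splitlines(), host):
        d = parse_drop(ln)
        if d is None:  # audit-trail and other messages are filtered but not drops
            continue
        counts[(d["proto"], d["dport"], d["zp"], d["cls"], d["reason"])] += 1
    return counts


def report(log_text, host):
    """Human-readable table of the summary, one line per distinct drop signature."""
    rows = []
    for (proto, dport, zp, cls, reason), n in sorted(drop_summary(log_text, host).items()):
        rows.append(f"{n:4d} drops  {proto}/{dport:<5} zone-pair {zp:<8} "
                    f"class {cls:<14} reason: {reason}")
    return "\n".join(rows)


if __name__ == "__main__":
    # Filter on the mail server's address, as the reply suggests.
    print(report(SAMPLE_LOG, "203.0.113.5"))
```

With the sample above the report shows two drops to tcp/25 on zone-pair ABC-OUT with reason Policy-reject and nothing for port 587, which is the pattern to expect when an inspect policy or zone-pair is missing for one service but present for the other; the zone-pair and class named in the line tell you which policy-map to read next.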