11-22-2010 09:41 AM - edited 03-11-2019 12:13 PM
I'm trying to install an 871 router and having an issue with the zone based firewall. It's by default, it's denying smtp port 25 but allowing me out to the internet.
The only way I'm able to get email to work and also get internet to work is to apply an acl on the interfaces with a permit any any. I've never seen the ZBF until today, so I'm trying to readup on it and learn, but I have some questions.
Here's my setup.
Server hosts Exchange, DHCP, DNS, network files, and OMA/OWA. IP is 192.168.1.253
LAN is 192.168.1.0/24
871 Router is 192.168.1.250
Inside interface is VLAN1
Outside interface is Dialer0
Here's the current config right now. I'm not sure on what I need to edit to allow http, https, smtp.
class-map type inspect match-all sdm-nat-http-1
match access-group 101
match protocol http
class-map type inspect match-all sdm-nat-smtp-1
match access-group 102
match protocol smtp
class-map type inspect match-any SDM_WEBVPN
match access-group name SDM_WEBVPN
class-map type inspect match-all SDM_WEBVPN_TRAFFIC
match class-map SDM_WEBVPN
match access-group 104
class-map type inspect match-any sdm-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-insp-traffic
match class-map sdm-cls-insp-traffic
class-map type inspect match-any SDM-Voice-permit
match protocol h323
match protocol skinny
match protocol sip
class-map type inspect match-any sdm-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-icmp-access
match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-invalid-src
match access-group 100
class-map type inspect match-all out_to_in
match access-group 103
class-map type inspect match-all sdm-protocol-http
match protocol http
!
!
policy-map type inspect sdm-permit-icmpreply
class type inspect sdm-icmp-access
inspect
class class-default
pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
class type inspect sdm-nat-http-1
inspect
class type inspect sdm-nat-smtp-1
inspect
class type inspect out_to_in
inspect
class class-default
policy-map type inspect sdm-inspect
class type inspect sdm-invalid-src
drop log
class type inspect sdm-insp-traffic
inspect
class type inspect sdm-protocol-http
inspect
class type inspect SDM-Voice-permit
inspect
class class-default
pass
policy-map type inspect sdm-permit
class type inspect SDM_WEBVPN_TRAFFIC
inspect
class class-default
!
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security sdm-zp-out-self source out-zone destination self
service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
service-policy type inspect sdm-inspect
!
!
interface Vlan1
description $FW_INSIDE$
ip address 192.168.1.250 255.255.255.0
ip access-group 110 in
ip nat inside
ip virtual-reassembly
zone-member security in-zone
!
interface Dialer0
description $FW_OUTSIDE$
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly
zone-member security out-zone
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
!
!
access-list 1 remark SDM_ACL Category=18
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark SDM_ACL Category=0
access-list 101 permit ip any host 192.168.1.253
access-list 102 remark SDM_ACL Category=0
access-list 102 permit ip any host 192.168.1.253
access-list 103 permit ip any any
access-list 110 remark inside_access_out
access-list 110 permit ip any any
dialer-list 1 protocol ip permit
!
!
Any tips? I'm reading this article right now and trying to learn as fast as possible, but thought I'd post up hoping someone could give some guidance.
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml
When I set somethign to "inspect" does that allow it by default until it sees an issue, then drops the traffic?
FastEthernet0 is up, line protocol is down
Internet protocol processing disabled
FastEthernet1 is up, line protocol is up
Internet protocol processing disabled
FastEthernet2 is up, line protocol is down
Internet protocol processing disabled
FastEthernet3 is up, line protocol is down
Internet protocol processing disabled
FastEthernet4 is up, line protocol is up
Internet protocol processing disabled
Vlan1 is up, line protocol is up
Internet address is 192.168.1.250/24
Broadcast address is 255.255.255.255
Outgoing access list is not set
Inbound access list is 110
Loopback0 is up, line protocol is up
Internet address is 10.1.1.1/24
Broadcast address is 255.255.255.255
Outgoing access list is not set
Inbound access list is not set
NVI0 is up, line protocol is up
Interface is unnumbered. Using address of Loopback0 (10.1.1.1)
Broadcast address is 255.255.255.255
Outgoing access list is not set
Inbound access list is not set
Dialer0 is up, line protocol is up
Internet address is x.x.x.x/32
Broadcast address is 255.255.255.255
Outgoing access list is not set
Inbound access list is not set
Virtual-Access1 is up, line protocol is up
Peer address is x.x.x.x
Dialer interface is Dialer0
Solved! Go to Solution.
11-24-2010 05:48 AM
I'm a moron, it was my local firwall blocking my access.I had it setup right all along. Thanks for the help guys!
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide