11-04-2010 04:10 AM - edited 03-11-2019 12:04 PM
Hi Guys,
OK so I want to permit only my email servers to send out SMTP and deny SMTP for anything else, but I want everything else to go out over IP. I'm kind of confused where the deny should take place.
Or do I have to create an additional class map to match everything else on SMTP then drop that in the policy map??
Thanks in advance,
Neil
11-04-2010 11:25 AM
You don't need the "deny object HQ-LAN any".
I think it is better if you create a new class that matches on all port 25 traffic and make the action be drop, and put it UNDER the "class-map type inspect CM-SMTP_SERVERS_OUT" that inspects legit email traffic.
Does it make sense?
I hope it helps.
PK
11-04-2010 12:42 PM
Hi PK,
Thanks for the reply.
It does make sense but I'm not sure it works like that, or at least that's what I'm trying to establish.
From what I can see, it doesn't work "top down" like an ACL would. So the deny all on port 25 would also match the SMTP servers, so even though they're explicitly permitted, what's to stop them matching the deny? With the class-maps there are no sequence numbers, so it's not like you can slot in a different class above another without deleting and recreating the policy.
I really don't see how ZFW makes it easier, it's done nothing but confuse me!!
Thanks,
Neil
11-04-2010 01:32 PM
I suppose your email servers are in a DMZ? If so then you can try this:
class-map type inspect CLASS_MAIL
 match protocol smtp
class-map type inspect CLASS_INTERNET
 match not class-map CLASS_MAIL
policy-map type inspect POLICY_MAIL
 class CLASS_MAIL
  no drop
  inspect
 class class-default
  drop
policy-map type inspect POLICY_INTERNET
 class CLASS_INTERNET
  no drop
  inspect
exit
zone sec MAILSERVERS
 description my mailservers
zone sec LAN
 desc my lan
zone sec OUTSIDE
 description wan
int x/x
 zone-member sec MAILSERVERS
int x/y
 zone-member sec LAN
int x/z
 zone-member sec OUTSIDE
exit
zone-pair security DMZ_OUT source MAILSERVERS destination OUTSIDE
 service-policy type inspect POLICY_MAIL
zone-pair security LAN_OUT source LAN destination OUTSIDE
 service-policy type inspect POLICY_INTERNET
exit
11-04-2010 02:51 PM
Hi,
Thanks for the reply.
However, I do not have a DMZ and I don't have a "match not....." option. I didn't know there was such an option.
Thanks,
Neil
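For the single-LAN case (no DMZ) asked about above, here is an added example of the ordering approach PK described; it is not any poster's configuration. Classes in a ZFW policy-map are evaluated top down and the first match wins, so the permitted mail servers are matched first, remaining SMTP is dropped, and everything else is inspected. The 10.0.0.25/26 addresses, the interface names and all class/policy names are assumptions.

```cisco
! Constructed example: only these hosts may originate SMTP
ip access-list extended ACL-MAIL_SERVERS
 permit ip host 10.0.0.25 any
 permit ip host 10.0.0.26 any

! match-all: source must be a listed mail server AND protocol must be SMTP
class-map type inspect match-all CM-SMTP_SERVERS_OUT
 match access-group name ACL-MAIL_SERVERS
 match protocol smtp

! Any other SMTP (evaluated only after the class above failed to match)
class-map type inspect match-any CM-SMTP_OTHER
 match protocol smtp

! Everything else that should be allowed out
class-map type inspect match-any CM-INTERNET
 match protocol tcp
 match protocol udp
 match protocol icmp

! Order of the class statements is the order of evaluation
policy-map type inspect PM-INSIDE_TO_OUTSIDE
 class type inspect CM-SMTP_SERVERS_OUT
  inspect
 class type inspect CM-SMTP_OTHER
  drop log
 class type inspect CM-INTERNET
  inspect
 class class-default
  drop

zone security INSIDE
zone security OUTSIDE
interface GigabitEthernet0/0
 zone-member security INSIDE
interface GigabitEthernet0/1
 zone-member security OUTSIDE

zone-pair security INSIDE_TO_OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect PM-INSIDE_TO_OUTSIDE
```

The "drop log" action on CM-SMTP_OTHER gives a syslog record of hosts attempting direct outbound SMTP, which is useful for spotting misconfigured or compromised workstations.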