Zone Based Firewall - how to deny

neilobrien
Level 1

Hi Guys,

OK, so I want to permit only my email servers to send out SMTP and deny SMTP for anything else, but I want everything else to go out over IP. I'm kind of confused where the deny should take place.


ip access-list extended SMTP_SERVERS_OUT
   permit ip object-group SMTP_SERVERS_OUT any
   deny ip object-group HQ-LAN any          <<<<--------- Will this deny everything else sending SMTP, or just stop it being matched in the policy map?

class-map type inspect match-all CM-SMTP_SERVERS_OUT
   match access-group name SMTP_SERVERS_OUT
   match protocol smtp

policy-map type inspect OUTBOUND-TRAFFIC
   class type inspect CM-SMTP_SERVERS_OUT
      inspect
   class class-default
      inspect

Or do I have to create an additional class map to match everything else on SMTP and then drop that in the policy map?

Thanks in advance,

Neil

4 Replies

Panos Kampanakis
Cisco Employee

You don't need the "deny object HQ-LAN any".

I think it is better if you create a new class that matches on all port 25 traffic and make the action be drop, and put it UNDER the "class-map type inspect CM-SMTP_SERVERS_OUT" that inspects legit email traffic.

Does it make sense?

I hope it helps.

PK
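The layout PK describes, written out in full as an added example that is not from the thread: the zone, interface and policy names and the mail server addresses (192.0.2.10 and .11, on the inside network rather than a DMZ) are assumptions.

```cisco
! Added example, not from the original thread. Assumed addresses and names:
! mail servers 192.0.2.10 and .11 on the inside, Gi0/0 = inside, Gi0/1 = outside.
object-group network SMTP_SERVERS
 host 192.0.2.10
 host 192.0.2.11
!
! Only "permit" entries count for class matching. A "deny" line here would
! only keep traffic out of the class; it never drops anything by itself.
ip access-list extended ACL-SMTP-SERVERS
 permit ip object-group SMTP_SERVERS any
!
! Class 1: SMTP from the mail servers. match-all means both conditions
! must be true, so other hosts' SMTP does not land here.
class-map type inspect match-all CM-SMTP-FROM-SERVERS
 match access-group name ACL-SMTP-SERVERS
 match protocol smtp
!
! Class 2: any other SMTP. It is listed after class 1 in the policy,
! so the mail servers are classified before they can reach it.
class-map type inspect match-all CM-SMTP-OTHER
 match protocol smtp
!
! Classes are evaluated top-down and the first match wins, so the
! order of the class statements is what enforces the exception.
policy-map type inspect PM-INSIDE-TO-OUTSIDE
 class type inspect CM-SMTP-FROM-SERVERS
  inspect
 class type inspect CM-SMTP-OTHER
  drop log
 class class-default
  inspect
!
zone security INSIDE
zone security OUTSIDE
!
interface GigabitEthernet0/0
 zone-member security INSIDE
interface GigabitEthernet0/1
 zone-member security OUTSIDE
!
zone-pair security INSIDE-TO-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect PM-INSIDE-TO-OUTSIDE
```

`show policy-map type inspect zone-pair INSIDE-TO-OUTSIDE` shows per-class packet counters, so a test SMTP session from a non-server host should increment the drop counter of CM-SMTP-OTHER while the servers' sessions count against CM-SMTP-FROM-SERVERS.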

Hi PK,

Thanks for the reply.

It does make sense but I'm not sure it works like that, or at least that's what I'm trying to establish.

From what I can see, it doesn't work "top down" like an ACL would. So the deny all on port 25 would also match the SMTP servers, so even though they're explicitly permitted, what's to stop them matching the deny? With the class-maps there's no sequence numbers, so it's like you can slot in a different class above another without deleting and recreating the policy.

I really don't see how ZFW makes it easier, it's done nothing but confuse me!!

Thanks,

Neil

I suppose your email servers are in a DMZ? If so, then you can try this:

class-map type inspect CLASS_MAIL
 match protocol smtp
class-map type inspect CLASS_INTERNET
 match not class-map CLASS_MAIL
!
policy-map type inspect POLICY_MAIL
 class type inspect CLASS_MAIL
  no drop
  inspect
 class class-default
  drop
policy-map type inspect POLICY_INTERNET
 class type inspect CLASS_INTERNET
  no drop
  inspect
!
zone security MAILSERVERS
 description my mailservers
zone security LAN
 description my lan
zone security OUTSIDE
 description wan
!
interface x/x
 zone-member security MAILSERVERS
interface x/y
 zone-member security LAN
interface x/z
 zone-member security OUTSIDE
!
zone-pair security DMZ_OUT source MAILSERVERS destination OUTSIDE
 service-policy type inspect POLICY_MAIL
zone-pair security LAN_OUT source LAN destination OUTSIDE
 service-policy type inspect POLICY_INTERNET

Don't forget to rate helpful posts.

Hi,

Thanks for the reply.

However, I don't have a DMZ and I don't have a "match not....." option. I didn't know there was such an option.

Thanks,

Neil
