Zone based Firewall question allow incoming port 25

peshman877
Level 1

Howdy,

New to this, so please be nice.

I have a ZBF (see below) that doesn't allow the incoming email port (25), even though I have allowed it, at least I think I have, anyway. So I'm hoping some smart people out there can offer some advice.

class-map type inspect match-any CM-WAN-TO-LAN is the map in question; it allows HTTPS traffic and RDP but not SMTP.

thanks in advance

cheers

peter

------------------------------

sh run

version 15.2
service config
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
boot-start-marker
boot-end-marker
!
!
security authentication failure rate 10 log
security passwords min-length 6
logging console critical
enable secret 4 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
enable password 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
aaa new-model
!
!
aaa authentication login local_auth local
!
!
!
!
!
aaa session-id common
!
no ip source-route
no ip gratuitous-arps
ip cef
!
!
ip port-map user-RDP port tcp 3389
!
!
!
!
no ip bootp server
ip domain name xxx.xxxxxxx.xxxx.xxx
ip name-server 8.8.8.8
ip name-server 203.238.0.10
ip name-server 8.8.4.4
ip name-server 203.138.0.11
ip inspect audit-trail
ip inspect udp idle-time 1800
ip inspect dns-timeout 7
ip inspect tcp idle-time 14400
ip inspect name autosec_inspect ftp timeout 3600
ip inspect name autosec_inspect http timeout 3600
ip inspect name autosec_inspect rcmd timeout 3600
ip inspect name autosec_inspect realaudio timeout 3600
ip inspect name autosec_inspect smtp timeout 3600
ip inspect name autosec_inspect tftp timeout 30
ip inspect name autosec_inspect udp timeout 15
ip inspect name autosec_inspect tcp timeout 3600
login block-for 10 attempts 5 within 10
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
license udi pid CISCO1941/K9 sn AAAAAAAAAAAAAAAAAA
!
!
archive
log config
logging enable
username lhcadm privilege 15 password 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
redundancy
!
!
!
!
!
controller VDSL 0/1/0
!
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect match-any CM-Ping
match access-group name ACL-ICMPEcho
class-map type inspect match-any CM-LAN-TO-WAN
match protocol icmp
match protocol tcp
match protocol udp
match protocol http
match protocol https
match protocol pop3
match protocol pop3s
match protocol smtp
match protocol ftp
match protocol dns
class-map type inspect match-any CM-WAN-TO-LAN
match protocol user-RDP
match protocol smtp
match protocol https
match access-group 102
class-map type inspect match-any CM-RouterMngmnt
match access-group name ACL-MngmntProtocols
!
policy-map type inspect PM-WAN-TO-ROUTER
class type inspect CM-Ping
inspect
class class-default
drop log
policy-map type inspect PM-LAN-TO-ROUTER
class type inspect CM-RouterMngmnt
inspect
class class-default
drop
policy-map type inspect PM-WAN-TO-LAN
class type inspect CM-WAN-TO-LAN
inspect
class class-default
drop log
policy-map type inspect PM-LAN-TO-WAN
class type inspect CM-LAN-TO-WAN
inspect
class class-default
drop
policy-map type inspect PM-ROUTER-TO-LAN
class type inspect CM-RouterMngmnt
inspect
class class-default
drop
!
zone security LAN
zone security WAN
zone-pair security ZP-LAN-TO-WAN source LAN destination WAN
service-policy type inspect PM-LAN-TO-WAN
zone-pair security ZP-WAN-TO-LAN source WAN destination LAN
service-policy type inspect PM-WAN-TO-LAN
zone-pair security ZP-LAN-TO-ROUTER source LAN destination self
service-policy type inspect PM-LAN-TO-ROUTER
zone-pair security ZP-ROUTER-TO-LAN source self destination LAN
service-policy type inspect PM-ROUTER-TO-LAN
!
interface Embedded-Service-Engine0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
no mop enabled
!
interface GigabitEthernet0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/1
description == [LAN Interface]==
ip address 10.10.10.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
zone-member security LAN
duplex auto
speed auto
no mop enabled
!
interface ATM0/1/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
no atm ilmi-keepalive
!
interface ATM0/1/0.1 point-to-point
no ip redirects
no ip unreachables
no ip proxy-arp
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface Ethernet0/1/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
no mop enabled
!
interface Dialer0
description ==[Outside Interface - Firewall Interface]
ip address 1.1.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip verify unicast source reachable-via rx allow-default 101
ip nat outside
ip virtual-reassembly in
zone-member security WAN
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname XXXXXXXXXXXXXXXX
ppp chap password 7 XXXXXXXXXXXXXXXXXXX
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list 100 interface Dialer0 overload
ip nat inside source static tcp 10.10.10.30 25 1.1.1.1 25 extendable
ip nat inside source static tcp 10.10.10.27 443 1.1.1.1 443 extendable
ip nat inside source static tcp 10.10.10.13 3389 1.1.1.1 3389 extendable
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list extended ACL-ICMPEcho
permit icmp any any echo
ip access-list extended ACL-MngmntProtocols
permit tcp any any eq 22
permit tcp any any eq www
permit tcp any any eq 443
permit icmp any any echo
permit udp any any eq tftp
!
logging trap debugging
logging facility local2
access-list 100 remark == [Control NAT Service] ==
access-list 100 deny ip 10.10.10.0 0.0.0.255 172.16.20.0 0.0.0.255
access-list 100 permit ip 10.10.10.0 0.0.0.255 any
access-list 101 permit udp any any eq bootpc
access-list 102 remark =={incoming }==
access-list 102 permit ip any host 10.10.10.30
access-list 102 permit ip any host 10.10.10.13
access-list 102 permit ip any host 10.10.10.27
access-list 102 deny ip any any
no cdp run
!
!
!
!
!
control-plane
!
!
banner motd ^Cyou are connected to the XXX network^C
!
line con 0
exec-timeout 5 0
password 7 XXXXXXXXXXXXXXXXXXXXXX
login authentication local_auth
transport output telnet
line aux 0
exec-timeout 15 0
login authentication local_auth
transport output telnet
line 2
exec-timeout 15 0
login authentication local_auth
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 3
password 7 XXXXXXXXXXXXXXXXXXXXXXX
login authentication local_auth
transport input telnet ssh
transport output all
line vty 4
password 7 XXXXXXXXXXXXXXXXXXX
login authentication local_auth
transport input telnet ssh
transport output all
!
scheduler allocate 20000 1000
!
end

----------------------------------------

Would the class-map/ACL below be a better combination?

class-map type inspect match-any CM-WAN-TO-LAN
 match access-group 102
policy-map type inspect PM-WAN-TO-LAN
 class type inspect CM-WAN-TO-LAN
  inspect

access-list 102 remark =={incoming }==
access-list 102 permit tcp any host 10.10.10.30 eq 25
access-list 102 permit tcp any host 10.10.10.13 eq user-RDP or 3389   <<<< should this be the user-defined port (user-RDP) or just plain 3389?
access-list 102 permit tcp any host 10.10.10.27 eq 443
access-list 102 deny ip any any

1 Reply

johnlloyd_13
Level 9

Hi,

Could you try:

policy-map type inspect PM-WAN-TO-LAN
 class type inspect CM-WAN-TO-LAN
  pass

interface Dialer0
 no ip verify unicast source reachable-via rx allow-default 101
 ip verify unicast source reachable-via rx allow-default
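As an added example (not code from the thread), a small Python tracer that reads the relevant lines of the poster's config and reports what the WAN-to-LAN policy does with an inbound TCP port: which static NAT entry it hits, which match line of CM-WAN-TO-LAN (a protocol name resolved through the port-map, or access-group 102) claims it, and the policy action. The config excerpt and the protocol-to-port table inside it are constructed from the posted config; run against it, the tracer shows port 25 is already classified and inspected, which is why the next things to check are the inspection action and the uRPF line on Dialer0 that the reply touches.

```python
from collections import defaultdict
# Constructed excerpt of the thread's running config, trimmed to the lines a WAN->LAN decision uses.
CONFIG = """
ip port-map user-RDP port tcp 3389
class-map type inspect match-any CM-WAN-TO-LAN
 match protocol user-RDP
 match protocol smtp
 match protocol https
 match access-group 102
policy-map type inspect PM-WAN-TO-LAN
 class type inspect CM-WAN-TO-LAN
  inspect
ip nat inside source static tcp 10.10.10.30 25 1.1.1.1 25 extendable
ip nat inside source static tcp 10.10.10.13 3389 1.1.1.1 3389 extendable
access-list 102 permit ip any host 10.10.10.30
access-list 102 permit ip any host 10.10.10.13
access-list 102 deny ip any any
"""

def parse(cfg):  # collect port-maps, class-map match lines, policy actions, static NAT and ACL entries
    d = {"portmap": {"smtp": 25, "https": 443}, "matches": defaultdict(list), "action": {}, "nat": {}, "acl": defaultdict(list)}
    cm = pc = None  # current class-map / current class inside a policy-map
    for t in (l.split() for l in cfg.splitlines() if l.strip()):
        if t[:2] == ["ip", "port-map"]: d["portmap"][t[2]] = int(t[5])
        elif t[0] == "class-map": cm = t[-1]
        elif t[0] == "policy-map": cm = None
        elif t[0] == "class": pc = t[-1]                  # 'class type inspect X' or 'class class-default'
        elif t[0] in ("inspect", "pass", "drop") and pc: d["action"][pc] = t[0]
        elif t[0] == "match" and cm: d["matches"][cm].append((t[1], t[-1]))
        elif t[:5] == ["ip", "nat", "inside", "source", "static"]: d["nat"][(t[8], int(t[9]))] = (t[6], int(t[7]))
        elif t[0] == "access-list": d["acl"][t[1]].append(t[2:])
    return d

def acl_permits(entries, host, port):  # first-match evaluation of an extended ACL for TCP from any source to host:port
    for e in entries:
        action, proto, rest = e[0], e[1], e[3:]          # e[2] (the source) is 'any' throughout this thread
        dst, rest = (rest[1], rest[2:]) if rest[0] == "host" else (None, rest[1:])  # None = any destination
        eq = int(rest[1]) if rest[:1] == ["eq"] else None  # numeric port after 'eq', or no port restriction
        if proto in ("ip", "tcp") and dst in (None, host) and eq in (None, port):
            return action == "permit"
    return False

def inbound_decision(cfg, wan_ip, port, cm="CM-WAN-TO-LAN"):
    d = parse(cfg)  # trace WAN->LAN TCP to wan_ip:port: static NAT, then the class-map's matches, then the policy action
    if (wan_ip, port) not in d["nat"]: return "no static NAT for %s:%d" % (wan_ip, port)
    host, iport = d["nat"][(wan_ip, port)]
    for kind, arg in d["matches"][cm]:   # match-any: the first matching line decides
        hit = d["portmap"].get(arg) == iport if kind == "protocol" else acl_permits(d["acl"][arg], host, iport)
        if hit: return "%s via '%s %s' -> %s:%d" % (d["action"].get(cm, "drop"), kind, arg, host, iport)
    return "drop (class-default)"
```

acl_permits also evaluates the poster's proposed port-specific ACL lines; it takes a numeric port after eq (the plain-3389 form of the question), and port-map names such as user-RDP are resolved only on match protocol lines.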
