07-02-2014 07:50 AM - edited 03-04-2019 11:16 PM
Hi,
could someone please advise how to change the next-hop for incoming SMTP traffic? I've successfully created a PBR to redirect customer SMTP traffic to a different next-hop:
--------------------------------------------------
C6509#access-list 150 permit tcp 85.175.191.0 0.0.0.255 any eq smtp (customer LAN is 85.175.191.0/24; from customer to the internet)
C6509#access-list 160 permit tcp any 85.175.191.0 0.0.0.255 eq smtp (from the internet to customer LAN; doesn't work!)
C6509#route-map MAIL-Redirect permit 10
C6509#match ip address 150
C6509#set ip next-hop 20.10.10.10
C6509#route-map MAIL-Redirect permit 20
C6509#match ip address 160
C6509#set ip next-hop 20.10.10.10
C6509#interface Vlan100
C6509#ip address 85.175.191.1 255.255.255.0
C6509#ip policy route-map MAIL-Redirect
--------------------------------------------------
Redirect customer SMTP traffic from inside to the internet works as expected:
--------------------------------------------------
IP: s=85.175.191.111 (Vlan16), d=173.19.66.27, len 60, FIB policy match
IP: s=85.175.191.111 (Vlan16), d=173.19.66.27, len 60, PBR Counted
IP: s=85.175.191.111 (Vlan16), d=173.19.66.27, g=20.10.10.10, len 60, FIB policy routed
C6509#sh access-list 150
Extended IP access list 150
10 permit tcp 85.175.191.0 0.0.0.255 any eq smtp (17 matches)
--------------------------------------------------
But the other direction (SMTP traffic coming in from the internet to 85.175.191.0/24) doesn't seem to be working:
--------------------------------------------------
C6509#sh access-list 160
Extended IP access list 160
10 permit tcp any 5.175.191.0 0.0.0.255 eq smtp
--------------------------------------------------
Any ideas?
Thanks,
Thomas
07-03-2014 01:16 AM
I think it's because PBR must be configured on the interface receiving the traffic; try configuring PBR on the WAN interface (obviously you can split the route-map into two route-maps: one for incoming traffic (used on the WAN interface) and one for outgoing traffic (used on VLAN 100)).
Let me know, bye,
enrico
PS: please rate if useful
07-03-2014 02:08 AM
Hi,
thanks, but the router has multiple WAN interfaces (3x BGP full table).
Regards,
Thomas
07-03-2014 04:11 AM
Why can't you configure PBR on all WAN interfaces?
Another thing I can't understand is why incoming and outgoing traffic has to be routed to the same next-hop 20.10.10.10. Could you clarify?
07-03-2014 09:06 AM
The next-hop (the same for IN and OUT traffic) is an anti-spam gateway. SMTP traffic from the customer out to the internet should pass through the gateway and spam should be filtered out. SMTP traffic from the internet to the customer should be prefiltered too. That's the idea behind it :-)
07-04-2014 02:00 AM
Thanks, did you fix the problem using Kazim's suggestion?
enrico
07-03-2014 06:01 AM
Please change the ACL:
no access-list 160 permit tcp any 85.175.191.0 0.0.0.255 eq smtp
access-list 160 permit tcp any eq smtp 85.175.191.0 0.0.0.255
HTH
kazim
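The two points the thread turns on are that `ip policy route-map` only evaluates packets entering the interface it is applied to (Enrico's reply), and that in an extended ACL the position of `eq smtp` decides whether the source or the destination port is matched (Kazim's reply). The Python model below is an added illustration, not Cisco code or configuration from the thread: it parses the thread's own `access-list` lines, applies a route-map only at the ingress interface, and reports which next-hop each sample packet gets. The WAN interface names (Gi1/1, Gi1/2), the customer mail-server address 85.175.191.25 and the ephemeral ports are constructed for the example; the other addresses are the thread's.

```python
"""Toy model of IOS extended ACL matching and ingress-interface PBR (added example).

Not Cisco code. It reproduces two behaviours the thread relies on:
  1. a route-map applied with `ip policy route-map` is consulted only for
     packets that ENTER that interface (Vlan100 here), never for packets
     arriving from a WAN port;
  2. in `access-list N permit tcp SRC [eq P] DST [eq P]` the position of
     `eq smtp` selects the SOURCE port or the DESTINATION port.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SMTP = 25
PORT_NAMES = {"smtp": SMTP}


@dataclass(frozen=True)
class Packet:
    ingress: str          # interface the packet arrives on
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class AclEntry:
    src_net: ipaddress.IPv4Network
    sport: Optional[int]  # None means any port
    dst_net: ipaddress.IPv4Network
    dport: Optional[int]

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in self.src_net
                and ipaddress.ip_address(p.dst) in self.dst_net
                and (self.sport is None or p.sport == self.sport)
                and (self.dport is None or p.dport == self.dport))


def _net(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse `any` or `ADDR WILDCARD` at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    addr, wildcard = tokens[i], tokens[i + 1]
    # An IOS wildcard mask is the bitwise inverse of the subnet mask.
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), i + 2


def _port(tokens: List[str], i: int) -> Tuple[Optional[int], int]:
    """Parse an optional `eq PORT` at tokens[i]; return (port or None, next index)."""
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        port = int(name) if name.isdigit() else PORT_NAMES.get(name)
        if port is None:
            raise ValueError(f"unknown port name {name!r}")
        return port, i + 2
    return None, i


def parse_ace(line: str) -> AclEntry:
    """Parse one `access-list N permit tcp SRC [eq P] DST [eq P]` line (permit/tcp only)."""
    t = line.split()
    if t[0] != "access-list" or t[2] != "permit" or t[3] != "tcp":
        raise ValueError(f"unsupported ACL syntax: {line}")
    src, i = _net(t, 4)
    sport, i = _port(t, i)
    dst, i = _net(t, i)
    dport, i = _port(t, i)
    return AclEntry(src, sport, dst, dport)


# A route-map is modelled as an ordered list of (ACL entry, next-hop) clauses;
# the policy table maps an interface name to the route-map applied there.
Policy = Dict[str, List[Tuple[AclEntry, str]]]


def policy_route(p: Packet, policy: Policy) -> Optional[str]:
    """Return the PBR next-hop for p, or None when normal routing applies."""
    for ace, next_hop in policy.get(p.ingress, []):   # only the ingress interface's map
        if ace.matches(p):
            return next_hop
    return None


def hit_counts(aces: List[AclEntry], packets: List[Packet]) -> List[int]:
    """Per-entry match counters, the equivalent of the `(N matches)` in `sh access-list`."""
    return [sum(1 for p in packets if ace.matches(p)) for ace in aces]


# The thread's ACL lines, parsed verbatim.
ACL150 = parse_ace("access-list 150 permit tcp 85.175.191.0 0.0.0.255 any eq smtp")
ACL160_ORIG = parse_ace("access-list 160 permit tcp any 85.175.191.0 0.0.0.255 eq smtp")
ACL160_KAZIM = parse_ace("access-list 160 permit tcp any eq smtp 85.175.191.0 0.0.0.255")
GATEWAY = "20.10.10.10"

# Constructed sample packets (Gi1/1 and 85.175.191.25 are assumptions, not from the thread).
OUTBOUND = Packet("Vlan100", "85.175.191.111", 51000, "173.19.66.27", SMTP)  # customer -> internet MX
INBOUND_WAN = Packet("Gi1/1", "173.19.66.27", 48000, "85.175.191.25", SMTP)  # internet -> customer MX
REPLY_WAN = Packet("Gi1/1", "173.19.66.27", SMTP, "85.175.191.111", 51000)   # MX reply to OUTBOUND


def thread_config() -> Policy:
    """The original post: MAIL-Redirect (ACL 150 and 160) applied on Vlan100 only."""
    return {"Vlan100": [(ACL150, GATEWAY), (ACL160_ORIG, GATEWAY)]}


def wan_config(inbound_ace: AclEntry) -> Policy:
    """Enrico's split: outbound map on Vlan100, inbound map on every WAN interface."""
    return {"Vlan100": [(ACL150, GATEWAY)],
            "Gi1/1": [(inbound_ace, GATEWAY)],
            "Gi1/2": [(inbound_ace, GATEWAY)]}


if __name__ == "__main__":
    for name, policy in [("thread", thread_config()),
                         ("wan+orig160", wan_config(ACL160_ORIG)),
                         ("wan+kazim160", wan_config(ACL160_KAZIM))]:
        for label, pkt in [("outbound", OUTBOUND), ("inbound", INBOUND_WAN), ("reply", REPLY_WAN)]:
            print(f"{name:13} {label:9} -> {policy_route(pkt, policy)}")
```

Running it shows that with the original configuration only the outbound packet is policy-routed, because the inbound packet enters a WAN interface that carries no policy; moving ACL 160 to the WAN interfaces makes the original entry (`... eq smtp` after the destination) select connections to port 25 on the customer LAN, while Kazim's entry (`eq smtp` after `any`) selects packets whose source port is 25, i.e. the replies of remote mail servers to the customer's outgoing sessions. `hit_counts` is the check to run after each change: an entry that keeps showing zero matches in `sh access-list` is not seeing the traffic it was written for, and the SMTP flow is bypassing the anti-spam gateway.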