SMTP can't go through

bistevins
Level 1

Hello all,

I have a topology close to the one in the diagram. The default route is through ISP1, but I need 10.0.0.2 to have its default route through ISP2. So, I've attached a route-map at G0/0.10:

interface GigabitEthernet0/0.10
 description DMZ
 encapsulation dot1Q 10
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 zone-member security DMZ
 ip policy route-map RMAP-DG_from_DMZ
end

#sh route-map RMAP-DG_from_DMZ
route-map RMAP-DG_from_DMZ, permit, sequence 10
  Match clauses:
    ip address (access-lists): ACL-1
  Set clauses:
    ip default next-hop IP.ISP.2
  Policy routing matches: 912698449 packets, 214460883 bytes

#sh ip access-lists ACL-1
Extended IP access list ACL-1
    10 permit ip host 10.0.0.2 any

Also, I've permitted the traffic through ZBF:

Policy Map type inspect PMAP-DMZ_to_ISP2
    Class CMAP-MAIL_to_ANY
      Inspect

Class Map type inspect match-any CMAP-MAIL_to_ANY
   Match access-group name ACL-MAIL

sh ip access-lists ACL-MAIL
Extended IP access list ACL-MAIL
    10 permit ip host 10.0.0.2 any

Traffic going out is NATed with our router's external IP.

The fact is I can go out to ports 80, 22, DNS, etc. using ISP2. But the one I need, tcp:25 (SMTP), doesn't pass through!

If I let 10.0.0.2 go out using ISP1 to a tcp:25 port I have no problem (there is a policy map permitting it).

What else should I look for?

IOS version on router is 12.4(13r)T10


cadet alain
VIP Alumni

Hi,

Is the traffic NATed on ISP2? Or is there something blocking in your ZBF config? ---> ip log drop-pkt

Regards.

Alain

Don't forget to rate helpful posts.

Yes, it is NATed. And I'm logging dropped packets, and nothing relevant or related to the issue appears.

Hi,

Post your running.

Regards.

Alain.

Don't forget to rate helpful posts.

I'm really sorry, but I cannot post my entire running config.

I've been cleaning up some lines to keep out some noise. But the result is the same.

There are not many ACLs between the DMZ zone and the ISP2 zone. I have even let 10.0.0.2 go out entirely (without restricting by port).

The strange thing is I can connect to any port but SMTP.

Hi,

You can try this: debug ip packet detail xxx, where xxx is a numbered ACL permitting SMTP traffic; then do the same with an ACL permitting traffic you know is working and compare the two.

Regards.

Alain.

Don't forget to rate helpful posts.

Hi, thanks for the tip. I've found this:

IP: tableid=0, s= (GigabitEthernet0/0.10), d=74.125.45.27 (Vlan2), routed via FIB      ## (vlan2 is connected to ISP1) ##
IP: s= (GigabitEthernet0/0.10), d=74.125.45.27 (vlan3), len 60, dropped by inspect   ## (vlan3 is connected to ISP2) ##
TCP src=57900, dst=25, seq=3390386607, ack=0, win=5840 SYN

But ip inspect log drop-pkt doesn't return any message.

Hi,

But ip inspect log drop-pkt doesn't return any message.

Maybe you're missing the log keyword in the inspection policy-map.

So now you know the first SYN segment is dropped due to ZBF policy.

I would classify SMTP traffic for this private IP address in a class-map, then in the policy-map I would do an inspect and apply it from the ISP2 zone to the DMZ zone.

Regards.

Alain.

Don't forget to rate helpful posts.

So now you know the first SYN segment is dropped due to ZBF policy.

I would classify SMTP traffic for this private IP address in a class-map, then in the policy-map I would do an inspect and apply it from the ISP2 zone to the DMZ zone.

If DMZ->ISP2 is inspected under a policy-map, return traffic should be accepted, right?

Anyway, a class-map in the policy-map for the ISP2->DMZ zone-pair exists for inbound traffic.

!

Zone-pair name ZP-DMZ_to_ISP2
    Source-Zone DMZ  Destination-Zone ISP2
    service-policy PMAP-DMZ_to_ISP2

Policy Map type inspect PMAP-DMZ_to_ISP2
    Class CMAP-MAIL1
      Inspect
    Class class-default

Class Map type inspect match-any CMAP-MAIL1 (id 95)
   Match access-group name ACL-MAIL1

Extended IP access list ACL-MAIL1
    10 permit ip host 10.0.0.2 any

Zone-pair name ZP-ISP2_to_DMZ
    Source-Zone ISP2  Destination-Zone DMZ
    service-policy PMAP-ISP2_to_DMZ

Policy Map type inspect PMAP-ISP2_to_DMZ
    Class CMAP-Access_to_MAIL1
      Inspect
    Class class-default

Class Map type inspect match-all CMAP-Access_to_MAIL1 (id 41)
   Match class-map CMAP-Protocols-mail1
   Match access-group name ACL-ANY_to_MAIL1

Class Map type inspect match-any CMAP-Protocols-mail1 (id 40)
   Match protocol smtp
   Match protocol pop3
   Match protocol imap
   Match protocol imaps
   Match protocol http
   Match protocol https

Extended IP access list ACL-ANY_to_MAIL1
    10 permit ip any host 10.0.0.2

Maybe something with NAT?

ip nat inside source route-map INTERNET_ISP1 interface Vlan2 overload

ip nat inside source route-map INTERNET_ISP2 interface Vlan3 overload

route-map INTERNET_ISP2, permit, sequence 50
  Match clauses:
    ip address (access-lists): 103
    interface Vlan3
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes

Extended IP access list 103
    10 permit ip host 10.0.0.2 any

route-map INTERNET_ISP1, permit, sequence 30
  Match clauses:
    ip address (access-lists): 101
    interface Vlan2
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes

Extended IP access list 101
    10 permit ip 10.0.0.0 0.0.0.255 any

In this line:

IP: tableid=0, s= (GigabitEthernet0/0.10), d=74.125.45.27 (Vlan2) routed via FIB

Shouldn't "d=74.125.45.27 (Vlan2)" be Vlan3, as that is the interface connected to ISP2? Why does it say it is connected to Vlan2?

I can't believe it only fails with SMTP destination traffic!!

Hi,

Can you post the output of the debug for working traffic like HTTP, and for SMTP again?

Can you also put a log keyword in each class in your policy-maps and see if you get a log message?

If you want to test NAT, you can do debug ip nat with an ACL as well, if I remember correctly.

Regards.

Alain.

Don't forget to rate helpful posts.

This is the output of debug ip packet detail when there is traffic toward port 22:

IP: tableid=0, s=10.0.0.2 (local), d=8.8.8.8 (Vlan2), routed via FIB
IP: s=10.0.0.2 (local), d=8.8.8.8 (Vlan2), len 40, sending
TCP src=43935, dst=22, seq=3940800076, ack=0, win=0 RST

And this is the output when sending traffic to a smtp port:

IP: tableid=0, s= (GigabitEthernet0/0.10), d=74.125.157.27 (Vlan2), routed via FIB
IP: s= (GigabitEthernet0/0.10), d=74.125.157.27 (Vlan3), len 60, dropped by inspect
TCP src=41849, dst=25, seq=2767250072, ack=0, win=5840 SYN

From 10.0.0.2 I see the Vlan3 interface IP address when I go to the www.whatismyip.com site, meaning it is using the route specified with the route-map on interface g0/0.10.

I've found that if I let 10.0.0.2 go out using router default gw it can reach remote tcp:25

cadetalain wrote:

Can you also put a log keyword in each class in your policy-maps and see if you've got a log message.

I can't find where to add the log keyword under each policy-map. Is it at class-default and adding "drop log"?
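To make the two debug ip packet detail traces above easier to compare, here is an added Python example (it is not from this thread or from Cisco) that parses that output format into per-packet records: which interface the FIB picked ("routed via FIB"), which interface the packet was actually handed to (a mismatch means the route-map on g0/0.10 overrode the routing table), and whether the ZBF inspect engine dropped it. The sample trace is constructed from the lines posted here, with hand-written "##" notes tolerated; 203.0.113.10 is a documentation-range placeholder, not an address from the thread.

```python
"""Parse Cisco IOS 'debug ip packet detail' output and summarise, per packet,
the FIB egress interface, the actual egress interface (PBR override) and the
forwarding decision (sending / dropped by inspect)."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample trace modelled on the lines posted in the thread.
# 203.0.113.10 is a documentation-range placeholder address.
SAMPLE_DEBUG = """\
IP: tableid=0, s=10.0.0.2 (local), d=8.8.8.8 (Vlan2), routed via FIB
IP: s=10.0.0.2 (local), d=8.8.8.8 (Vlan2), len 40, sending
TCP src=43935, dst=22, seq=3940800076, ack=0, win=0 RST
IP: tableid=0, s=10.0.0.2 (GigabitEthernet0/0.10), d=203.0.113.10 (Vlan2), routed via FIB   ## Vlan2 = ISP1
IP: s=10.0.0.2 (GigabitEthernet0/0.10), d=203.0.113.10 (Vlan3), len 60, sending             ## Vlan3 = ISP2
TCP src=50001, dst=80, seq=1, ack=0, win=5840 SYN
IP: tableid=0, s=10.0.0.2 (GigabitEthernet0/0.10), d=74.125.157.27 (Vlan2), routed via FIB
IP: s=10.0.0.2 (GigabitEthernet0/0.10), d=74.125.157.27 (vlan3), len 60, dropped by inspect
TCP src=41849, dst=25, seq=2767250072, ack=0, win=5840 SYN
"""

# "IP: tableid=0, s=A (in), d=B (out), routed via FIB"  (comma before "routed" is optional)
ROUTE_RE = re.compile(
    r"^IP: tableid=(?P<tid>\d+), s=(?P<src>[^\s(]*) \((?P<sin>[^)]*)\), "
    r"d=(?P<dst>[^\s(]*) \((?P<fib_out>[^)]*)\),? routed via (?P<how>\S+)"
)
# "IP: s=A (in), d=B (out), len N, <action>"
ACTION_RE = re.compile(
    r"^IP: s=(?P<src>[^\s(]*) \((?P<sin>[^)]*)\), d=(?P<dst>[^\s(]*) "
    r"\((?P<out>[^)]*)\), len (?P<len>\d+), (?P<action>.+?)\s*$"
)
# "TCP src=P, dst=Q, seq=..., ack=..., win=... FLAGS"
TCP_RE = re.compile(
    r"^TCP src=(?P<sport>\d+), dst=(?P<dport>\d+), seq=\d+, ack=\d+, "
    r"win=\d+(?: (?P<flags>.*))?$"
)


@dataclass
class Packet:
    src: str = ""
    dst: str = ""
    in_interface: str = ""
    fib_interface: str = ""   # egress interface chosen by the routing table
    out_interface: str = ""   # interface the packet was actually handed to
    length: int = 0
    action: str = ""          # e.g. "sending" or "dropped by inspect"
    sport: Optional[int] = None
    dport: Optional[int] = None
    flags: str = ""

    @property
    def dropped(self) -> bool:
        return self.action.startswith("dropped")

    @property
    def policy_routed(self) -> bool:
        # FIB chose one interface but forwarding used another: PBR overrode the table.
        return bool(self.fib_interface and self.out_interface
                    and self.fib_interface.lower() != self.out_interface.lower())


def parse_debug(text: str) -> list[Packet]:
    """Group consecutive IP/IP/TCP debug lines into Packet records."""
    packets: list[Packet] = []
    current: Optional[Packet] = None
    for raw in text.splitlines():
        line = raw.split("##", 1)[0].strip()   # drop hand-written '##' notes
        if not line:
            continue
        m = ROUTE_RE.match(line)
        if m:
            current = Packet(src=m["src"], dst=m["dst"],
                             in_interface=m["sin"], fib_interface=m["fib_out"])
            packets.append(current)
            continue
        m = ACTION_RE.match(line)
        if m:
            if current is None or current.action:      # action line without a route line
                current = Packet(src=m["src"], dst=m["dst"], in_interface=m["sin"])
                packets.append(current)
            current.out_interface = m["out"]
            current.length = int(m["len"])
            current.action = m["action"]
            continue
        m = TCP_RE.match(line)
        if m and current is not None:
            current.sport = int(m["sport"])
            current.dport = int(m["dport"])
            current.flags = m["flags"] or ""
    return packets


def describe(p: Packet) -> str:
    """One-line human-readable summary of a packet's path and fate."""
    flow = f"{p.src or '?'}:{p.sport} -> {p.dst}:{p.dport} {p.flags}".strip()
    path = (f"FIB chose {p.fib_interface}, forwarded on {p.out_interface} (policy-routed)"
            if p.policy_routed else f"forwarded on {p.out_interface}")
    return f"{flow}: {path}; {p.action}"


def inspect_drops_by_port(packets: list[Packet]) -> dict[int, int]:
    """Count packets dropped by the ZBF inspect engine, keyed by TCP destination port."""
    counts: dict[int, int] = {}
    for p in packets:
        if p.dropped and "inspect" in p.action and p.dport is not None:
            counts[p.dport] = counts.get(p.dport, 0) + 1
    return counts


if __name__ == "__main__":
    pkts = parse_debug(SAMPLE_DEBUG)
    for p in pkts:
        print(describe(p))
    print("inspect drops by destination port:", inspect_drops_by_port(pkts))
```

Run it against a pasted trace and the output makes the thread's observation explicit: both the port 80 and the port 25 SYNs from 10.0.0.2 are policy-routed from Vlan2 to Vlan3, but only the port 25 one ends in "dropped by inspect", which points at the DMZ->ISP2 inspection policy rather than at routing or NAT.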

Yes that's it. I explained myself badly sorry.

Regards.

Alain.

Don't forget to rate helpful posts.

bistevins
Level 1

Well, it's working now.

After one test after another, I found that if I inspect the TCP protocol, it works OK:

Class Map type inspect match-all CMAP-MAIL (id 108)
   Match access-group name ACL-MAIL1
   Match protocol tcp


Extended IP access list ACL-MAIL1
    10 permit ip host 10.0.0.2 any

But it doesn't work when the protocol is SMTP (?!)

Class Map type inspect match-all CMAP-MAIL (id 108)
    Match access-group name ACL-MAIL1
    Match protocol smtp

It doesn't even work when I add the SMTP protocol to the class-map when it already has the TCP match:

Class Map type inspect match-all CMAP-MAIL (id 108)
    Match access-group name ACL-MAIL1
    Match protocol tcp
    Match protocol smtp

So, basically, I think traffic wasn't permitted because it couldn't see it as part of the same session. Is it so?

The clue I found was in this post:

https://supportforums.cisco.com/thread/136381

Inspect means different things for different protocols. For example, inspect TCP means to make sure the packet is a valid TCP packet, and that a session is created to maintain the state of the connection on the router (allow SYN, SYN-ACK, and ACK to be completed to establish the connection). So, to have the basic stateful functionality of IOS FW work, as a minimum you need to have TCP/UDP inspection. However, for multichannel protocols such as FTP, the payload needs to be inspected as well to get the necessary IP and/or protocol information to be able to allow the subsequent data connection. Again, there is some application layer inspection, such as SMTP, whose purpose is to make sure the SMTP exchange across the firewall is within the protocol conformance. So, net net is, inspection serves a different purpose for each protocol.