05-02-2011 02:14 PM - edited 03-04-2019 12:14 PM
Hello all,
I have a topology close to the one in the diagram. Default route is through ISP1, but I need 10.0.0.2 to have its default through ISP2. So, I've attached a route-map at G0/0.10:
interface GigabitEthernet0/0.10
description DMZ
encapsulation dot1Q 10
ip address 10.0.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security DMZ
ip policy route-map RMAP-DG_from_DMZ
end
#sh route-map RMAP-DG_from_DMZ
route-map RMAP-DG_from_DMZ, permit, sequence 10
Match clauses:
ip address (access-lists): ACL-1
Set clauses:
ip default next-hop IP.ISP.2
Policy routing matches: 912698449 packets, 214460883 bytes
#sh ip access-lists ACL-1
Extended IP access list ACL-1
10 permit ip host 10.0.0.2 any
Also, I've permitted traffic through ZBF:
Policy Map type inspect PMAP-DMZ_to_ISP2
Class CMAP-MAIL_to_ANY
Inspect
CMAP-MAIL_to_ANY
Class Map type inspect match-any CMAP-MAIL_to_ANY
Match access-group name ACL-MAIL
sh ip access-lists ACL-MAIL
Extended IP access list ACL-MAIL
10 permit ip host 10.0.0.2 any
Traffic going out is NATed with our router's external IP.
Fact is I can go out to port 80, 22, DNS, etc. using ISP2. But the one I need, tcp:25 (SMTP), doesn't pass through!
If I let 10.0.0.2 go out using ISP1 to a tcp:25 port I have no problem (there is a policy map permitting it).
What else should I look for?
IOS version on router is 12.4(13r)T10
05-03-2011 02:34 AM
Hi,
Is the traffic NATed on ISP2? Or is there something blocking in your ZBF config? ---> ip log drop-pkt
Regards.
Alain
05-03-2011 05:27 AM
Yes, it is NATed. And I've been logging dropped packets and nothing relevant or related to the issue appears.
05-03-2011 05:51 AM
Hi,
Post your running.
Regards.
Alain.
05-03-2011 07:12 PM
I'm really sorry but I can not post my entire running config.
I've been cleaning up some lines to keep out some noise. But result is the same.
There is not much ACL between the DMZ zone and the ISP2 zone. I have even let 10.0.0.2 go out entirely (without restricting by port).
The strange thing is I can connect to any port but SMTP.
05-03-2011 11:42 PM
Hi,
You can try this: debug ip packet detail xxx, where xxx is a numbered ACL permitting SMTP traffic, then do the same with an ACL permitting traffic you know is working and compare the 2.
Regards.
Alain.
05-04-2011 06:44 AM
Hi, thx for the tip. I've found this:
IP: tableid=0, s=
IP: s=
TCP src=57900, dst=25, seq=3390386607, ack=0, win=5840 SYN
But ip inspect log drop-pkt doesn't return any message.
05-04-2011 07:14 AM
Hi,
But ip inspect log drop-pkt doesn't return any message.
Maybe you're missing the log keyword in the inspection policy-map
So now you know the first SYN segment is dropped due to ZBF policy.
I would classify SMTP traffic for this private IP address in a class-map, then in the policy-map I would do an inspect and apply it from the ISP2 zone to the DMZ zone.
Regards.
Alain.
05-04-2011 07:49 AM
So now you know the first SYN segment is dropped due to ZBF policy.
I would classify SMTP traffic for this private IP address in a class-map, then in the policy-map I would do an inspect and apply it from the ISP2 zone to the DMZ zone.
If DMZ->ISP2 is inspected under a policy-map, return traffic should be accepted, right?
Anyway, a class-map in the policy-map for the ISP2->DMZ zone-pair exists for inbound traffic:
!
Zone-pair name ZP-DMZ_to_ISP2
Source-Zone DMZ Destination-Zone ISP2
service-policy PMAP-DMZ_to_ISP2
Policy Map type inspect PMAP-DMZ_to_ISP2
Class CMAP-MAIL1
Inspect
Class class-default
Class Map type inspect match-any CMAP-MAIL1 (id 95)
Match access-group name ACL-MAIL1
Extended IP access list ACL-MAIL1
10 permit ip host 10.0.0.2 any
Zone-pair name ZP-ISP2_to_DMZ
Source-Zone ISP2 Destination-Zone DMZ
service-policy PMAP-ISP2_to_DMZ
Policy Map type inspect PMAP-ISP2_to_DMZ
Class CMAP-Access_to_MAIL1
Inspect
Class class-default
Class Map type inspect match-all CMAP-Access_to_MAIL1 (id 41)
Match class-map CMAP-Protocols-mail1
Match access-group name ACL-ANY_to_MAIL1
Class Map type inspect match-any CMAP-Protocols-mail1 (id 40)
Match protocol smtp
Match protocol pop3
Match protocol imap
Match protocol imaps
Match protocol http
Match protocol https
Extended IP access list ACL-ANY_to_MAIL1
10 permit ip any host 10.0.0.2
Maybe something with NAT?
ip nat inside source route-map INTERNET_ISP1 interface Vlan2 overload
ip nat inside source route-map INTERNET_ISP2 interface Vlan3 overload
route-map INTERNET_ISP2, permit, sequence 50
Match clauses:
ip address (access-lists): 103
interface Vlan3
Set clauses:
Policy routing matches: 0 packets, 0 bytes
Extended IP access list 103
10 permit ip host 10.0.0.2 any
route-map INTERNET_ISP1, permit, sequence 30
Match clauses:
ip address (access-lists): 101
interface Vlan2
Set clauses:
Policy routing matches: 0 packets, 0 bytes
Extended IP access list 101
10 permit ip 10.0.0.0 0.0.0.255 any
In this line:
IP: tableid=0, s=
"d=74.125.45.27 (Vlan2)": shouldn't it be Vlan3, as it is connected to ISP2? Why does it say it is connected to Vlan2?
I can't believe it only fails with SMTP destination traffic!!
05-04-2011 09:49 AM
Hi,
Can you post the output of the debug for working traffic like HTTP, and for SMTP again?
Can you also put a log keyword in each class in your policy-maps and see if you get a log message?
If you want to test NAT, you can do debug ip nat with an ACL also, if I remember well.
Regards.
Alain.
05-04-2011 03:11 PM
This is the output of debug ip packet detail when there is traffic toward port 22:
IP: tableid=0, s=10.0.0.2 (local), d=8.8.8.8 (Vlan2), routed via FIB
IP: s=10.0.0.2 (local), d=8.8.8.8 (Vlan2), len 40, sending
TCP src=43935, dst=22, seq=3940800076, ack=0, win=0 RST
And this is the output when sending traffic to an SMTP port:
IP: tableid=0, s=
IP: s=
TCP src=41849, dst=25, seq=2767250072, ack=0, win=5840 SYN
From 10.0.0.2 I see the Vlan3 interface IP address when I go to the www.whatismyip.com site, meaning it is using the route specified with the route-map on interface g0/0.10.
I've found that if I let 10.0.0.2 go out using the router's default GW it can reach remote tcp:25.
05-05-2011 07:19 AM
cadetalain wrote:
Can you also put a log keyword in each class in your policy-maps and see if you've got a log message.
I can't find where to add the log keyword under each policy-map. Is it at class-default and adding "drop log"?
05-05-2011 09:22 AM
Yes that's it. I explained myself badly sorry.
Regards.
Alain.
05-07-2011 06:19 AM
Well, it's working now.
After one test after another, I've found that if I inspect the TCP protocol, it works OK:
Class Map type inspect match-all CMAP-MAIL (id 108)
Match access-group name ACL-MAIL1
Match protocol tcp
Extended IP access list ACL-MAIL1
10 permit ip host 10.0.0.2 any
But it doesn't work when the protocol is SMTP (?!)
Class Map type inspect match-all CMAP-MAIL (id 108)
Match access-group name ACL-MAIL1
Match protocol smtp
It doesn't even work when I add the SMTP protocol to the class-map when it already has the TCP match:
Class Map type inspect match-all CMAP-MAIL (id 108)
Match access-group name ACL-MAIL1
Match protocol tcp
Match protocol smtp
So, basically, I think traffic wasn't permitted because it couldn't see it as part of the same session. Is it so?
The clue I found was in this post:
https://supportforums.cisco.com/thread/136381
Inspect means different things for different protocols. For example, inspect TCP means to make sure the packet is a valid TCP packet, and that a session is created to maintain the state of the connection on the router (allow SYN, SYN-ACK, and ACK to be completed to establish the connection). So, to have the basic stateful functionality of the IOS FW work, as a minimum you need to have TCP/UDP inspection. However, for multichannel protocols such as FTP, the payload needs to be inspected as well to get the necessary IP and/or protocol information to be able to allow the subsequent data connection. Again, some application layer inspection such as SMTP is to make sure the SMTP exchange across the firewall is within protocol conformance. So, net net is, inspection serves different purposes for different protocols.
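The working configuration the thread converges on, written out as running-config commands rather than show output. This is an added example, not the poster's actual config: zone, class-map, policy-map and ACL names are taken from the show outputs above, but the ISP2 zone-pair and the `drop log` on class-default are assumptions illustrating the fix (stateful TCP inspection outbound, with logging of anything the policy drops so the next ZBF problem shows up in the log instead of in `debug ip packet`).

```ios
! Only the mail host in the DMZ is policy-routed toward ISP2, so only it needs this zone-pair.
ip access-list extended ACL-MAIL1
 permit ip host 10.0.0.2 any
!
! Match on the host AND on the transport protocol. "match protocol tcp" gives the
! stateful SYN / SYN-ACK / ACK tracking the post quotes; "match protocol smtp"
! alone applies SMTP application-layer conformance checks on top of that,
! which is what the poster found to break the outbound session.
class-map type inspect match-all CMAP-MAIL1
 match access-group name ACL-MAIL1
 match protocol tcp
!
! Inspect the classified traffic; log whatever falls to class-default so a
! drop is visible without a packet debug (assumption: "drop log" is wanted here).
policy-map type inspect PMAP-DMZ_to_ISP2
 class type inspect CMAP-MAIL1
  inspect
 class class-default
  drop log
!
zone security DMZ
zone security ISP2
!
! Inspection on DMZ->ISP2 creates the session; the SYN-ACK from the remote
! mail server is allowed back by that session, not by a separate inbound rule.
zone-pair security ZP-DMZ_to_ISP2 source DMZ destination ISP2
 service-policy type inspect PMAP-DMZ_to_ISP2
!
! The subinterface and the ISP2 uplink must be in their zones, or the
! zone-pair never sees the traffic.
interface GigabitEthernet0/0.10
 zone-member security DMZ
interface Vlan3
 zone-member security ISP2
```

Verify with `show policy-map type inspect zone-pair ZP-DMZ_to_ISP2 sessions` after opening a tcp:25 connection from 10.0.0.2; a session entry for dst port 25 confirms the class-map is matching and the state is being tracked.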