10-30-2012 08:51 AM - edited 03-07-2019 09:45 AM
Hello to you Cisco folks,
I have an understanding question regarding the port-map command and the router's behaviour.
What does the below line exactly do when used in class-maps?:
"ip port-map smtp port tcp from 35 to 45"
!
class-map type inspect match-any pub-to-priv-cmap
match protocol smtp
!
In the SMTP case, will the router inspect/pass SMTP connections that have SMTP-related headers and are on ports 35 to 45?
Must connections destined to ports 35-45 be SMTP in order to pass the router, and otherwise be blocked?
Thanks in advance
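For readers following this thread, here is the class map from the question placed in a complete zone-based firewall policy, as an added example that is not part of the original post. The zone names, policy-map name and interface names are constructed for the illustration; only the port-map line and class-map are taken from the question.

```cisco
! Port-to-Application Mapping: tell the inspection engine to treat
! TCP 35-45 as SMTP in addition to the default port 25 (from the question)
ip port-map smtp port tcp from 35 to 45
!
! Class map from the question: match traffic the engine classifies as SMTP
class-map type inspect match-any pub-to-priv-cmap
 match protocol smtp
!
! Constructed policy map: inspect matched SMTP, drop everything else
policy-map type inspect pub-to-priv-pmap
 class type inspect pub-to-priv-cmap
  inspect
 class class-default
  drop log
!
! Constructed zones and zone pair that apply the policy
zone security PUBLIC
zone security PRIVATE
zone-pair security pub-to-priv source PUBLIC destination PRIVATE
 service-policy type inspect pub-to-priv-pmap
!
! Constructed interface assignments
interface GigabitEthernet0/0
 description outside
 zone-member security PUBLIC
interface GigabitEthernet0/1
 description inside
 zone-member security PRIVATE
```

With the policy applied, "show ip port-map smtp" lists the ports the engine associates with SMTP, and "show policy-map type inspect zone-pair pub-to-priv" shows session and drop counters, which is the quickest way to observe on a lab router how traffic to ports 35-45 is actually classified.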
10-30-2012 09:57 AM
I'm a bit new to ZFW and such, so take my suggestions as just hopefully helpful suggestions and not the answer (unless I'm right! )
You might achieve the same result if you used NAT instead, mapping ports 35-45 on the outside to port 25 on the inside or dmz. That way you don't have to customize the smtp protocol itself. NAT occurs before firewall from the outside to inside, so your firewall would need to just allow smtp with port 25.
The question is, how to translate 11 ports (35 to 45 inclusive) to a single internal port (25). I'm actually not sure how to do this. Probably an ACL works best. So, create an ACL for it, then a route-map, and embed that ACL in the route-map. Then, put the route-map into a NAT entry. Example:
Create ACL:
access-list 166 permit tcp any range 35 45 host 192.168.0.123 eq 25
Create Route-Map:
Router#config t
Router(config)#route-map
Router(config-route-map)#match ip address 166
Router(config-route-map)#exit
Create a NAT rule:
ip nat inside source static tcp 192.168.0.123 0.0.0.0 route-map
So the result, I think, is that any source host coming in on ports tcp 35-45 will be translated to tcp port 25 on IP 192.168.0.123.
I can't actually test this here so I am hoping it is either correct or close enough for you to test on your own.
I'm new to Cisco stuff so hey if I'm right, mark this as a Correct Answer, it'll be my first one
Edited: On review, I'm not entirely sure the ip nat command is correct as it doesn't specify your global IP or interface to apply the NAT rule to. See the command below for a possible alternate.
ip nat inside source route-map
11-02-2012 08:02 PM
Any luck?
Sent from Cisco Technical Support iPad App
11-04-2012 08:57 AM
Hi,
Yes, I know about the NAT option.
Thank you for your help