A question about 'ip port-map' command and class-maps

shaijosef
Level 1

Hello to you Cisco folks,

I have an understanding question regarding the port-map command and the router's behaviour.

What exactly does the line below do when used in class-maps?

"ip port-map smtp port tcp from 35 to 45"

!

class-map type inspect match-any pub-to-priv-cmap

match protocol smtp

!

In the SMTP case, will the router inspect/pass SMTP connections that have SMTP-related headers and are on ports 35 to 45?

Must connections destined to ports 35-45 be SMTP in order to pass the router, and otherwise be blocked?

Thanks in advance
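For reference, here is the port-map from the question placed in a complete zone-based firewall policy. This is an added example and not part of the original post. The PAM entry binds TCP 35-45 to the smtp application, so "match protocol smtp" classifies sessions to those destination ports as SMTP and hands them to the inspect action; anything the class does not match falls through to class-default. The zone names, interface names, policy-map name and zone-pair name are assumptions; the class-map name and the port range come from the question. On the IOS releases I know, a user-defined entry for a system application adds to its default port (25) rather than replacing it; "show ip port-map smtp" confirms what your router actually has.

```cisco
! Added example (not from the thread). Zone, interface, policy-map and
! zone-pair names are placeholders; the class-map name and port range
! are the ones from the question.
!
! Bind TCP 35-45 to the smtp application in the port-to-application map.
! From here on, "match protocol smtp" treats sessions to these ports as SMTP.
ip port-map smtp port tcp from 35 to 45
!
zone security PUBLIC
zone security PRIVATE
!
! Only traffic that PAM classifies as SMTP is inspected from PUBLIC to PRIVATE.
class-map type inspect match-any pub-to-priv-cmap
 match protocol smtp
!
policy-map type inspect pub-to-priv-pmap
 class type inspect pub-to-priv-cmap
  inspect
 class class-default
  drop log
!
zone-pair security PUB-TO-PRIV source PUBLIC destination PRIVATE
 service-policy type inspect pub-to-priv-pmap
!
interface GigabitEthernet0/0
 description outside
 zone-member security PUBLIC
!
interface GigabitEthernet0/1
 description inside
 zone-member security PRIVATE
!
! Verification (exec mode):
!   show ip port-map smtp
!     -> lists every TCP port currently bound to the smtp application
!   show policy-map type inspect zone-pair PUB-TO-PRIV sessions
!     -> active sessions and the protocol each one was classified as
```

Whether the SMTP application inspection drops a non-SMTP payload that arrives on one of the mapped ports is not something the thread settles; the sessions output above is the place to watch while testing that.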

1 Accepted Solution


ValleyITPC
Level 1

I'm a bit new to ZFW and such, so take my suggestions as just hopefully helpful suggestions and not the answer (unless I'm right!).

You might achieve the same result if you used NAT instead, mapping ports 35-45 on the outside to port 25 on the inside or DMZ. That way you don't have to customize the SMTP protocol itself. NAT occurs before the firewall from the outside to the inside, so your firewall would just need to allow SMTP on port 25.

The question is how to translate 11 ports (35 to 45 inclusive) to a single internal port (25). I'm actually not sure how to do this. Probably an ACL works best. So, create an ACL for it, then a route-map, and embed that ACL in the route-map. Then put the route-map into a NAT entry. Example:

Create ACL:

access-list 166 permit tcp any range 35 45 host 192.168.0.123 eq 25

Create Route-Map:

Router#config t

Router(config)#! SMTP-NAT below is a placeholder; the route-map needs a name
Router(config)#route-map SMTP-NAT permit 10

Router(config-route-map)#match ip address 166

Router(config-route-map)#exit

Create a NAT rule:

ip nat inside source static tcp 192.168.0.123 0.0.0.0 route-map

So the result, I think, is that any source host coming in on TCP ports 35-45 will be translated to TCP port 25 on IP 192.168.0.123.

I can't actually test this here so I am hoping it is either correct or close enough for you to test on your own. 

I'm new to Cisco stuff, so hey, if I'm right, mark this as a Correct Answer; it'll be my first one.

Edited: On review, I'm not entirely sure the ip nat command is correct, as it doesn't specify your global IP or the interface to apply the NAT rule to. See the command below for a possible alternate.

ip nat inside source route-map interface

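The per-port mapping this reply describes (outside TCP 35-45 to 192.168.0.123:25) can be written as static PAT entries, one per outside port, instead of an ACL and route-map. The following is an added example and not the reply's own configuration: 203.0.113.10 is an assumed outside (global) address, the interface names and the inside subnet are placeholders, and 192.168.0.123 is the server address from the reply.

```cisco
! Added example (not the reply's own config). 203.0.113.10, the interface
! names and 192.168.0.0/24 are assumptions; 192.168.0.123 is from the thread.
!
interface GigabitEthernet0/0
 description outside
 ip address 203.0.113.10 255.255.255.0
 ip nat outside
!
interface GigabitEthernet0/1
 description inside
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
!
! One static PAT entry per outside port. All eleven entries reuse the same
! inside socket (192.168.0.123:25); "extendable" allows that reuse.
ip nat inside source static tcp 192.168.0.123 25 203.0.113.10 35 extendable
ip nat inside source static tcp 192.168.0.123 25 203.0.113.10 36 extendable
ip nat inside source static tcp 192.168.0.123 25 203.0.113.10 37 extendable
ip nat inside source static tcp 192.168.0.123 25 203.0.113.10 38 extendable
ip nat inside source static tcp 192.168.0.123 25 203.0.113.10 39 extendable
ip nat inside source static tcp 192.168.0.123 25 203.0.113.10 40 extendable
ip nat inside source static tcp 192.168.0.123 25 203.0.113.10 41 extendable
ip nat inside source static tcp 192.168.0.123 25 203.0.113.10 42 extendable
ip nat inside source static tcp 192.168.0.123 25 203.0.113.10 43 extendable
ip nat inside source static tcp 192.168.0.123 25 203.0.113.10 44 extendable
ip nat inside source static tcp 192.168.0.123 25 203.0.113.10 45 extendable
!
! Verification (exec mode):
!   show ip nat translations
!     -> the eleven static entries, plus live translations once traffic flows
```

With this in place the zone-based policy on the inside only needs a class that matches smtp on its default port 25, as the reply notes, since the destination port has already been rewritten by the time the firewall classifies the session.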

3 Replies


ValleyITPC
Level 1

Any luck?


Hi,

Yes, I know about the NAT option.

Thank you for your help.
