
ACL + SMTP + HELP!


ultramonkey (Technical User; joined Jul 25, 2005; 8 messages; location GB)
Hi,
I am having an issue with forwarding and allowing SMTP traffic. I have added a NAT to the internal mail server and allowed inbound TCP traffic on port 25, but still no joy. Can someone please advise where I'm going wrong?

ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat pool SMTP 217.45.194.* 217.45.194.* netmask 255.255.255.248
ip nat pool Exchange 192.168.69.1 192.168.69.1 netmask 255.255.255.0
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.69.1 25 interface Dialer0 25
!
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.69.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp host 194.72.0.114 eq domain host 217.45.*.*
access-list 101 permit udp host 194.72.0.98 eq domain host 217.45.*.*
access-list 101 remark SMTP
access-list 101 permit tcp any eq smtp host 192.168.69.1 eq smtp
access-list 101 permit icmp any host 217.45.*.* echo-reply
access-list 101 permit icmp any host 217.45.*.* time-exceeded
access-list 101 permit icmp any host 217.45.*.* unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
access-list 105 remark NAT + SMTP
access-list 105 remark SDM_ACL Category=2
access-list 105 remark Permit SMTP NAT
access-list 105 permit tcp host 217.45.*.* eq smtp host 192.168.69.1 eq smtp
dialer-list 1 protocol ip permit
no cdp run
!
!
 
You have 4 access-lists, but I only see where 1 is applied. It seems that the mail server is mapped per your command:
ip nat inside source static tcp 192.168.69.1 25 interface Dialer0 25

You then set up a rule with this command (I am assuming it is applied to the outside interface):
access-list 101 permit tcp any eq smtp host 192.168.69.1 eq smtp

The problem with that last line is that you don't know what the source port will be. Even though your server is listening on port 25, the client will be coming on some random port. Change it to this:
access-list 101 permit tcp any host 192.168.69.1 eq smtp
 
Thanks for that. I have started from scratch and added the port forward statement. This works fine until I add the firewall using the SDM. For some reason that I can't work out, this kills the SMTP??!! The config is pretty much as per above; any ideas???

Thanks
 
Further to the above, when I apply the firewall the below is added to the running config -

access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp host 194.72.0.98 eq domain host 217.45.194.201
access-list 101 deny ip 192.168.69.0 0.0.0.255 any
access-list 101 permit icmp any host 217.45.194.201 echo-reply
access-list 101 permit icmp any host 217.45.194.201 time-exceeded
access-list 101 permit icmp any host 217.45.194.201 unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip 217.45.194.200 0.0.0.7 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
interface Dialer0
description $FW_OUTSIDE$
ip access-group 101 in
 
Building configuration...

Current configuration : 6129 bytes
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname r&d
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$Abgo$4EplNQGEXrW9V24eDOtkN/
!
username minda privilege 15 secret 5 $1$KQFD$5bmvLq.o0zWGtJk2QRfeu.
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
no network-clock-participate wic 0
no network-clock-participate aim 0
no network-clock-participate aim 1
no aaa new-model
ip subnet-zero
no ip source-route
ip tcp synwait-time 10
!
!
ip cef
!
!
no ip bootp server
ip domain name ******.co.uk
ip name-server 194.72.0.98
ip name-server 192.168.69.1
ip ssh time-out 60
ip ssh authentication-retries 2
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip ips po max-events 100
no ftp-server write-enable
!
voice-card 0
no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
controller E1 0/0/0
!
!
!
!
!
interface FastEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0/0$
ip address 10.10.10.1 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
duplex auto
speed auto
no cdp enable
no mop enabled
!
interface FastEthernet0/1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
shutdown
duplex auto
speed auto
no cdp enable
no mop enabled
!
interface ATM0/1/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0/1/0.1 point-to-point
description $ES_WAN$$FW_OUTSIDE$
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface Serial0/2/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
shutdown
clockrate 2000000
no cdp enable
!
interface FastEthernet1/0
no ip address
no cdp enable
!
interface FastEthernet1/1
no ip address
no cdp enable
!
interface FastEthernet1/2
no ip address
no cdp enable
!
interface FastEthernet1/3
no ip address
no cdp enable
!
interface FastEthernet1/4
no ip address
no cdp enable
!
interface FastEthernet1/5
no ip address
no cdp enable
!
interface FastEthernet1/6
no ip address
no cdp enable
!
interface FastEthernet1/7
no ip address
no cdp enable
!
interface FastEthernet1/8
no ip address
no cdp enable
!
interface FastEthernet1/9
no ip address
no cdp enable
!
interface FastEthernet1/10
no ip address
no cdp enable
!
interface FastEthernet1/11
no ip address
no cdp enable
!
interface FastEthernet1/12
no ip address
no cdp enable
!
interface FastEthernet1/13
no ip address
no cdp enable
!
interface FastEthernet1/14
no ip address
no cdp enable
!
interface FastEthernet1/15
no ip address
no cdp enable
!
interface Vlan1
description $ES_LAN$$FW_INSIDE$
ip address 192.168.69.254 255.255.255.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
!
interface Dialer0
description $FW_OUTSIDE$
ip address 217.*.*.* 255.255.255.248
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect DEFAULT100 out
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname ******@hg31.btclick.com
ppp chap password 7 121B174413001B053E78367927
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.69.1 25 217.45.*.* 25 extendable
!
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.69.0 0.0.0.255
access-list 1 permit 217.45.*.* 0.0.0.248
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp host 194.72.0.98 eq domain host 217.45.194.201
access-list 101 permit tcp any eq smtp any eq smtp
access-list 101 permit icmp any host 217.45.*.* echo-reply
access-list 101 permit icmp any host 217.45.*.* time-exceeded
access-list 101 permit icmp any host 217.45.*.* unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
dialer-list 1 protocol ip permit
no cdp run
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
privilege level 15
login local
transport input telnet ssh
line vty 5 15
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end
 
access-list 101 permit tcp any eq smtp any eq smtp

The above line is wrong. I don't know what parameters you are putting in SDM (I've never used it).

It should read

access-list 101 permit tcp any host 192.168.69.1 eq smtp
 
Thanks again, but this still hasn't helped. I made the changes but no change!!!
 
Serious brain fart... you must permit to the public IP, not the private. Paste the below; it will remove your access-list 101 and then paste in the new one. Make sure you are local, because you will lose access if you are connected from the outside world.

no access-list 101

access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp host 194.72.0.98 eq domain host 217.45.194.201
access-list 101 permit tcp any any eq smtp
access-list 101 permit icmp any host 217.45.*.* echo-reply
access-list 101 permit icmp any host 217.45.*.* time-exceeded
access-list 101 permit icmp any host 217.45.*.* unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
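Two points in this thread decide whether an SMTP permit line matches: the reply above about the client's random source port, and this one about permitting the public address rather than the private one. The evaluator below is an added example, not part of the thread or of any Cisco tool. It parses numbered extended ACL lines in the syntax pasted here and applies them to a constructed inbound mail connection the way the router does on `ip access-group 101 in` of the `ip nat outside` interface: the inbound ACL runs before the static NAT rewrites the destination, so the packet still carries the public address (217.45.194.201 from the thread), and the client's source port is ephemeral. The client address 203.0.113.10 and source port 51234 are constructed; only contiguous wildcard masks are supported.

```python
"""Added example: a minimal first-match evaluator for Cisco IOS numbered extended ACLs,
used to show which of the SMTP permit lines tried in the thread match an inbound
connection seen on the outside interface *before* NAT."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Ace:
    action: str         # "permit" or "deny"
    proto: str
    src: ipaddress.IPv4Network
    sport: Optional[int]
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    raw: str


PORT_NAMES = {"smtp": 25, "domain": 53, "www": 80, "ssh": 22, "isakmp": 500}
ANY = ipaddress.ip_network("0.0.0.0/0")


def _parse_addr(tok):
    """'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' -> (network, remaining tokens)."""
    if tok[0] == "any":
        return ANY, tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    # IOS wildcard masks are inverted netmasks (0.0.0.255 == /24); contiguous masks only.
    wildcard = int(ipaddress.IPv4Address(tok[1]))
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ wildcard)
    return ipaddress.ip_network(f"{tok[0]}/{mask}", strict=False), tok[2:]


def _parse_port(tok):
    """Optional 'eq <port|name>' qualifier -> (port or None, remaining tokens)."""
    if tok and tok[0] == "eq":
        name = tok[1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), tok[2:]
    return None, tok


def parse_acl(text):
    """Parse 'access-list N permit|deny PROTO SRC [eq P] DST [eq P] ...' lines.
    Remarks and standard (single-address) ACL lines are skipped."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[2] == "remark":
            continue
        rest = tok[4:]
        src, rest = _parse_addr(rest)
        sport, rest = _parse_port(rest)
        dst, rest = _parse_addr(rest)
        dport, _ = _parse_port(rest)        # trailing 'log' / ICMP type names are ignored
        aces.append(Ace(tok[2], tok[3], src, sport, dst, dport, line.strip()))
    return aces


def evaluate(aces, pkt):
    """First match wins; every IOS ACL ends with an implicit 'deny ip any any'."""
    for a in aces:
        if a.proto not in ("ip", pkt.proto):
            continue
        if ipaddress.IPv4Address(pkt.src) not in a.src or ipaddress.IPv4Address(pkt.dst) not in a.dst:
            continue
        if a.sport is not None and a.sport != pkt.sport:
            continue
        if a.dport is not None and a.dport != pkt.dport:
            continue
        return a.action, a.raw
    return "deny", "(implicit deny ip any any)"


PUBLIC_MX = "217.45.194.201"    # public address of the static NAT in the thread
INSIDE_MX = "192.168.69.1"      # the Exchange server behind it

# The SMTP permit lines that appear in the thread, in the order they were tried.
SMTP_RULES = {
    "original":    "access-list 101 permit tcp any eq smtp host 192.168.69.1 eq smtp",
    "no-src-port": "access-list 101 permit tcp any host 192.168.69.1 eq smtp",
    "public-any":  "access-list 101 permit tcp any any eq smtp",
    "public-host": f"access-list 101 permit tcp any host {PUBLIC_MX} eq smtp",
}


def inbound_smtp(client="203.0.113.10", sport=51234):
    """Constructed packet: an internet MTA connecting from an ephemeral port. The inbound
    ACL on the outside interface runs before NAT, so the destination is still public."""
    return Packet("tcp", client, PUBLIC_MX, sport, 25)


def check_rules(pkt=None):
    """Evaluate each candidate line as if it were ACL 101 applied inbound on Dialer0."""
    pkt = pkt or inbound_smtp()
    return {name: evaluate(parse_acl(rule), pkt)[0] for name, rule in SMTP_RULES.items()}


if __name__ == "__main__":
    for name, verdict in check_rules().items():
        print(f"{name:12s} -> {verdict}")
```

The original line only permits when the client also uses source port 25 and the destination is already the private address, a combination that never occurs before NAT; the `public-host` form is the tightest line that works and is the shape the second poster's `permit tcp any host 84.12.x.y eq smtp` takes.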
 
Did this work? I'm having exactly the same problem...

I don't think it's the firewalls, because I've tried removing the ACL from the interface and it still doesn't work.
(I have still only applied 101 in the config)

You can connect to the SMTP server from the local LAN but not from any outside interfaces. It also works over a VPN from the private LAN on the other side, which leads me to think it may be NATing or routing... no idea.

I have a similar config to above although I stripped out a lot of the firewall inspection for troubleshooting. I also have ppp multilink configured for bonded ADSL lines and VPN config on mine so I have to do some fairly odd policy based routing.

Building configuration...

Current configuration : 7457 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname **********
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
no logging console
enable secret 5 ******************
!
aaa new-model
!
!
!
aaa session-id common
!
resource policy
!
clock timezone London 0
clock summer-time London date Mar 30 2003 1:00 Oct 26 2003 2:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.1.1
ip dhcp excluded-address 10.10.1.2
ip dhcp excluded-address 10.10.1.3
ip dhcp excluded-address 10.10.1.4
ip dhcp excluded-address 10.10.1.5
ip dhcp excluded-address 10.10.1.6
ip dhcp excluded-address 10.10.1.7
ip dhcp excluded-address 10.10.1.8
ip dhcp excluded-address 10.10.1.9
!
ip dhcp pool DHCP
network 10.10.1.0 255.255.255.0
dns-server 10.10.1.9 213.208.106.212 213.208.106.213
domain-name *********.com
default-router 10.10.1.1
!
!
ip cef
no ip domain lookup
ip domain name ********.com
ip name-server 213.208.106.212
ip name-server 213.208.106.213
!
!
!
crypto pki trustpoint test_trustpoint_config_created_for_sdm
subject-name e=sdmtest@sdmtest.com
revocation-check crl
!
crypto pki trustpoint TP-self-signed-*********
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-********
revocation-check none
rsakeypair TP-self-signed-********
!
!
crypto pki certificate chain test_trustpoint_config_created_for_sdm
crypto pki certificate chain TP-self-signed-********
certificate self-signed 01
******** ******** ******** ******** ******** ********
quit
username ****** access-class 15 password 7 *************
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 10
authentication pre-share
group 2
crypto isakmp key ******** address 84.12.*.* no-xauth
crypto isakmp key ******** address 82.6.*.* no-xauth
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set DB esp-des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to84.12.*.*
set peer 84.12.*.*
set transform-set ESP-3DES-SHA
match address 102
crypto map SDM_CMAP_1 10 ipsec-isakmp
description Tunnel to82.6.*.*
set peer 82.6.*.*
set transform-set DB
match address 103
!
!
!
interface Loopback0
description VPN Tunnel endpoint
ip address 84.12.y.y 255.255.255.252 (1st of Static address range assigned from ISP)
ip accounting output-packets
crypto map SDM_CMAP_1
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface ATM1
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0
description $FW_INSIDE$
ip address 10.10.1.1 255.255.255.0
ip accounting output-packets
ip nat inside
ip virtual-reassembly
ip policy route-map policy
speed auto
full-duplex
!
interface Dialer0
description $FW_OUTSIDE$
ip address negotiated
access-group 101 in
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer idle-timeout 0
dialer persistent
dialer-group 1
ppp authentication chap callin
ppp chap hostname gotadsl.co.uk/*******
ppp chap password 7 **********
ppp multilink
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
ip http secure-server
!
ip nat inside source route-map nonat interface Dialer0 overload
ip nat inside source static 10.10.1.9 84.12.x.y (This is the SMTP Server)
!
!
logging history notifications
access-list 1 permit 10.10.1.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp host 84.12.*.* host 84.12.y.y eq non500-isakmp
access-list 101 permit udp host 84.12.*.* host 84.12.y.y eq isakmp
access-list 101 permit esp host 84.12.*.* host 84.12.y.y
access-list 101 permit ahp host 84.12.*.* host 84.12.y.y
access-list 101 permit udp host 82.6.*.* host 84.12.y.y eq non500-isakmp
access-list 101 permit udp host 82.6.*.* host 84.12.y.y eq isakmp
access-list 101 permit esp host 82.6.*.* host 84.12.y.y
access-list 101 permit ahp host 82.6.*.* host 84.12.y.y
access-list 101 permit udp host 213.208.106.213 eq domain any
access-list 101 permit udp host 213.208.106.212 eq domain any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit tcp host 84.12.*.* any eq 22
access-list 101 permit tcp 82.6.*.* 0.0.0.255 any eq 22
access-list 101 permit ip 10.10.0.0 0.0.0.255 any
access-list 101 permit ip 192.168.156.0 0.0.0.255 any
access-list 101 permit tcp any host 84.12.x.y eq smtp (This is for my SMTP Server)
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
access-list 102 remark SDM_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 10.10.1.0 0.0.0.255 10.10.0.0 0.0.0.255
access-list 103 permit ip 10.10.1.0 0.0.0.255 192.168.156.0 0.0.0.255
access-list 105 deny ip 10.10.1.0 0.0.0.255 10.10.0.0 0.0.0.255
access-list 105 deny ip host 10.10.1.9 any
access-list 105 deny ip 10.10.1.0 0.0.0.255 192.168.156.0 0.0.0.255
access-list 105 permit ip 10.10.1.0 0.0.0.255 any
dialer-list 1 protocol ip permit
snmp-server community ******* RO
snmp-server enable traps tty
!
route-map policy permit 10
match ip address 102 103
set ip next-hop 84.12.y.z (This is the next address in the range assigned to the loopback address ...very weird)
!
route-map nonat permit 10
match ip address 105
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
password 7 *********
!
end

Any ideas?
 
I've solved this issue. It seems as if our ISP was blocking port 25, and this is apparently standard practice for ISPs; you actually have to call their technical support guys to open up for your mail server.
It would have been nice to know this before spending a week troubleshooting this.

Good luck.
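The week of troubleshooting above ended with a block upstream of the router, which no ACL or NAT change could fix. A quick probe from outside, repeated from the LAN and from the VPN side as the previous poster did, narrows that down before the config gets touched. The function below is an added example (not from the thread): it connects to the mail port and reads the SMTP greeting, and classifies the result. A silent timeout from the internet while the same probe succeeds from the LAN means the SYN is being dropped somewhere in the path; with `no ip unreachables` on the outside interface (as in both configs above) a router ACL deny also looks like a timeout, so check the router's `deny ip any any log` hits as well: if outside probes time out and the router logs no denies for them, the packets never arrived, which points at the provider. The fake mail server is constructed on 127.0.0.1 purely so the example runs offline.

```python
"""Added example: probe an SMTP listener and read its greeting, to separate 'reachable
and answering' from 'reachable but silent' from 'nothing arrives at all'."""
import socket
import threading


def probe_smtp(host, port=25, timeout=3.0):
    """Connect to host:port and read the first line the server sends.
    Returns (state, banner):
      'filtered'    connect timed out: the SYN was dropped silently somewhere in the path
                    (an upstream block, or an ACL deny on a router with 'no ip unreachables')
      'refused'     a host answered with RST: the address is reachable, nothing listens there
      'unreachable' the local stack or a router reported the host/network as unreachable
      'open'        TCP connected; banner is the greeting ('' if none arrived in time)
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except socket.timeout:
            return "filtered", ""
        except ConnectionRefusedError:
            return "refused", ""
        except OSError:
            return "unreachable", ""
        try:
            banner = s.recv(512).decode("ascii", "replace").strip()
        except socket.timeout:
            banner = ""             # connected, but no SMTP greeting: something answered, the MTA did not
        return "open", banner


def fake_mta(greeting=b"220 mx.example.test ESMTP constructed\r\n"):
    """Constructed stand-in for a mail server on 127.0.0.1; returns the port it listens on.
    Serves exactly one connection and then closes."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(greeting)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def closed_port():
    """A 127.0.0.1 port that nothing listens on (bind to reserve it, then release it)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    print("listening MTA :", probe_smtp("127.0.0.1", fake_mta()))
    print("closed port   :", probe_smtp("127.0.0.1", closed_port()))
```

Run `probe_smtp("<public MX address>", 25)` from an outside host and compare with the same call from the LAN against the inside address; the pair of results, together with whether the router logged a deny, is what the thread's final answer needed a week to establish.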
 