Allow SMTP through firewall based on source IP range

Status
Not open for further replies.

creeping666

Technical User
Jan 21, 2009
24
NZ
Hi, based on the config below (correct me if its wrong) we currently port forward all SMTP extended traffic from any IP address only if it is addressed to our email server.

hardware: cisco 877 ADSL router
IOS: C870-ADVIPSERVICESK9-M, Version 12.4(15)T9

Code:
ip nat inside source static tcp 192.168.30.160 25 interface Dialer0 25

ip access-list extended MAIL_SERVER
 permit ip any host 192.168.30.160

class-map type inspect match-any MAIL_SERVER-PROTOS
 match protocol smtp extended

class-map type inspect match-all MAIL_SERVER-TRAFFIC
 match class-map MAIL_SERVER-PROTOS
 match access-group name MAIL_SERVER

policy-map type inspect INTERNET-TO-VLAN1
 class type inspect MAIL_SERVER-TRAFFIC
  inspect

Side questions:
1. In the MAIL_SERVER access list, should I have the private IP address of the email server or the public MX record email is coming to?
e.g. 192.168.30.160 or mail.domain-name.com (202.45.65.2)

2. Is the MAIL_SERVER access list even necessary... as email traffic only comes in on a port and it's not addressed to any specific internal IP address?

Next issue: we now have all of our email spam-filtered through an external email hosting company, and they forward it to us on port 25.
We would like to secure our email server by only allowing email sent from their servers, so other people cannot send email to us directly.

I have come up with the following and have no idea if it is right or if there is a better / more elegant way of doing it. We do not have a domain or network we can test on so I want to get it right first.

Code:
ip nat inside source static tcp 192.168.30.160 25 interface Dialer0 25

object-group network EXT_EMAIL_SERVERS
 range 1.1.1.1 2.2.2.2
 range 3.3.3.3 4.4.4.4
exit

ip access-list extended MAIL_SERVER
 permit ip any host 192.168.30.160

ip access-list extended TRAFFIC_FROM_EXT_EMAIL_SERVERS
 permit ip object-group EXT_EMAIL_SERVERS host 192.168.30.160

class-map type inspect match-any MAIL_SERVER-PROTOS
 match protocol smtp extended

class-map type inspect match-all MAIL_SERVER-TRAFFIC
 match class-map MAIL_SERVER-PROTOS
 match access-group name TRAFFIC_FROM_EXT_EMAIL_SERVERS

policy-map type inspect INTERNET-TO-VLAN1
 class type inspect MAIL_SERVER-TRAFFIC
  inspect

Again, in the TRAFFIC_FROM_EXT_EMAIL_SERVERS access list, do I put the internal IP address of the email server, the MX record (mail.domain-name.com), or do I not even need it?

Is that right? Any better way?

Thanks.

class-map type inspect match-any MAIL_SERVER-PROTOS
 match protocol smtp extended

class-map type inspect match-all MAIL_SERVER-TRAFFIC
 match class-map MAIL_SERVER-PROTOS
 match access-group name TRAFFIC_FROM_EXT_EMAIL_SERVERS

policy-map type inspect INTERNET-TO-VLAN1
 class type inspect MAIL_SERVER-TRAFFIC
  inspect

That is part of a ZBFW (zone based firewall), which has nothing to do with anything you are talking about. It deep-packet inspects the SMTP protocol traffic for any known attacks to the mail server. You use the RFC1918 address.

It makes no difference how you filter your traffic---myself, since this is a very simple requirement, I would just

access-list 101 permit ip x.x.x.x y.y.y.y host 192.168.30.160
access-list 101 deny ip any host 192.168.30.160 log
access-list 101 permit blablabla

this inbound on int di0

The object group crap isn't necessary (overkill) in this scenario, and I can't remember if there is an implicit deny any any if nothing else is specified in the object group...

/


tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
 
burtsbees is right; for something simple like this I'd just use a simple IP list.
 
Thanks for your input. In the CBT Nuggets and Train Signal videos they suggest you use one or the other (ZBF or access lists on the interface) but not both.
On the other hand, in the Cisco ZBF Technical Discussion PDF they say you can use both, but the access list gets processed first... from memory.

I played around a bit and came up with the following, which seems to work. I went with the ZBF as it's what I am more familiar with.

Code:
ip nat inside source static tcp 192.168.30.160 25 interface Dialer0 25
!
object-group network EXT_EMAIL_SERVERS
 range 1.1.1.1 2.2.2.2
 range 3.3.3.3 4.4.4.4
!
ip access-list extended EXT_TO_EMAIL_SERVER
 permit tcp object-group EXT_EMAIL_SERVERS any eq smtp
!
class-map type inspect match-any MAIL_SERVER-1-PROTOS
 match protocol smtp extended
!
class-map type inspect match-all MAIL_SERVER-1-TRAFFIC
 match class-map MAIL_SERVER-1-PROTOS
 match access-group name EXT_TO_EMAIL_SERVER
!
policy-map type inspect INTERNET-TO-VLAN1
 class type inspect MAIL_SERVER-1-TRAFFIC
  inspect
 class class-default
  drop
!

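To see how that final config decides what reaches the server, here is an added Python model of its evaluation order (not from the thread or from Cisco): the object-group ranges, the ACL with its implicit deny, the match-all class-map, and the class-default drop. The connection attempts and the 203.0.113.7 / 1.2.3.4 / 3.3.3.5 addresses are constructed; the destination is the private address because, as the thread says, the ZBFW match is done on the RFC1918 address.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One inbound connection attempt as the firewall sees it (constructed)."""
    src: str    # connecting host
    dst: str    # destination after inbound NAT: the private server address
    proto: str  # transport protocol
    dport: int  # destination port
    app: str    # what IOS protocol inspection classified the flow as

# Mirrors "object-group network EXT_EMAIL_SERVERS" in the final config.
EXT_EMAIL_SERVERS = [("1.1.1.1", "2.2.2.2"), ("3.3.3.3", "4.4.4.4")]

def in_object_group(ip, ranges):
    """True if ip falls inside any 'range lo hi' entry of the object-group."""
    addr = ipaddress.ip_address(ip)
    return any(ipaddress.ip_address(lo) <= addr <= ipaddress.ip_address(hi)
               for lo, hi in ranges)

def acl_ext_to_email_server(pkt):
    """'permit tcp object-group EXT_EMAIL_SERVERS any eq smtp'; anything else
    falls through to the implicit deny at the end of every IOS ACL."""
    return (pkt.proto == "tcp" and pkt.dport == 25
            and in_object_group(pkt.src, EXT_EMAIL_SERVERS))

def class_mail_server_1_traffic(pkt):
    """match-all class: nested match-any class (protocol smtp) AND the ACL."""
    return pkt.app == "smtp" and acl_ext_to_email_server(pkt)

def policy_internet_to_vlan1(pkt):
    """Action taken by the policy-map: 'inspect' for the matched class,
    otherwise 'drop' from 'class class-default / drop'."""
    return "inspect" if class_mail_server_1_traffic(pkt) else "drop"

def evaluate(attempts):
    """Return {(src, dport): action} for a batch of attempts."""
    return {(p.src, p.dport): policy_internet_to_vlan1(p) for p in attempts}

# Constructed attempts: a relay inside the allowed range, a host outside it
# connecting to port 25 directly, and an allowed-range host on a non-SMTP port.
ATTEMPTS = [
    Packet("1.2.3.4", "192.168.30.160", "tcp", 25, "smtp"),
    Packet("203.0.113.7", "192.168.30.160", "tcp", 25, "smtp"),
    Packet("3.3.3.5", "192.168.30.160", "tcp", 443, "https"),
]
```

Only the relay inside the object-group range on port 25 is inspected; the direct connection and the off-port attempt fall to class-default and are dropped, which is the behaviour the poster wanted.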
 
Again, the ACL and NAT statically NAT the port and address to that of the server and bind it to the outside interface. ZBFW has NOTHING to do with static NAT!!!

Not sure what you mean by using both...only this line

ip nat inside source static tcp 192.168.30.160 25 interface Dialer0 25

causes anyone connecting to your outside IP address via port 25 (SMTP) to get passed on to your internal mail server at 192.168.30.160---RFC1918 addresses (private IP addresses, 192.168.0.0/16, 172.16.0.0/12 and 10.0.0.0/8) cannot be routed in Internet Land, so they need to be translated to a routable (PUBLIC, IANA registered IP address) address, which CAN be routed in Internet Land.

The Firewall plays absolutely NO part in this. It only examines the packets according to set parameters, i.e. what packets to inspect, what sigs your IOS is capable of inspecting---this is all done at the application layer (7) of the OSI. ACLs filter traffic for access control, routing (static, dynamic, PBR, etc.) and other things, like CAR, KRON, ToD ACL, etc. They CAN be used for NAT, telling the router what addresses to translate to the outside public IP address, but again---NOTHING to do with port-forwarding. Again, THIS LINE

ip nat inside source static tcp 192.168.30.160 25 interface Dialer0 25

is the ONLY thing that does the port-forwarding. Is this what you are confused on? A FW filters and inspects traffic to protect you from attackers.

 
Follow the red-brick road---it was yellow, but...
