Pop email access no longer working after access list change/CCA Firewall

Answered Question
Feb 10th, 2009

After deleting "unrecognized firewall" by CCA and adding telnet access to my access list for my WAN port, my pop email client is being shut down by the router.

How do I fix this?


Thanks.



!
interface FastEthernet0/0
description $FW_OUTSIDE$
ip address 24.119.219.2 255.255.255.192
ip access-group 104 in
ip verify unicast reverse-path
ip nat outside
ip inspect SDM_MEDIUM out
ip virtual-reassembly
duplex auto
speed auto
service-policy input sdmappfwp2p_SDM_MEDIUM
service-policy output sdmappfwp2p_SDM_MEDIUM
end


Extended IP access list 104
    5 permit tcp any any eq telnet (135 matches)
    10 deny ip 10.1.10.0 0.0.0.3 any
    20 deny ip 10.1.1.0 0.0.0.255 any
    30 deny ip 192.168.10.0 0.0.0.255 any
    40 permit udp host 24.116.2.50 eq domain any (7245 matches)
    50 permit udp host 24.116.2.34 eq domain any (3192 matches)
    60 permit icmp any host 24.119.219.2 echo-reply
    70 permit icmp any host 24.119.219.2 time-exceeded
    80 permit icmp any host 24.119.219.2 unreachable
    90 deny ip 10.0.0.0 0.255.255.255 any (24 matches)
    100 deny ip 172.16.0.0 0.15.255.255 any
    110 deny ip 192.168.0.0 0.0.255.255 any
    120 deny ip 127.0.0.0 0.255.255.255 any
    130 deny ip host 255.255.255.255 any
    140 deny ip host 0.0.0.0 any
    150 deny ip any any log (36 matches)

Correct Answer by jasonneumann about 8 years 5 months ago

Hello,


The rules you're referencing are CBAC firewall rules (Context Based Access Control). One is for POP3 and the other is used for IMAP mail servers. They are stateful inspection rules that work at the application layer of the OSI reference model. Essentially, the Cisco CBAC firewall is not only capable of allowing TCP applications out through the firewall and then back in again for something like a pop3 session, but it is also capable of monitoring the code/commands issued by those protocols by inspecting the contents of the packets. This can be used to prevent a custom program from issuing illegal commands to a server in an attempt to crash it (usually via a buffer overflow). It's unlikely that these rules are causing you grief but I suppose it's possible.


I would try removing the rule: "ip inspect name SDM_MEDIUM pop3 reset" as it could be resetting your connection for some reason. You can always reinstate the rule in the same manner minus the "no" modifier.


    Router> enable
    Router# config t
    Router(config)# no ip inspect name SDM_MEDIUM pop3 reset



You can test a pop3 connection from the command prompt (the C:\> prompt in Windows) by using the telnet application to connect to the pop3 port (110) of your ISP's mail server. It's a low level way of determining if you're getting out through the firewall successfully. Replace the bogus address "mail.yourisp.com" with the real address of your ISP's pop3 server. Also, you may wish to temporarily disable any firewall on your Windows workstation. Norton Internet Security has caused me endless grief when it comes to pop3 connections.




## Telnet to POP3 Port Example (successful)

    jason-neumanns-macbook:~ jneumann$ telnet mail.yourisp.com 110
    Trying 201.165.140.10...
    Connected to v-msgmmp.yourisp.com.
    Escape character is '^]'.
    +OK Messaging Multiplexor (Sun Java(tm) System Messaging Server 6.2-3.03 (built Jun 27 2005))
    quit
    +OK goodbye
    Connection closed by foreign host.





Jason C. Neumann

Author: Cisco Routers for the Small Business
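A scripted form of the telnet check above, added here as an example and not part of the thread: it opens port 110, requires a `+OK` greeting, sends `QUIT`, and reports the three outcomes a client can see separately, because a silent drop in the path (timeout), an active reset (refused) and a server that answers something other than `+OK` point at different causes. The local fake server it starts is constructed so the script can run offline; `mail.yourisp.com` is the thread's own placeholder name.

```python
import socket
import sys
import threading
from typing import Tuple


def pop3_banner_check(host: str, port: int = 110, timeout: float = 5.0) -> Tuple[bool, str]:
    """Open a TCP session to a POP3 server, read the greeting and send QUIT.

    Returns (True, greeting) when the server answered '+OK', otherwise
    (False, reason). A timeout means nothing came back (typical of a
    firewall dropping the SYN or the reply), a refusal means an RST came
    back, and a non-'+OK' greeting means the TCP path is fine but the
    service is not.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            f = s.makefile("rwb")
            greeting = f.readline().decode("ascii", "replace").rstrip("\r\n")
            if not greeting.startswith("+OK"):
                return False, f"unexpected greeting: {greeting!r}"
            f.write(b"QUIT\r\n")
            f.flush()
            f.readline()  # server's '+OK goodbye'; not needed for the verdict
            return True, greeting
    except socket.timeout:
        return False, "timed out: no SYN-ACK or no banner, traffic likely dropped in transit"
    except ConnectionRefusedError:
        return False, "connection refused: port closed or actively reset"
    except OSError as exc:
        return False, f"socket error: {exc}"


def start_fake_pop3(greeting: bytes = b"+OK constructed test server ready\r\n") -> Tuple[str, int, threading.Thread]:
    """Single-connection POP3 responder on 127.0.0.1 so the check can run offline.

    Constructed for this example only: it serves one client, answers QUIT
    with '+OK goodbye' and exits. Returns (host, port, thread).
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve() -> None:
        conn, _ = srv.accept()
        with conn, conn.makefile("rwb") as cf:
            cf.write(greeting)
            cf.flush()
            if cf.readline().strip().upper() == b"QUIT":
                cf.write(b"+OK goodbye\r\n")
                cf.flush()
        srv.close()

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    return "127.0.0.1", srv.getsockname()[1], t


if __name__ == "__main__":
    # Usage: python pop3check.py mail.yourisp.com   (placeholder name from the thread)
    if len(sys.argv) > 1:
        target = (sys.argv[1], 110)
    else:
        host, port, _ = start_fake_pop3()   # offline demonstration against the fake server
        target = (host, port)
    ok, detail = pop3_banner_check(*target)
    print("OK" if ok else "FAIL", detail)
```

Run against a real server the verdict line is the same information the telnet session gives, with the failure mode named; a timeout from behind the router with `ip access-group 104 in` on Fa0/0 is the signature of return traffic being dropped by the access list rather than by the mail server.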

mcastrigno Tue, 02/10/2009 - 17:37

Jason,


Actually I do not have a mail server - I am just trying to use a pop client to access outside mail servers.


I made the configuration changes you suggested with no luck.


I think it has something to do with accessing the Firewall feature in CCA - this added a bunch of stuff to my configuration that I see when I do show run:


what do these do:

ip inspect name SDM_MEDIUM imap reset
ip inspect name SDM_MEDIUM pop3 reset



!
ip name-server 24.116.2.34
ip name-server 24.116.2.50
ip inspect log drop-pkt
ip inspect name SDM_MEDIUM appfw SDM_MEDIUM
ip inspect name SDM_MEDIUM cuseeme
ip inspect name SDM_MEDIUM dns
ip inspect name SDM_MEDIUM ftp
ip inspect name SDM_MEDIUM h323
ip inspect name SDM_MEDIUM https
ip inspect name SDM_MEDIUM icmp
ip inspect name SDM_MEDIUM imap reset
ip inspect name SDM_MEDIUM pop3 reset
ip inspect name SDM_MEDIUM netshow
ip inspect name SDM_MEDIUM rcmd
ip inspect name SDM_MEDIUM realaudio
ip inspect name SDM_MEDIUM rtsp
ip inspect name SDM_MEDIUM esmtp
ip inspect name SDM_MEDIUM sqlnet
ip inspect name SDM_MEDIUM streamworks
ip inspect name SDM_MEDIUM tftp
ip inspect name SDM_MEDIUM tcp
ip inspect name SDM_MEDIUM udp
ip inspect name SDM_MEDIUM vdolive
!

mcastrigno Tue, 02/10/2009 - 18:25

Re-entering CCA and deleting the firewall that it complained about (which is the one it set up) brought back my email access.


This leads me to conclude that there is an incompatibility with CCA and using the CLI. Do not attempt to use the firewall feature in CCA if you ever also want to use the CLI to change access lists.


mcastrigno Tue, 02/10/2009 - 19:00

Thanks Jason for your excellent description of these advanced features of the firewall.


As I mentioned I simply started CCA again and when I went to open the firewall tab it complained that the firewall had been modified outside CCA and my only options were to cancel or delete the firewall. This removed the above mentioned entries in my configuration and my email access was restored. Exactly which item was causing the problem I guess I will never know. I am trying very hard to use the CCA but I always seem to have to come back to the CLI.


The diagnostic instructions you made seem very useful and I will definitely use them if I have trouble again.


Thanks.

jasonneumann Tue, 02/10/2009 - 15:21

Greetings,


I'm a command line interface (CLI) kind of guy, so my instructions involve using telnet to access the IOS.


I am going to assume that you were able to pop mail from the Internet to a corporate email server residing inside your network? If that's the case then there are two IOS configurations that need to be changed; the first change is to your extended access list number 104 which has been applied to incoming traffic on your Internet facing WAN interface (Fa0/0). You need to add a rule to allow the post office protocol (pop3) that uses port number 110. This rule permits the pop3 traffic from the Internet to your network. In this example you're adding a sequence number 35 that allows pop3.


    Router> enable
    Router# config t
    Router(config)# ip access-list extended 104
    Router(config-ext-nacl)# 35 permit tcp any any eq 110
    Router(config-ext-nacl)# exit



Next, you need to configure NAT to forward pop3 requests to the email server residing on your private network. Assuming your email server resides at the inside address 192.168.10.2, you would use the following command:


    Router(config)# ip nat inside source static tcp 192.168.10.2 110 interface FastEthernet0/0 110




I hope this helps.



Jason C. Neumann

Author: Cisco Routers for the Small Business
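To see which entry of access list 104 (as posted in the question) a given inbound packet hits, and what the sequence-35 insertion described in this reply changes, here is a small first-match evaluator written for this page; it is not the thread's or Cisco's code, and it implements IOS wildcard masks and the `eq` port operator only as far as ACL 104 uses them. The sample packets are constructed: 198.51.100.7 and 203.0.113.9 are documentation addresses, the other addresses appear in the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Extended access list 104 exactly as posted in the question, match counters removed.
ACL_104 = """
5 permit tcp any any eq telnet
10 deny ip 10.1.10.0 0.0.0.3 any
20 deny ip 10.1.1.0 0.0.0.255 any
30 deny ip 192.168.10.0 0.0.0.255 any
40 permit udp host 24.116.2.50 eq domain any
50 permit udp host 24.116.2.34 eq domain any
60 permit icmp any host 24.119.219.2 echo-reply
70 permit icmp any host 24.119.219.2 time-exceeded
80 permit icmp any host 24.119.219.2 unreachable
90 deny ip 10.0.0.0 0.255.255.255 any
100 deny ip 172.16.0.0 0.15.255.255 any
110 deny ip 192.168.0.0 0.0.255.255 any
120 deny ip 127.0.0.0 0.255.255.255 any
130 deny ip host 255.255.255.255 any
140 deny ip host 0.0.0.0 any
150 deny ip any any log
"""
PORT_NAMES = {"telnet": 23, "domain": 53, "pop3": 110}  # IOS port keywords used here
ANY = 0xFFFFFFFF                                         # wildcard that matches everything

def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))

@dataclass(frozen=True)
class Entry:
    seq: int
    action: str            # "permit" | "deny"
    proto: str             # "ip" matches every protocol
    src: int
    src_wild: int          # IOS wildcard mask: a 1 bit means "don't care"
    sport: Optional[int]
    dst: int
    dst_wild: int
    dport: Optional[int]
    icmp_type: Optional[str]
    log: bool

@dataclass(frozen=True)
class Packet:              # constructed packet as seen by the ACL inbound on Fa0/0
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: str = ""

def _addr(t: List[str], i: int) -> Tuple[int, int, int]:
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' at t[i]; return addr, wild, next index."""
    if t[i] == "any":
        return 0, ANY, i + 1
    if t[i] == "host":
        return _ip(t[i + 1]), 0, i + 2
    return _ip(t[i]), _ip(t[i + 1]), i + 2

def _port(t: List[str], i: int) -> Tuple[Optional[int], int]:
    """Parse an optional 'eq PORT' at t[i]; the port may be a keyword or a number."""
    if i < len(t) and t[i] == "eq":
        p = t[i + 1]
        return (int(p) if p.isdigit() else PORT_NAMES[p]), i + 2
    return None, i

def parse_entry(line: str) -> Entry:
    t = line.split()
    seq, action, proto = int(t[0]), t[1], t[2]
    src, sw, i = _addr(t, 3)
    sport, i = _port(t, i)
    dst, dw, i = _addr(t, i)
    dport, i = _port(t, i)
    tail = t[i:]                                  # e.g. ['echo-reply'] or ['log']
    extra = [x for x in tail if x != "log"]
    return Entry(seq, action, proto, src, sw, sport, dst, dw, dport,
                 extra[0] if extra else None, "log" in tail)

def parse_acl(text: str) -> List[Entry]:
    return sorted((parse_entry(l) for l in text.strip().splitlines()), key=lambda e: e.seq)

def insert_entry(acl: List[Entry], line: str) -> List[Entry]:
    """'35 permit tcp any any eq 110' lands between 30 and 40, as IOS sequence numbers do."""
    return sorted(acl + [parse_entry(line)], key=lambda e: e.seq)

def _in_range(addr: str, base: int, wild: int) -> bool:
    return (_ip(addr) & ~wild & ANY) == (base & ~wild & ANY)

def _matches(e: Entry, p: Packet) -> bool:
    return (e.proto in ("ip", p.proto)
            and _in_range(p.src, e.src, e.src_wild)
            and _in_range(p.dst, e.dst, e.dst_wild)
            and (e.sport is None or e.sport == p.sport)
            and (e.dport is None or e.dport == p.dport)
            and (e.icmp_type is None or e.icmp_type == p.icmp_type))

def evaluate(acl: List[Entry], p: Packet) -> Tuple[str, Optional[int]]:
    """First match wins; falling off the end is the implicit deny (seq None)."""
    for e in acl:
        if _matches(e, p):
            return e.action, e.seq
    return "deny", None

if __name__ == "__main__":
    acl = parse_acl(ACL_104)
    wan = "24.119.219.2"
    samples = {
        "telnet from Internet":   Packet("tcp", "198.51.100.7", wan, 40000, 23),
        "POP3 server reply":      Packet("tcp", "201.165.140.10", wan, 110, 50000),
        "DNS reply from ISP":     Packet("udp", "24.116.2.50", wan, 53, 51000),
        "telnet, RFC1918 source": Packet("tcp", "10.5.5.5", wan, 40000, 23),
        "echo-reply to WAN IP":   Packet("icmp", "203.0.113.9", wan, icmp_type="echo-reply"),
    }
    for name, pkt in samples.items():
        print(f"{name:24s} -> {evaluate(acl, pkt)}")
    acl35 = insert_entry(acl, "35 permit tcp any any eq 110")
    print("seq 35: inbound to 110   ->", evaluate(acl35, Packet("tcp", "198.51.100.7", wan, 40000, 110)))
    print("seq 35: POP3 server reply->", evaluate(acl35, samples["POP3 server reply"]))
```

Run stand-alone it shows two things worth knowing when reading this thread. A POP3 server's reply (source port 110, arbitrary destination port) matches nothing before entry 150 and is logged and dropped, so a client behind this router only works while the outbound CBAC inspection (`ip inspect SDM_MEDIUM out` on Fa0/0) holds a dynamic opening for the session; entry 35 matches connections *to* port 110 and does not change that verdict. Entry 5 also sits ahead of the anti-spoofing denies at 90 to 140, so a telnet packet carrying an RFC 1918 source address passes the list, leaving `ip verify unicast reverse-path` on the interface as the remaining check against it.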
