Zone based firewall - strange problem

Unanswered Question
Dec 11th, 2009

Hi,
I'm having a hard time figuring out what could be the problem with my firewall config.
The symptom is simple: if the zone-based firewall config is applied to the interfaces, the client cannot "completely" connect to a POP3 server. By completely I mean it can see that there are mails on the server, but it times out when the client (OE) tries to fetch them.

(I have a guest zone called "berlo" too, but the problematic client sits in the inside zone's VLAN.)

Here is my relevant configuration:
class-map type inspect match-all class-pptp-passthrough
match access-group name PROT_GRE
class-map type inspect match-all class-smtp-block
match protocol smtp
class-map type inspect match-any class-inside-to-out
match protocol pptp
match protocol user-tcp-3389
match protocol user-tcp-18000
match protocol imap
match protocol imaps
match protocol pop3s
match protocol user-tcp-10120
match protocol user-tcp-510
match protocol user-udp-510
match protocol user-tcp-3050
match protocol dns
match protocol ntp
match protocol https
match protocol http
match protocol mysql
match protocol user-tcp-5050
match protocol pop3
class-map type inspect match-any class-out-to-inside
match protocol pptp
match protocol smtp
match protocol imap
match protocol https
match protocol ftp
match protocol user-tcp-41373
match protocol user-tcp-40373
match protocol pop3
class-map type inspect match-all class-berlo-to-inside
match protocol dns
class-map type inspect match-any class-router-to-out
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any class-out-to-router
match protocol isakmp
match protocol ipsec-msft
match access-group name PROT_ESP
class-map type inspect match-all class-smtp-mail-client
match protocol smtp
match access-group name allowed-smtp-servers
class-map type inspect match-all class-smtp-mail-server
match protocol smtp
match access-group 101
!
!
policy-map type inspect policy-berlo-to-outside
class type inspect class-smtp-block
  drop
class class-default
  pass
policy-map type inspect policy-router-to-outside
class type inspect class-router-to-out
  inspect
class class-default
  pass
policy-map type inspect policy-outside-to-router
class type inspect class-out-to-router
  pass
class class-default
  drop
policy-map type inspect policy-berlo-to-inside
class type inspect class-berlo-to-inside
  inspect
class class-default
  drop
policy-map type inspect policy-outside-to-inside
class type inspect class-out-to-inside
  inspect
class type inspect class-pptp-passthrough
  pass
class class-default
  drop log
policy-map type inspect policy-inside-to-outside
class type inspect class-smtp-mail-server
  inspect
class type inspect class-inside-to-out
  inspect
class type inspect class-pptp-passthrough
  pass
class type inspect class-smtp-mail-client
  inspect
class class-default
  drop log
!
zone security inside
zone security outside
zone security berlo
zone-pair security zp-outside-to-inside source outside destination inside
service-policy type inspect policy-outside-to-inside
zone-pair security zp-inside-to-outside source inside destination outside
service-policy type inspect policy-inside-to-outside
zone-pair security zp-router-to-outside source self destination outside
service-policy type inspect policy-router-to-outside
zone-pair security zp-outside-to-router source outside destination self
service-policy type inspect policy-outside-to-router
zone-pair security zp-berlo-to-outside source berlo destination outside
service-policy type inspect policy-berlo-to-outside
zone-pair security zp-berlo-to-inside source berlo destination inside
service-policy type inspect policy-berlo-to-inside
ip access-list extended PROT_ESP
permit esp any any
ip access-list extended PROT_GRE
permit gre any any
ip access-list extended allowed-smtp-servers
permit ip any host 212.40.69.34
permit ip any host 87.229.26.163
