Cannot receive incoming mail from external mail server

Aug 23rd, 2010

Hi,

After I created the zone-pair policy for outzone -> inzone, I am facing the problem that users in the private zone cannot receive incoming mail from the external mail server.

I used nslookup to check the IP of the external mail server, pop.singxxx.com: 16x.2x.10x.21x

For my zone-pair inzone -> outzone, my policy only inspects protocols like http, https and dns, and the ACL is permit ip any any.

What should I do on the outzone -> inzone zone-based policy? Can I use an ACL to permit tcp any host 16x.2x.10x.21x eq 110?

Any idea? Thanks

Noel

Jitendriya Athavale Mon, 08/23/2010 - 18:31
Cisco Employee

Please give us a brief topology diagram.

Is this what you have?

(mail server)-----------zbf router----------- internet

Real IP of 16x.2x.10x.21x

yong khang NG Mon, 08/23/2010 - 19:42
Hi,

The topology is like:

private zone user ---> zfw router --> internet --> external mail server (pop.singxxx.com, IP is 16x.2x.10x.21x)

The private zone users are using MS Outlook as the client software.

Currently the config for the zone firewall looks like this:

!
class-map type inspect match-any private-public-traffic
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp
!
class-map type inspect match-any outzone-inzone
 match protocol http
 match protocol https
 match access-group 110
!
policy-map type inspect out-to-in
 class type inspect outzone-inzone
  inspect
 class class-default
  drop
!
policy-map type inspect in-to-out
 class type inspect private-public-traffic
  inspect
 class class-default
  drop
!
zone security in-zone
zone-pair security zp-in-to-out source in-zone destination out-zone
 service-policy type inspect in-to-out
zone-pair security zp-out-to-in source out-zone destination in-zone
 service-policy type inspect out-to-in
!
access-list 110 permit tcp any any eq smtp
access-list 110 permit tcp any any eq pop3
access-list 110 permit tcp host 16x.2x.10x.21x any eq pop3
access-list 110 permit tcp host 16x.2x.10x.21x any eq smtp


(Interface f0/0 is out-zone, the interface from the ZFW router toward the Internet, while interface f0/1 is for the private zone users.)

Thanks

Kureli Sankar Mon, 08/23/2010 - 19:45
Cisco Employee

You are saying that hosts on the inside are not able to use Outlook or Outlook Express and receive e-mails via POP from the ISP. Is this correct?

Add "ip inspect log drop", then try to receive e-mail from the host on the inside or private zone and watch what the logs say.

sh log | i x.x.x.x

where x.x.x.x is the IP address of the inside host.

If you have IN to OUT zone matching ip any any, then there is no need to allow tcp 110 from out to in. The response should be automatically allowed provided the flow is initiated from the inside.

-KS
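The stateful behaviour described in this answer, as an added Python model that is not part of the thread or of IOS itself. It uses the zone-pair names from the posted config, RFC 5737 documentation addresses in place of the masked client and pop.singxxx.com addresses, and a simplified port-to-protocol mapping; the session-table and log formats are assumptions, not IOS internals. It shows that once the client's outbound POP3 flow is inspected, the server's reply passes on the session table with no out-to-in rule at all, and that with the posted in-to-out class (http/https/dns/icmp only) the POP3 SYN already falls into class-default and is dropped, so the reply never has a session to match.

```python
"""Toy model of stateful inspection in a Cisco IOS zone-based firewall.

Added example, not part of the original thread. It reproduces the poster's
two zone-pairs to show (a) why the POP3 reply from the external server needs
no out-to-in rule once the client's outbound flow is inspected, and (b) why
the posted in-to-out class (http/https/dns/icmp only) sends POP3 to
class-default, which drops it. Port-to-protocol names, session keys and the
log text are simplified assumptions, not IOS internals.
"""
from dataclasses import dataclass, field

# Destination port -> 'match protocol' name (constructed, covers the thread)
PORTS = {80: "http", 443: "https", 53: "dns", 25: "smtp", 110: "pop3", 143: "imap"}


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class ZoneFirewall:
    # (source zone, destination zone) -> protocols the class inspects;
    # anything else falls into class-default and is dropped.
    policies: dict
    sessions: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def forward(self, pkt: Packet) -> str:
        # 1. Return traffic of an inspected session is matched first and
        #    passes regardless of the policy on the reverse zone-pair.
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if reverse in self.sessions:
            return "pass (session table)"
        # 2. New flow: evaluate the zone-pair policy.
        pair = (pkt.src_zone, pkt.dst_zone)
        proto = PORTS.get(pkt.dst_port, f"tcp/{pkt.dst_port}")
        if proto in self.policies.get(pair, ()):
            self.sessions.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return "inspect"
        # Stands in for what 'ip inspect log drop' surfaces in 'show logging'
        self.log.append(
            f"drop {proto} {pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip}:{pkt.dst_port} "
            f"zone-pair {pair[0]}->{pair[1]} class class-default"
        )
        return "drop"


# Policies as posted in the thread (in-to-out has no mail protocols) and a
# variant that adds pop3/smtp to the in-to-out class. The out-to-in class
# is left as posted in both cases.
POSTED_POLICY = {
    ("in-zone", "out-zone"): ["http", "https", "dns", "icmp"],
    ("out-zone", "in-zone"): ["http", "https"],
}
FIXED_POLICY = {
    ("in-zone", "out-zone"): ["http", "https", "dns", "icmp", "pop3", "smtp"],
    ("out-zone", "in-zone"): ["http", "https"],
}

# Constructed addresses (RFC 5737 documentation ranges) standing in for the
# masked client and pop.singxxx.com addresses in the thread.
CLIENT_IP, SERVER_IP = "192.0.2.10", "198.51.100.21"


def pop3_exchange(policy):
    """Client SYN to POP3, then the server's SYN/ACK back. Returns the
    verdict for each direction plus the drop log."""
    fw = ZoneFirewall(policy)
    client = Packet("in-zone", "out-zone", CLIENT_IP, 51000, SERVER_IP, 110)
    reply = Packet("out-zone", "in-zone", SERVER_IP, 110, CLIENT_IP, 51000)
    return fw.forward(client), fw.forward(reply), fw.log


def unsolicited_inbound(policy):
    """An Internet host opening POP3 *to* an inside host with no prior
    session: stateful return handling must not let this through."""
    fw = ZoneFirewall(policy)
    return fw.forward(Packet("out-zone", "in-zone", SERVER_IP, 4000, CLIENT_IP, 110))


if __name__ == "__main__":
    for name, pol in (("posted", POSTED_POLICY), ("with pop3/smtp", FIXED_POLICY)):
        out, back, log = pop3_exchange(pol)
        print(f"{name}: client->server {out}; server->client {back}")
        for line in log:
            print("   ", line)
    print("unsolicited inbound pop3:", unsolicited_inbound(FIXED_POLICY))
```

The model separates the two questions in the thread: the reply path is handled by the session table, so the out-to-in policy (and its access-list 110) plays no part in receiving mail, while the outbound class decides whether the session is ever created. An unsolicited connection from the Internet to an inside host still hits the out-to-in policy and is dropped, which is why relying on inspection rather than an inbound permit does not open the inside zone.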

yong khang NG Mon, 08/23/2010 - 20:23
Hi sir, thanks for the reply,

I can only carry out the test after hours; it is production time now.

For the statement

"If you have IN to OUT zone matching ip any any then there is no need to allow tcp 110 from out to in. The response should be automatically allowed provided the flow is initiated from the inside." <-- are you referring to the stateful inspection feature, where, when the traffic is found in the session flow table, it allows the traffic back on the return path?

As normal practice, what do users do for private zone --> DMZ or outside zone? Use an ACL to limit access, or simply any any to let it go?

Thanks
