08-23-2010 05:50 PM - edited 03-11-2019 11:29 AM
Hi,
After I created the zone-pair policy for outzone -> inzone, I am facing the problem that users in the private zone cannot receive incoming mail from the external mail server.
I used nslookup and checked the IP of the external mail server: pop.singxxx.com, 16x.2x.10x.21x.
For my zone-pair inzone -> outzone, my policy only inspects protocols like http, https, dns, and the ACL is permit ip any any.
What should I do on the outzone -> inzone zone-based policy? Can I use an ACL to permit tcp any host 16x.2x.10x.21x eq 110?
Any ideas? Thanks.
Noel
08-23-2010 06:31 PM
Please give us a brief topology diagram.
Is this what you have?
(mail server)-----------zbf router----------- internet
real ip of 16x.2x.10x.21x
08-23-2010 07:42 PM
Hi,
The topology is like this:
private zone user ---> ZFW router --> internet --> external mail server (pop.singxxx.com, IP is 16x.2x.10x.21x)
The private zone users are using MS Outlook as the client software.
Currently the config for the zone firewall looks like this:
!
class-map type inspect match-any private-public-traffic
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp
!
class-map type inspect match-any outzone-inzone
 match protocol http
 match protocol https
 match access-group 110
!
policy-map type inspect out-to-in
 class type inspect outzone-inzone
  inspect
 class class-default
  drop
!
policy-map type inspect in-to-out
 class type inspect private-public-traffic
  inspect
 class class-default
  drop
!
zone security in-zone
zone-pair security zp-in-to-out source in-zone destination out-zone
 service-policy type inspect in-to-out
zone-pair security zp-out-to-in source out-zone destination in-zone
 service-policy type inspect out-to-in
!
access-list 110 permit tcp any any eq smtp
access-list 110 permit tcp any any eq pop3
access-list 110 permit tcp host 16x.2x.10x.21x any eq pop3
access-list 110 permit tcp host 16x.2x.10x.21x any eq smtp
(Interface f0/0 is out-zone, the interface from the ZFW router toward the internet, while interface f0/1 is for the private zone users.)
Thanks
08-23-2010 07:45 PM
You are saying that hosts on the inside are not able to use Outlook or Outlook Express and receive e-mails via POP from the ISP. Is this correct?
Add "ip inspect log drop", then try to receive e-mail from the host on the inside or private zone and watch what the logs say:
sh log | i x.x.x.x
where x.x.x.x is the IP address of the inside host.
If you have IN to OUT zone matching ip any any, then there is no need to allow tcp 110 from out to in. The response should be automatically allowed, provided the flow is initiated from the inside.
-KS
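Worked configuration, added here as an editor's example and not posted by anyone in the thread. It applies the point above: because Outlook opens the POP3/SMTP connection from the inside, the in-to-out policy is where those protocols must be inspected; ZBF then creates a session entry and lets the server's replies back through zp-out-to-in without any inbound permit for port 110. The out-to-in policy therefore drops everything, and drops are logged so a failing flow shows up in syslog. Interface names f0/0 (out-zone) and f0/1 (in-zone) are taken from the thread; adding `imap` alongside `pop3` and `smtp` is an assumption for clients that fetch mail over IMAP instead of POP.

```cisco
! Editor's example ZBF config, not the original poster's running config.
! Zones and interface membership (interface roles as described in the thread)
zone security in-zone
zone security out-zone
!
interface FastEthernet0/1
 description private zone users
 zone-member security in-zone
!
interface FastEthernet0/0
 description toward the Internet
 zone-member security out-zone
!
! Inside-initiated traffic: name the mail protocols explicitly so a session
! is created in the state table and the server's replies are allowed back.
! imap is an assumption (only pop3/smtp are mentioned in the thread).
class-map type inspect match-any private-public-traffic
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp
 match protocol pop3
 match protocol smtp
 match protocol imap
!
policy-map type inspect in-to-out
 class type inspect private-public-traffic
  inspect
 class class-default
  drop log
!
! Outside-initiated traffic: the mail server never initiates toward the
! clients, so no pop3/smtp hole is opened here; everything unsolicited is dropped.
policy-map type inspect out-to-in
 class class-default
  drop log
!
zone-pair security zp-in-to-out source in-zone destination out-zone
 service-policy type inspect in-to-out
zone-pair security zp-out-to-in source out-zone destination in-zone
 service-policy type inspect out-to-in
!
! Log packets dropped by inspection so the failing flow appears in "show logging"
ip inspect log drop-pkt
```

To confirm the mail session is being tracked after a client polls its mailbox, run `show policy-map type inspect zone-pair zp-in-to-out sessions` and look for an entry from the client to 16x.2x.10x.21x:110; if instead a drop for that client appears in `show logging`, the client's protocol is not in the in-to-out class-map. Note that an inbound permit such as `permit tcp any host 16x.2x.10x.21x eq 110` would not match the reply packets anyway, since on zp-out-to-in the mail server is the source and 110 is the source port.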
08-23-2010 08:23 PM
Hi sir, thanks for the reply.
I can only carry out the test after hours; it is production time now.
For the statement
"If you have IN to OUT zone matching ip any any then there is no need to allow tcp 110 from out to in. The response should be automatically allowed provided the flow is initiated from the inside." <-- is this what you are trying to say: the stateful inspection feature, where if the traffic is found in the session flow table, it then allows the traffic back along the return path?
As normal practice, what do users do for the private zone --> DMZ or outside zone? Use an ACL to limit access, or simply any any to let it go?
Thanks