I am facing a problem where outside users cannot access my webmail application (https://mail.xxx.com).
Facts:
1. The error message shown in the browser is "The server at mail.xxx.com is taking too long to respond."
2. From outside I can still ping the mail server's external IP.
3. From the internal LAN, access to the webmail service is OK.
My question: I just want to ensure whether the border router, newly running IOS ZBF, is causing any conflict between the external firewall and internal firewall design,
shown in the network topology.
So, traffic traversing from the Internet into the LAN / DMZ must go through the border router. Currently, the border router just implements the IOS zone-pair firewall, where the zone-pairs are shown below:
1. zone-pair security ccp-zp-in-out source in-zone destination out-zone
2. policy inspect on the class-map ccp-insp-traffic: match protocol http and match protocol https
3. The border router's routing will pass the traffic to reach the ASA FW as the threshold, either doing NAT to get into the private network or traversing between DMZ servers.
4. The mail server IP is 126.96.36.199 / 28, which is the same subnet as the ASA FW.
Did I miss anything? Should I build another policy for out-zone -> in-zone? Should the ACL permit any 188.8.131.52 0.0.0.16, allowing the protocols domain, 443, 80, smtp? (I tried but no go.)
Hints and ideas are needed to solve this mystery, thank you.
The edge router serial 2/1/0 is connecting to the border router.
Now I see there's a log at the border router:
003116: Aug 18 12:09:25.358 PCTime: %FW-6-DROP_PKT: Dropping Unknown-l4 session 202.1xx.xx.2:0 2xx.xx.x.160:0 on zone-pair ccp-zp-in-out class class-default due to DROP action found in policy-map with ip ident 0
What does this mean?
Anyway, thanks for helping solve the previous problem, thank you.
(1) Yes, we can either have an ACL to the specific host on port 80 or we can have it for the entire subnet. Both should have the same effect (only that in the 2nd case we will be opening up port 80 for an entire subnet).
(2) The log that you see is due to the packet being dropped by the ZBF config on the border router. The packet being dropped is sourced from the source IP to the destination IP you see in the log. Also, we see it is being dropped by the "class-default", which has a drop action.
If you think it's legitimate traffic, then you might want to allow it on the zone-pair for in-zone to out-zone.
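As an added example (not part of this thread), a small Python parser for the %FW-6-DROP_PKT line format quoted above, which counts drops per zone-pair and class so that a class-default drop on a port you intended to publish stands out. The log lines below are constructed with RFC 5737 documentation addresses; only the zone-pair names ccp-zp-in-out and zp-out-to-in are taken from the thread.

```python
"""Parse Cisco IOS zone-based firewall %FW-6-DROP_PKT syslog lines and
summarise drops per zone-pair / class so misconfigured zone-pairs stand out."""
import re
from collections import Counter

# Constructed sample lines in the format quoted in the thread
# (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = """\
003116: Aug 18 12:09:25.358 PCTime: %FW-6-DROP_PKT: Dropping Unknown-l4 session 198.51.100.2:0 192.0.2.160:0 on zone-pair ccp-zp-in-out class class-default due to DROP action found in policy-map with ip ident 0
003117: Aug 18 12:09:26.001 PCTime: %FW-6-DROP_PKT: Dropping tcp session 198.51.100.7:51234 192.0.2.163:443 on zone-pair zp-out-to-in class class-default due to DROP action found in policy-map with ip ident 0
003118: Aug 18 12:09:27.412 PCTime: %FW-6-DROP_PKT: Dropping tcp session 198.51.100.7:51235 192.0.2.163:443 on zone-pair zp-out-to-in class class-default due to DROP action found in policy-map with ip ident 0
003119: Aug 18 12:09:28.900 PCTime: %LINK-3-UPDOWN: Interface Serial2/1/0, changed state to up
"""

DROP_RE = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<proto>\S+) session "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"on zone-pair (?P<zone_pair>\S+) class (?P<cls>\S+) "
    r"due to (?P<action>\S+) action"
)

def parse_drop(line):
    """Return a dict of the drop's fields, or None if the line is not a ZBF drop."""
    m = DROP_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["sport"] = int(d["sport"])
    d["dport"] = int(d["dport"])
    return d

def summarise_drops(log_text):
    """Count drops per (zone-pair, class, protocol, destination port).
    Repeated class-default drops for a port you meant to publish (e.g. 443)
    mean no inspect class on that zone-pair matched the traffic."""
    counts = Counter()
    for line in log_text.splitlines():
        d = parse_drop(line)
        if d:
            counts[(d["zone_pair"], d["cls"], d["proto"], d["dport"])] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarise_drops(SAMPLE_LOG).most_common():
        print(n, key)
```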
Hi sir, it's another round of follow-up questions, again on this IOS ZBF problem.
After I put in the policy for out -> in zone, my webmail service works. But after reloading the router, the private subnet (which is in-zone) cannot get online.
As a last effort I had to take the zone-member security away from the interface, and then everything seems fine again.
The class-map, policy-map and zone-pair configuration goes like this:

    class-map type inspect match-any outzone-inzone
     match protocol http
     match protocol https
     match access-group 110
    !
    class-map type inspect match-any ccp-cls-insp-traffic
     match protocol http
     match protocol https
     match protocol dns
     match protocol icmp
    !
    policy-map type inspect ccp-inspect
     class type inspect ccp-cls-insp-traffic
      inspect
     class class-default
      drop
    !
    policy-map type inspect out-in
     class type inspect outzone-inzone
      inspect
     class class-default
      drop
    !
    zone security out-zone
    zone security in-zone
    zone-pair security zp-out-to-in source out-zone destination in-zone
     service-policy type inspect out-in
    zone-pair security zp-in-to-out source in-zone destination out-zone
     service-policy type inspect ccp-inspect
    !
    access-list 110 permit tcp any host 184.108.40.206 eq www
    access-list 110 permit tcp any host 220.127.116.11 eq 443