Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
New Member

Zone Based Firewall - how to deny

Hi Guys,

OK so I want to permit only my email servers to send out  SMTP and deny SMTP for anything else, but I want everything else to go  out over IP.  I'm kind of confused where the deny shoudl take place.


ip access- ext SMTP_SERVERS_OUT
   permit object-group SMTP_SERVERS_OUT any
    deny object HQ-LAN any                               <<<<---------Will  this deny everything else sending SMTP or just stop it being matched in  the policy map

class-map type inspect match-all CM-SMTP_SERVERS_OUT
    Match access-group name SMTP_SERVERS_OUT
    Match protocol smtp

policy-map type inspect OUTBOUND-TRAFFIC
  class-map type inspect CM-SMTP_SERVERS_OUT
     inspect
  class-map type inspect class-default
     inspect

Or  do I have to create a additional class map to match everything else on  smtp then drop that in the policy map??

THanks in advance,

Neil

4 REPLIES
Cisco Employee

Re: Zone Based Firewall - how to deny

You don't need the "deny object HQ-LAN any".

I think it is better if you create a new class that matches on all port 25 traffic and make the action be drop, and put it UNDER the "class-map type inspect CM-SMTP_SERVERS_OUT" that inspects legit email traffic.

Does it makes sense?

I hope it helps.

PK

New Member

Re: Zone Based Firewall - how to deny

Hi PK,

THanks for the reply.

It does make sense but I'm not sure it works like that, or at least that's what I'm trying to establish.

From what I can see, it doesn't work "top down" like an ACL would.  So the deny all on port 25 would also match the SMTP servers so even though they're explicitly permitted what's to stop them matching the deny.  With the class-maps there's no sequence numbers so it's like you can slot in a different class above another without deleteing and recreating the policy.

I really don't see how ZFW makes it easier, it's done nothing but confuse me!!

Thanks,

Neil

Purple

Re: Zone Based Firewall - how to deny

I suppose your email servers are in a dmz? if so then you can try this:

class-map type inspect CLASS_MAIL

match protocol smtp

class-map type inspect CLASS_INTERNET

match not class-map CLASS_MAIL

policy-map type inspect POLICY_MAIL

class CLASS_MAIL

no drop

inspect

class class-default

drop

policy-map type inspect POLICY_INTERNET

class CLASS_INTERNET

no drop

inspect

exit

zone sec MAILSERVERS

description my mailservers

zone sec LAN

desc my lan

zone sec OUTSIDE

description wan

int x/x

zone-member  sec MAILSERVERS

int x/y

zone-member sec LAN

int x/z

zone-member sec OUTSIDE

exit

zone-pair security DMZ_OUT source MAILSERVERS destination OUTSIDE

service-policy type inspect POLICY_MAIL

zone-pair security LAN_OUT source LAN destination OUTSIDE

service-policy type inspect POLICY_INTERNET

exit

Don't forget to rate helpful posts.
New Member

Re: Zone Based Firewall - how to deny

Hi,

Thanks for the reply.

However i not have a DMZ and I don't have a "match not....." option.  I didn't know there was such an option.

THanks,

Neil

318
Views
0
Helpful
4
Replies
CreatePlease to create content