Velocity Reviews - Computer Hardware Reviews

Velocity Reviews > Newsgroups > Computing > Cisco > E-Mail Woes to Mailsweeper on PIX DMZ

E-Mail Woes to Mailsweeper on PIX DMZ

 
 
Darren Green
      10-13-2006
I have an ASA (PIX 7.X) with a Mailsweeper on my DMZ port.

I have a public IP for the above, statically translated (DMZ,Outside) public
IP, real IP mask etc.

My access-list permits SMTP in from the Internet to the public IP and I am
seeing lots of hits.

When I look at the logging on ASDM I notice a lot of FIN packets. The
session connects and then 2 x seconds later (or less) tears down. The number
of bytes transferred = 0 each time. So far I have not received any e-mail
but it seems there are lots of attempts.

I hadn't enabled DNS requests from this server via my DMZ inbound
access-list, which I have rectified, but still nothing.
My immediate thought was reverse DNS, i.e. the Mailsweeper was trying to
validate the request coming in to it, but I am not sure if I am clutching at
straws.

The domain name is managed by a 3rd party company, not the ISP where the
server is located. I am thinking that I need to inform the ISP to add a
reverse lookup to their DNS to make this all work.

I cannot think what else this could be and will Google for more answers. For
now, would anyone have an idea?

I have ESMTP fixup on, which I turned off, then back on again. Stuck at the
moment scratching my head.

Any help would be appreciated.

Regards

Darren


 
Brian V
      10-13-2006


when you do a "show service-policy" are you seeing drops?


 
Darren Green
      10-14-2006
> when you do a "show service-policy" are you seeing drops?

Brian,

Appreciate the response.

Please see output below:

Errors I receive constantly:

6 Oct 14 2006 09:06:25 302014 X.X.X.X 172.28.1.6 Teardown TCP connection 6193 for outside:X.X.XX/3588 to DMZ:172.28.1.6/25 duration 0:00:00 bytes 0 TCP FINs

6 Oct 14 2006 09:06:25 302013 X.X.X.X 172.28.1.6 Built inbound TCP connection 6193 for outside:X.X.X.X/3588 (X.X.X.X/358 to DMZ:172.28.1.6/25 (X.X.X.X/25)

access-list outside line 4 extended permit tcp any host X.X.X.X eq smtp (hitcnt=4410)

Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: dns preset_dns_map, packet 669, drop 0, reset-drop 0
Inspect: ftp, packet 240, drop 0, reset-drop 0
Inspect: h323 h225 _default_h323_map, packet 0, drop 0, reset-drop 0
Inspect: h323 ras _default_h323_map, packet 0, drop 0, reset-drop 0
Inspect: rsh, packet 0, drop 0, reset-drop 0
Inspect: rtsp, packet 0, drop 0, reset-drop 0
Inspect: sqlnet, packet 0, drop 0, reset-drop 0
Inspect: skinny, packet 0, drop 0, reset-drop 0
Inspect: sunrpc, packet 0, drop 0, reset-drop 0
Inspect: xdmcp, packet 0, drop 0, reset-drop 0
Inspect: sip, packet 0, drop 0, reset-drop 0
Inspect: netbios, packet 8, drop 0, reset-drop 0
Inspect: tftp, packet 0, drop 0, reset-drop 0
Inspect: pptp, packet 0, drop 0, reset-drop 0
Inspect: icmp, packet 126, drop 0, reset-drop 0
Inspect: esmtp _default_esmtp_map, packet 13510, drop 0, reset-drop 0

I have the enclosed line on my DMZ port also (NB This is 1 of several
access-list entries for the DMZ):

access-list dmz_access line 9 extended permit udp host 172.28.1.6 any eq domain (hitcnt=225) 0xf52b94ca

This is the private address of the MailSweeper that I thought I would need
to allow DNS for out onto the Internet with the static IP:

static (DMZ,outside) X.X.X.X 172.28.1.6 netmask 255.255.255.255

Regards

Darren




 
Darren Green
      10-14-2006
I also did a packet capture with Ethereal; the packet sequence goes:

Sending Mail Server - Syn
MailSweeper- Syn Ack
Sending Mail Server - Ack
Mailsweeper - Fin, Ack
Sending Mail Server - Fin, Ack
Mailsweeper - Ack

Then round and round again, all within a 1 second window, no bytes
transferred. From the above it looks as if the teardown is at my end.

Regards

Darren


 
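The 302013/302014 pairs Darren posted, and the SYN / SYN-ACK / ACK / FIN sequence in his capture, describe one pattern: the firewall builds the session and the server closes it before a single byte of SMTP flows. As an added example (not from the thread, and not Cisco code), this Python script parses 302014 teardown messages in the ASDM layout Darren posted and separates such empty FIN closes from sessions that carried data; the sample lines, the 203.0.113.x/198.51.100.x addresses and the function names are constructed for the example.

```python
import re
from collections import Counter

# Added example, not from the thread: parse ASA 302014 teardown messages in
# the ASDM layout Darren posted and separate "built, then closed by FINs with
# 0 bytes" SMTP sessions from sessions that carried data. Sample lines are
# constructed; addresses are documentation ranges, not the poster's.
SAMPLE_LOG = """\
6 Oct 14 2006 09:06:25 302013 203.0.113.10 172.28.1.6 Built inbound TCP connection 6193 for outside:203.0.113.10/3588 (203.0.113.10/3588) to DMZ:172.28.1.6/25 (198.51.100.30/25)
6 Oct 14 2006 09:06:25 302014 203.0.113.10 172.28.1.6 Teardown TCP connection 6193 for outside:203.0.113.10/3588 to DMZ:172.28.1.6/25 duration 0:00:00 bytes 0 TCP FINs
6 Oct 14 2006 09:06:31 302013 203.0.113.10 172.28.1.6 Built inbound TCP connection 6201 for outside:203.0.113.10/3590 (203.0.113.10/3590) to DMZ:172.28.1.6/25 (198.51.100.30/25)
6 Oct 14 2006 09:06:32 302014 203.0.113.10 172.28.1.6 Teardown TCP connection 6201 for outside:203.0.113.10/3590 to DMZ:172.28.1.6/25 duration 0:00:01 bytes 0 TCP FINs
6 Oct 14 2006 09:07:02 302013 198.51.100.77 172.28.1.6 Built inbound TCP connection 6250 for outside:198.51.100.77/41022 (198.51.100.77/41022) to DMZ:172.28.1.6/25 (198.51.100.30/25)
6 Oct 14 2006 09:07:09 302014 198.51.100.77 172.28.1.6 Teardown TCP connection 6250 for outside:198.51.100.77/41022 to DMZ:172.28.1.6/25 duration 0:00:07 bytes 48213 TCP FINs
6 Oct 14 2006 09:07:15 302013 203.0.113.55 172.28.1.6 Built inbound TCP connection 6260 for outside:203.0.113.55/2048 (203.0.113.55/2048) to DMZ:172.28.1.6/25 (198.51.100.30/25)
6 Oct 14 2006 09:07:45 302014 203.0.113.55 172.28.1.6 Teardown TCP connection 6260 for outside:203.0.113.55/2048 to DMZ:172.28.1.6/25 duration 0:00:30 bytes 0 SYN Timeout
"""

TEARDOWN_RE = re.compile(
    r"302014 .*?Teardown TCP connection (?P<conn>\d+) for "
    r"(?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) to "
    r"(?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) duration "
    r"(?P<h>\d+):(?P<m>\d+):(?P<s>\d+) bytes (?P<bytes>\d+)(?: (?P<reason>.+))?$")


def parse_teardowns(text):
    """One record per 302014 line; 302013 (Built) and other ids are skipped."""
    records = []
    for line in text.splitlines():
        m = TEARDOWN_RE.search(line)
        if not m:
            continue
        records.append({
            "conn": int(m["conn"]), "src": m["src"], "dst": m["dst"],
            "dport": int(m["dport"]), "bytes": int(m["bytes"]),
            "duration": int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"]),
            "reason": (m["reason"] or "").strip(),
        })
    return records


def is_empty_fin_close(rec, max_seconds=2):
    """Darren's pattern: handshake completes, FINs within ~2 s, no payload."""
    return (rec["bytes"] == 0 and rec["reason"] == "TCP FINs"
            and rec["duration"] <= max_seconds)


def summarize_smtp(records, port=25):
    """Classify SMTP teardowns and say whether the server side is closing."""
    smtp = [r for r in records if r["dport"] == port]
    empty = [r for r in smtp if is_empty_fin_close(r)]
    summary = {
        "total": len(smtp),
        "empty_fin_closes": len(empty),
        "other_zero_byte": sum(1 for r in smtp
                               if r["bytes"] == 0 and not is_empty_fin_close(r)),
        "data_sessions": sum(1 for r in smtp if r["bytes"] > 0),
        "by_source": Counter(r["src"] for r in empty),
    }
    # A completed handshake followed by FINs with 0 bytes means the firewall
    # built the session and the server closed it before any SMTP data flowed,
    # so the next place to look is the server (and whatever it waits on, such
    # as DNS), not the inbound access-list.
    summary["likely_server_side_close"] = (
        summary["total"] > 0 and 2 * summary["empty_fin_closes"] >= summary["total"])
    return summary


if __name__ == "__main__":
    for key, value in summarize_smtp(parse_teardowns(SAMPLE_LOG)).items():
        print(key, value)
```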
Brian V
      10-14-2006


Can you post your full config? I'll take a look. While I do not believe it's
your inspects, the esmtp using a map is rather strange, typically it is only
DNS and h323 that use a map.

-Brian


 
Darren Green
      10-14-2006
>
> Can you post your full config? I'll take a look. While I do not believe
> it's your inspects, the esmtp using a map is rather strange, typically it
> is only DNS and h323 that use a map.
>
> -Brian

Brian,

Thanks again. Config enclosed.

I have pulled out some bits relating to various VPNs. I also pulled out a
couple of additional DMZ statics which had Global mappings - .29 & .30 are
my 2 x servers, with .30, the Mailsweeper, giving me the pain. The other bit
removed was a nonat_dmz access-list for a couple of other hosts that work
fine.

ASA Version 7.2(1)
!
hostname ASA
domain-name XYZ
enable password XXXXXXXXXXencrypted
names
dns-guard
!
interface Ethernet0/0
description Interface to Outside
speed 100
duplex full
nameif outside
security-level 0
ip address X.X.X.X.4 255.255.255.224 standby X.X.X.5
!
interface Ethernet0/1
description Interface To Private Network
speed 100
duplex full
nameif inside
security-level 100
ip address 172.29.1.6 255.255.255.0 standby 172.29.1.7
!
interface Ethernet0/2
description DMZ Port
speed 100
duplex full
nameif DMZ
security-level 50
ip address 172.28.1.1 255.255.255.0 standby 172.28.1.2
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
description LAN Failover Interface
!
passwd XXXXXXXXXXXX encrypted
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns server-group DefaultDNS
domain-name XXXXXXXXX
access-list outside extended permit tcp any host X.X.X.29 eq ftp
access-list outside extended permit tcp any host X.X.X.30 eq smtp
access-list outside extended permit tcp any host X.X.X.29 eq www
access-list dmz_access extended permit icmp host 172.28.1.3 any echo
access-list dmz_access extended permit icmp host 172.28.1.4 any echo
access-list dmz_access extended permit tcp host 172.28.1.6 host 10.0.0.9 eq smtp
access-list dmz_access extended permit ip host 172.28.1.5 host 10.0.0.2
access-list dmz_access extended permit udp host 172.28.1.6 any eq domain (I did this yesterday)
access-list dmz_access extended permit tcp host 172.28.1.6 any eq smtp (I believe I need this so that the MailSweeper can initiate an SMTP connection to the Internet)
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
failover
failover lan unit secondary
failover lan interface LAN_Failover Management0/0
failover key *****
failover replication http
failover interface ip LAN_Failover 172.29.2.1 255.255.255.252 standby 172.29.2.2
asdm image disk0:/asdm521.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (DMZ) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 0 access-list nonat_dmz
static (inside,outside) X.X.X.X.6 172.29.1.2 netmask 255.255.255.255
static (inside,outside) X.X.X.X.7 172.29.1.3 netmask 255.255.255.255
static (DMZ,outside) X.X.X.X.29 172.28.1.5 netmask 255.255.255.255
static (DMZ,outside) X.X.X.30 172.28.1.6 netmask 255.255.255.255
static (inside,DMZ) 10.0.0.2 10.0.0.2 netmask 255.255.255.255
static (inside,DMZ) 10.0.0.9 10.0.0.9 netmask 255.255.255.255
access-group outside in interface outside
access-group dmz_access in interface DMZ
route outside 0.0.0.0 0.0.0.0 X.X.X.X 1
route inside 10.0.0.0 255.0.0.0 172.29.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server enable
crypto ipsec transform-set set2 esp-3des esp-md5-hmac
crypto ipsec transform-set set1 esp-3des esp-sha-hmac
crypto dynamic-map dynamap 20 set transform-set set1
crypto dynamic-map dynamap 40 set transform-set set1
crypto map vpn-traffic 20 match address XXXXXXXXX
crypto map vpn-traffic 20 set peer blah
crypto map vpn-traffic 20 set transform-set set1
crypto map vpn-traffic 30 match address XXXXXXXX
crypto map vpn-traffic 30 set peer blah
crypto map vpn-traffic 30 set transform-set set1
crypto map vpn-traffic 50 ipsec-isakmp dynamic dynamap
crypto map vpn-traffic interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
crypto isakmp nat-traversal 30
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect pptp
inspect icmp
inspect esmtp
!
service-policy global_policy global
ntp server XXXXXX source XXXXXXX
prompt hostname context


 
Brian V
      10-14-2006


Few things to try...

1, Change your DNS inspect to use a 1500-byte packet.
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 1500

2, I'm sure you just put this in for troubleshooting, but I don't like
seeing it there. It's a big security issue.
access-list dmz_access extended permit ip host 172.28.1.5 host 10.0.0.2
Do:
no access-list dmz_access extended permit ip host 172.28.1.5 host 10.0.0.2
access-list dmz_access extended permit ip host 172.28.1.5 host 10.0.0.2 log

Once you have verified what ports it uses, tighten it down to those and
remove the permit ip statement.

3, Let's add a couple of entries on your DMZ ACL. First we'll add a logging deny
to inside subnets to see if anything else is being hit. Then add a permit
any to see if it's perhaps a reverse communication back to the real world.
The machines on the DMZ now cannot go to the internet due to the missing
permit statements...this affects updates and 2 way communication between
outside sources.
access-list dmz_access extended deny ip any 172.29.1.0 255.255.255.0 log
access-list dmz_access extended deny ip any 10.0.0.0 255.0.0.0 log
access-list dmz_access extended permit ip any any

-Brian










 
Darren Green
      10-14-2006
>
> Few things to try...
>
> 1, Change your DNS inspect to use a 1500byte packet.
> policy-map type inspect dns preset_dns_map
> parameters
> message-length maximum 1500


Done
>
> 2, I'm sure you just put this in for troubleshooting, but I don't like
> seeing it there. It's a big security issue.
> access-list dmz_access extended permit ip host 172.28.1.5 host 10.0.0.2
> Do:
> no access-list dmz_access extended permit ip host 172.28.1.5 host 10.0.0.2
> access-list dmz_access extended permit ip host 172.28.1.5 host 10.0.0.2
> log
>

Done, good point - I actually made a mistake here & should have known better.
Thank you for bringing this to my attention.

> Once you have verified what ports it uses, tighten it down to those and
> remove the permit ip statement.
>

Will do

> 3, Lets add a couple entires on your DMZ ACL. First we'll add a logging
> deny to inside subnets to see if anything else is being hit. Then add a
> permit any to see if it's perhaps a reverse communication back to the real
> world. The machines on the DMZ now cannot go to the internet due to the
> missing permit statements...this affects updates and 2 way communication
> between outside sources.
> access-list dmz_access extended deny ip any 172.29.1.0 255.255.255.0 log
> access-list dmz_access extended deny ip any 10.0.0.0 255.0.0.0 log
> access-list dmz_access extended permit ip any any
>
> -Brian
>

Brian,

Again, thank you for taking all this time to help me with this, really
appreciated.

Can I clarify point (3).

I can see the reason to put this access-list entry on here, but would you
mind clarifying why the machines on the DMZ will not be able to get out
to the Internet? If I have 1:1 static translations for .5 & .6 from the
DMZ to the outside, surely they will be able to hit the Internet, won't they?

Can I also confirm that the above 3 x lines for dmz_access are to go at the
end of the access-list?

The inside network of the PIX is 172.29.1.0/24 and it reaches 10.0.0.0 /8
via 172.29.1.1.

Regards

Darren


 
Brian V
      10-15-2006


Hi Darren,

By default higher security interfaces can always talk to lower security
interfaces UNTIL an access list is applied to the interface. On the bottom
of all access lists is a deny ip any any; you can't see it, you don't add
it, it's simply there; it's called an implicit deny. In the case of a DMZ
ACL you permit the services you want to permit to the inside, deny everything
else to the inside, deny anything else, then permit everything to the real
world. With your current DMZ ACL those machines on the DMZ cannot go to the
web or even do public DNS lookups due to the implicit deny. If the
Mailsweeper is doing reverse lookups it would fail as it cannot get to the
internet.

The statics don't tell it that it can go to the internet, they simply
tell it who they are. The ACL is what controls where they can go.

Yes, the entries I gave you should go at the bottom of the DMZ ACL. You
need to keep this in mind when adding permitted services to the inside from
the DMZ: they need to go above the deny any to the inside IPs. This only
applies to a DMZ ACL; you would never use this on an outside ACL. On an
outside ACL we want the implicit deny there as we only want to allow
specific services in from the real world. Always build a DMZ ACL in this
order:
permitted services to the inside
deny everything else to the inside
deny anything else you want to deny
permit everything to the world

You can actually insert lines wherever you like into an ACL. There is
no reason to remove it to add other permits. When you use the command "show
access-list" it will show you your ACL and will have line numbers in there.
Example:
show access-list
access-list DMZ line 1 extended permit icmp any any echo-reply (hitcnt=43739) 0x92a1d35a
access-list DMZ line 2 extended permit icmp any any time-exceeded (hitcnt=247) 0x83d4ea4f
access-list DMZ line 3 extended permit tcp host X.X.X.X host X.X.X.X eq domain (hitcnt=70) 0x499324c7
access-list DMZ line 4 extended permit udp host X.X.X.X host X.X.X.X eq domain (hitcnt=9367 0x1a2a5165

If I wanted to add a statement between lines 1 and 2 I would add
access-list DMZ line 2 extended permit <tcp or udp> <source> <destination> eq <port>

This would insert it above line 2 and below line 1. The new ACL would
look like:
access-list DMZ line 1 extended permit icmp any any echo-reply (hitcnt=43739) 0x92a1d35a
access-list DMZ line 2 extended permit <tcp or udp> <source> <destination> eq <port>
access-list DMZ line 3 extended permit icmp any any time-exceeded (hitcnt=247) 0x83d4ea4f
access-list DMZ line 4 extended permit tcp host X.X.X.X host X.X.X.X eq domain (hitcnt=70) 0x499324c7
access-list DMZ line 5 extended permit udp host X.X.X.X host X.X.X.X eq domain (hitcnt=9367 0x1a2a5165

-Brian


 
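Brian's three points (the implicit deny at the end of every ACL, the order a DMZ ACL is built in, and "line N" insertion above an existing line) can be checked with an added example that is neither Cisco code nor from the thread: a first-match simulator fed Darren's posted dmz_access entries, then Brian's three trailing lines, then a new inside permit inserted at line 7. The parser, the Acl class and the 203.0.113.x Internet addresses are constructed for this example; only the keywords in the posted config are supported.

```python
import ipaddress
import re
from collections import namedtuple

# Added example, not Cisco code: first-match simulator for ASA/PIX extended
# ACLs covering only the keywords used in the thread's posted config.
PORT_NAMES = {"smtp": 25, "domain": 53, "www": 80, "ftp": 21}
ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?:line\s+(?P<line>\d+)\s+)?extended\s+"
    r"(?P<action>permit|deny)\s+(?P<proto>ip|tcp|udp|icmp)\s+"
    r"(?P<src>host\s+\S+|any|\S+\s+\S+)\s+(?P<dst>host\s+\S+|any|\S+\s+\S+)"
    r"(?:\s+eq\s+(?P<port>\S+))?(?:\s+(?P<icmp>echo(?:-reply)?|time-exceeded))?"
    r"(?:\s+(?P<log>log))?\s*$")
# service is a TCP/UDP port number, an ICMP type name, or None (any).
Ace = namedtuple("Ace", "action proto src dst service log")


def _net(spec):
    """'any', 'host A.B.C.D' or 'A.B.C.D M.M.M.M' -> IPv4Network."""
    words = spec.split()
    if words == ["any"]:
        return ipaddress.ip_network("0.0.0.0/0")
    if words[0] == "host":
        return ipaddress.ip_network(words[1] + "/32")
    return ipaddress.ip_network("/".join(words))


def parse_ace(line):
    """Return (ACL name, requested line number or None, Ace)."""
    m = ACE_RE.match(line.strip())
    if not m:
        raise ValueError("not an extended ACE: %r" % line)
    service = m["icmp"]
    if m["port"] is not None:
        service = PORT_NAMES.get(m["port"]) or int(m["port"])
    ace = Ace(m["action"], m["proto"], _net(m["src"]), _net(m["dst"]),
              service, m["log"] is not None)
    return m["name"], (int(m["line"]) if m["line"] else None), ace


class Acl:
    """Ordered ACEs; first match wins, then the implicit 'deny ip any any'."""

    def __init__(self, name):
        self.name, self.aces = name, []

    def add(self, line):
        name, lineno, ace = parse_ace(line)
        if name != self.name:
            raise ValueError("ACE belongs to %s, not %s" % (name, self.name))
        if lineno is None:
            self.aces.append(ace)              # no 'line N': goes to the end
        else:
            self.aces.insert(lineno - 1, ace)  # 'line N': above current line N
        return self

    def lookup(self, proto, src, dst, service=None):
        """-> (action, matched line number or None for implicit deny, logged)."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for n, ace in enumerate(self.aces, start=1):
            if ace.proto not in ("ip", proto) or s not in ace.src or d not in ace.dst:
                continue
            if ace.service is not None and ace.service != service:
                continue
            return ace.action, n, ace.log
        return "deny", None, False


# Darren's posted dmz_access entries (parenthetical remarks removed) and
# Brian's three trailing entries.
DARREN_DMZ_ACL = [
    "access-list dmz_access extended permit icmp host 172.28.1.3 any echo",
    "access-list dmz_access extended permit icmp host 172.28.1.4 any echo",
    "access-list dmz_access extended permit tcp host 172.28.1.6 host 10.0.0.9 eq smtp",
    "access-list dmz_access extended permit ip host 172.28.1.5 host 10.0.0.2",
    "access-list dmz_access extended permit udp host 172.28.1.6 any eq domain",
    "access-list dmz_access extended permit tcp host 172.28.1.6 any eq smtp",
]
BRIAN_ADDITIONS = [
    "access-list dmz_access extended deny ip any 172.29.1.0 255.255.255.0 log",
    "access-list dmz_access extended deny ip any 10.0.0.0 255.0.0.0 log",
    "access-list dmz_access extended permit ip any any",
]


def walk_through():
    """Replay the thread's reasoning; 203.0.113.x are constructed Internet hosts."""
    acl = Acl("dmz_access")
    for entry in DARREN_DMZ_ACL:
        acl.add(entry)
    out = {"dns_out_before": acl.lookup("udp", "172.28.1.6", "203.0.113.53", 53)}
    # Nothing permits HTTP to the Internet, so the implicit deny drops it.
    out["http_out_before"] = acl.lookup("tcp", "172.28.1.6", "203.0.113.80", 80)
    for entry in BRIAN_ADDITIONS:
        acl.add(entry)
    out["http_out_after"] = acl.lookup("tcp", "172.28.1.6", "203.0.113.80", 80)
    out["dmz_to_inside"] = acl.lookup("tcp", "172.28.1.6", "172.29.1.10", 445)
    # A new permit to an inside host is only reached if it sits above the
    # deny-to-inside lines, hence 'line 7' rather than appending at the end.
    out["inside_www_before_insert"] = acl.lookup("tcp", "172.28.1.6", "10.0.0.9", 80)
    acl.add("access-list dmz_access line 7 extended permit tcp "
            "host 172.28.1.6 host 10.0.0.9 eq www")
    out["inside_www_inserted"] = acl.lookup("tcp", "172.28.1.6", "10.0.0.9", 80)
    out["dmz_to_inside_shifted"] = acl.lookup("tcp", "172.28.1.6", "172.29.1.10", 445)
    return out
```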
Darren Green
      10-15-2006

Brian,

Thanks for clearing that up, this all makes sense.

I am going to apply the above and see what the buffer logs tell me later
today. I will post a follow up once I have some info.

Regards

Darren


 