Posted by Bob Simon on April 30, 2008, 4:18 pm
News Reader wrote:
>Bob Simon wrote:
>> wrote:
>>
>>> Bob Simon wrote:
>>>> I have an access list applied inbound on the outside interface of a
>>>> 2600 connected to the edge router. I found that I needed smtp ACEs
>>>> for both the source port and for the destination port to our exchange
>>>> server.
>>>> 50 permit tcp any eq smtp host 192.168.0.20 (99012 matches)
>>> Matching SMTP exchanges with external SMTP servers (source port 25).
>>> This ACE would not match clients (source port >1023).
>>>
>>>> 60 permit tcp any host 192.168.0.20 eq smtp log (880 matches)
>>> This ACE currently matches clients (destination port 25). Servers were
>>> matched on the previous ACE.
>>>
>>> If you eliminate ACE # 50, clients and servers would match ACE # 60.
>>
>> Are you saying that the way servers assign the tcp ports is different
>> from the way clients assign the tcp ports?
>
>No, I don't think I have suggested that.
>
>>
>> I thought that in either case, the host that initiates the session
>> uses a random source port and a well known destination port with
>> return packets coming back to the well known source port and a
>> destination port matching the originating packet.
>
>The original source port becomes the destination port on the return
>path, and vice versa.
>
>You need to understand the operational behavior of the protocols you are
>using. Source ports are NOT always random.
>
>e.g.: A Windows client initiates an NTP (or perhaps SNTP) connection to
>an NTP server on the router:
>
>The host uses a "source port >1023", and a destination port of 123.
>
>A Cisco switch initiates an NTP connection to an NTP server on the router:
>
>The switch uses a "source port of 123", and a destination port of 123.
>
>
>I was suggesting:
>
>* That an external SMTP server initiating a connection to your server
>would likely be using TCP source port 25 which matches your ACE #50
>(permit tcp any eq smtp host 192.168.0.20).
>
>* That an external SMTP client initiating a connection to your server
>would be using TCP source port >1023, and would NOT match ACE #50
>because you have specified the TCP source port 25 (smtp) requirement.
>
>* That both of the prior described connection attempts would match ACE
>#60 (permit tcp any host 192.168.0.20 eq smtp log) because "only" the
>TCP destination port 25 (smtp) has been specified in the ACE, and is
>common to both connection attempts. However, because inbound connections
>from SMTP servers matched ACE #50, the packets are forwarded without
>being compared to ACE #60.
>
>Since ACE #60 would match both connection types, you could eliminate ACE
>#50.
>
>Best Regards,
>News Reader
My "show run" from yesterday morning includes:
access-list 102 permit tcp any host 192.168.0.20 eq smtp
which is part of an ACL applied to the outside interface inbound.
Can you come up with an explanation for why this did not work?
The customers called me because they were not getting their mail so I
added the other ACE with source port eq smtp. If I placed the new
statement AFTER the old statement would it have received no hits?
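The evaluation order the two posts argue about, as an added example that is not part of the original thread. It is a small Python model of IOS first-match access-list processing, run over constructed packets: the two inbound connection cases News Reader describes (an external MTA with source port 25, and a client with an ephemeral source port), plus a third, assumed case that neither post mentions: the reply to an SMTP session the Exchange server itself opened outbound, which arrives inbound with source port 25 and an ephemeral destination port. The IP addresses, the ephemeral port numbers and the three-packet traffic mix are constructed; the two ACEs are the ones quoted in the thread.

```python
"""Toy model of Cisco IOS access-list evaluation: ACEs are compared in
order, the first match decides, that ACE's hit counter is incremented, and
anything unmatched falls to the implicit deny. Constructed example, not
configuration or code from the original thread."""

from dataclasses import dataclass
from typing import Optional

SMTP = 25
EXCHANGE = "192.168.0.20"  # the mail server from the thread


@dataclass
class Packet:
    src_ip: str
    sport: int
    dst_ip: str
    dport: int
    label: str  # which traffic class this constructed packet stands for


@dataclass
class Ace:
    seq: int
    action: str                     # "permit" or "deny"
    src_port: Optional[int] = None  # "eq" on the TCP source port; None = any
    dst_ip: Optional[str] = None    # None = any
    dst_port: Optional[int] = None  # "eq" on the TCP destination port; None = any
    hits: int = 0

    def matches(self, p: Packet) -> bool:
        return ((self.src_port is None or p.sport == self.src_port)
                and (self.dst_ip is None or p.dst_ip == self.dst_ip)
                and (self.dst_port is None or p.dport == self.dst_port))


# The two ACEs quoted in the thread, keyed by sequence number.
ACES = {
    50: lambda: Ace(50, "permit", src_port=SMTP, dst_ip=EXCHANGE),  # permit tcp any eq smtp host 192.168.0.20
    60: lambda: Ace(60, "permit", dst_ip=EXCHANGE, dst_port=SMTP),  # permit tcp any host 192.168.0.20 eq smtp
}


def build_acl(order: list[int]) -> list[Ace]:
    """Fresh ACE objects (zeroed counters) in the given order."""
    return [ACES[seq]() for seq in order]


def evaluate(acl: list[Ace], p: Packet) -> tuple[str, Optional[int]]:
    """First matching ACE wins; the implicit deny at the end has no counter."""
    for ace in acl:
        if ace.matches(p):
            ace.hits += 1
            return ace.action, ace.seq
    return "deny", None


# Constructed packets as seen inbound on the outside interface.
# The third one is an assumption: it only exists if the Exchange server
# also opens SMTP sessions outbound, whose replies come back with sport 25.
TRAFFIC = [
    Packet("203.0.113.5", 25, EXCHANGE, 25, "external MTA connecting in, source port 25"),
    Packet("203.0.113.9", 51514, EXCHANGE, 25, "external MTA/client connecting in, ephemeral source port"),
    Packet("198.51.100.7", 25, EXCHANGE, 40333, "reply to a session our server opened outbound (assumed)"),
]


def run(order: list[int]) -> tuple[list[tuple[str, Optional[int]]], dict[int, int]]:
    """Push the constructed traffic through an ACL built in the given order;
    return the per-packet decision and 'show access-lists' style hit counts."""
    acl = build_acl(order)
    decisions = [evaluate(acl, p) for p in TRAFFIC]
    return decisions, {ace.seq: ace.hits for ace in acl}


if __name__ == "__main__":
    # Original single-ACE config, the thread's 50-then-60 order, and the reversed order.
    for order in ([60], [50, 60], [60, 50]):
        decisions, hits = run(order)
        print(f"ACL order {order}: hits {hits}")
        for p, (action, seq) in zip(TRAFFIC, decisions):
            print(f"  sport {p.sport:>5} -> dport {p.dport:<5} {action:<6} by ACE {seq}  ({p.label})")
```

With ACE 50 listed first, both the server-to-server connection and the assumed return packet are counted against 50 and only the ephemeral-port client reaches 60, which is the pattern of counters the thread shows. With 60 first, 50 still gets hits, but only for packets 60 cannot match: with the first two packet types alone it would indeed receive none, so the counters would only stay at zero if no sport-25, ephemeral-dport traffic ever arrives. Whether that traffic exists is exactly what a "show access-lists" on the real router would settle. The model is stateless, as a plain IOS ACL is; IOS's `established` keyword (matching segments with ACK or RST set) is the usual way to admit return traffic without opening a whole source port.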