SMTP and tcp ports
Posted by Bob Simon on April 30, 2008, 11:44 am
I have an access list applied inbound on the outside interface of a 2600 connected to the edge router. I found that I needed smtp ACEs for both the source port and for the destination port to our exchange server.

50 permit tcp any eq smtp host 192.168.0.20 (99012 matches)
60 permit tcp any host 192.168.0.20 eq smtp log (880 matches)

Why is this? I thought inbound traffic to the server would be on random destination ports allocated by PAT on the edge router; no?
|
Posted by News Reader on April 30, 2008, 12:04 pm
> 50 permit tcp any eq smtp host 192.168.0.20 (99012 matches)

Matching SMTP exchanges with external SMTP servers (source port 25). This ACE would not match clients (source port >1023).

> 60 permit tcp any host 192.168.0.20 eq smtp log (880 matches)

This ACE currently matches clients (destination port 25). Servers were matched on the previous ACE. If you eliminate ACE # 50, clients and servers would match ACE # 60.

> Why is this? I thought inbound traffic to the server would be on
> random destination ports allocated by PAT on the edge router; no?

Best Regards,
News Reader
|
Posted by Bob Simon on April 30, 2008, 2:25 pm
News Reader wrote:

> Bob Simon wrote:
>
>> I have an access list applied inbound on the outside interface of a
>> 2600 connected to the edge router. I found that I needed smtp ACEs
>> for both the source port and for the destination port to our exchange
>> server.
>>
>> 50 permit tcp any eq smtp host 192.168.0.20 (99012 matches)
>
> Matching SMTP exchanges with external SMTP servers (source port 25).
> This ACE would not match clients (source port >1023).
>
>> 60 permit tcp any host 192.168.0.20 eq smtp log (880 matches)
>
> This ACE currently matches clients (destination port 25). Servers were
> matched on the previous ACE.
>
> If you eliminate ACE # 50, clients and servers would match ACE # 60.

Are you saying that the way servers assign the tcp ports is different from the way clients assign the tcp ports? I thought that in either case, the host that initiates the session uses a random source port and a well known destination port, with return packets coming back to the well known source port and a destination port matching the originating packet.
|
Posted by News Reader on April 30, 2008, 3:30 pm
Bob Simon wrote:

> News Reader wrote:
>
>> Bob Simon wrote:
>>
>>> I have an access list applied inbound on the outside interface of a
>>> 2600 connected to the edge router. I found that I needed smtp ACEs
>>> for both the source port and for the destination port to our exchange
>>> server.
>>>
>>> 50 permit tcp any eq smtp host 192.168.0.20 (99012 matches)
>>
>> Matching SMTP exchanges with external SMTP servers (source port 25).
>> This ACE would not match clients (source port >1023).
>>
>>> 60 permit tcp any host 192.168.0.20 eq smtp log (880 matches)
>>
>> This ACE currently matches clients (destination port 25). Servers were
>> matched on the previous ACE.
>>
>> If you eliminate ACE # 50, clients and servers would match ACE # 60.
>
> Are you saying that the way servers assign the tcp ports is different
> from the way clients assign the tcp ports?

No, I don't think I have suggested that.

> I thought that in either case, the host that initiates the session
> uses a random source port and a well known destination port with
> return packets coming back to the well known source port and a
> destination port matching the originating packet.

The original source port becomes the destination port on the return path, and vice versa.

You need to understand the operational behavior of the protocols you are using. Source ports are NOT always random.

e.g.: A Windows client initiates an NTP (or perhaps SNTP) connection to an NTP server on the router:

The host uses a "source port >1023", and a destination port of 123.

A Cisco switch initiates an NTP connection to an NTP server on the router:

The switch uses a "source port of 123", and a destination port of 123.

I was suggesting:

* That an external SMTP server initiating a connection to your server would likely be using TCP source port 25, which matches your ACE #50 (permit tcp any eq smtp host 192.168.0.20).

* That an external SMTP client initiating a connection to your server would be using TCP source port >1023, and would NOT match ACE #50 because you have specified the TCP source port 25 (smtp) requirement.

* That both of the prior described connection attempts would match ACE #60 (permit tcp any host 192.168.0.20 eq smtp log) because "only" the TCP destination port 25 (smtp) has been specified in the ACE, and is common to both connection attempts. However, because inbound connections from SMTP servers matched ACE #50, the packets are forwarded without being compared to ACE #60.

Since ACE #60 would match both connection types, you could eliminate ACE #50.

Best Regards,
News Reader
|
Posted by Bob Simon on April 30, 2008, 4:18 pm
News Reader wrote:

> Bob Simon wrote:
>
>> News Reader wrote:
>>
>>> Bob Simon wrote:
>>>
>>>> I have an access list applied inbound on the outside interface of a
>>>> 2600 connected to the edge router. I found that I needed smtp ACEs
>>>> for both the source port and for the destination port to our exchange
>>>> server.
>>>>
>>>> 50 permit tcp any eq smtp host 192.168.0.20 (99012 matches)
>>>
>>> Matching SMTP exchanges with external SMTP servers (source port 25).
>>> This ACE would not match clients (source port >1023).
>>>
>>>> 60 permit tcp any host 192.168.0.20 eq smtp log (880 matches)
>>>
>>> This ACE currently matches clients (destination port 25). Servers were
>>> matched on the previous ACE.
>>>
>>> If you eliminate ACE # 50, clients and servers would match ACE # 60.
>>
>> Are you saying that the way servers assign the tcp ports is different
>> from the way clients assign the tcp ports?
>
> No, I don't think I have suggested that.
>
>> I thought that in either case, the host that initiates the session
>> uses a random source port and a well known destination port with
>> return packets coming back to the well known source port and a
>> destination port matching the originating packet.
>
> The original source port becomes the destination port on the return
> path, and vice versa.
>
> You need to understand the operational behavior of the protocols you are
> using. Source ports are NOT always random.
>
> e.g.: A Windows client initiates an NTP (or perhaps SNTP) connection to
> an NTP server on the router:
>
> The host uses a "source port >1023", and a destination port of 123.
>
> A Cisco switch initiates an NTP connection to an NTP server on the router:
>
> The switch uses a "source port of 123", and a destination port of 123.
>
> I was suggesting:
>
> * That an external SMTP server initiating a connection to your server
> would likely be using TCP source port 25 which matches your ACE #50
> (permit tcp any eq smtp host 192.168.0.20).
>
> * That an external SMTP client initiating a connection to your server
> would be using TCP source port >1023, and would NOT match ACE #50
> because you have specified the TCP source port 25 (smtp) requirement.
>
> * That both of the prior described connection attempts would match ACE
> #60 (permit tcp any host 192.168.0.20 eq smtp log) because "only" the
> TCP destination port 25 (smtp) has been specified in the ACE, and is
> common to both connection attempts. However, because inbound connections
> from SMTP servers matched ACE #50, the packets are forwarded without
> being compared to ACE #60.
>
> Since ACE #60 would match both connection types, you could eliminate ACE
> #50.
>
> Best Regards,
> News Reader

My "show run" from yesterday morning includes:

access-list 102 permit tcp any host 192.168.0.20 eq smtp

which is part of an ACL applied to the outside interface inbound. Can you come up with an explanation for why this did not work? The customers called me because they were not getting their mail, so I added the other ACE with source port eq smtp. If I placed the new statement AFTER the old statement, would it have received no hits?