安全 : Cisco IOS 防火墙

SMTP和ESMTP与Cisco IOS防火墙配置示例的连接检查配置示例

2015 年 8 月 28 日 - 机器翻译
其他版本: PDFpdf | 英语 (2015 年 4 月 22 日) | 反馈


目录


简介

使用Cisco IOS在Cisco IOS的防火墙本文为入站简单邮件传输协议(SMTP)或Extended Simple Mail Transfer Protocol (ESMTP)连接的检查提供一配置示例。这种检查类似于在 Cisco PIX 500 系列安全设备中的邮箱保护功能。

先决条件

要求

本文档没有任何特定的要求。

使用的组件

本文档中的信息基于以下软件和硬件版本:

  • Cisco IOS 软件版本 12.3(4)T 或更高版本

  • Cisco 3640 路由器

本文档中的信息都是基于特定实验室环境中的设备编写的。本文档中使用的所有设备最初均采用原始(默认)配置。如果您使用的是真实网络,请确保您已经了解所有命令的潜在影响。

规则

有关文档规则的详细信息,请参阅 Cisco 技术提示规则

背景信息

SMTP 检查导致 SMTP 命令受到非法命令检查。将具有非法命令的数据包修改为“xxxx”模式并转发到服务器。此过程导致服务器发送否定回复,这会强制客户端发出有效命令。非法 SMTP 命令是除以下命令以外的其他命令:

  • 数据
  • 直升机
  • 帮助
  • MAIL
  • NOOP
  • 离开
  • RCPT
  • R装置
  • SAML
  • 发送
  • SOML
  • VRFY

ESMTP 检查与 SMTP 检查的运行方式相同。将具有非法命令的数据包修改为“xxxx”模式并转发到服务器,这会触发否定回复。非法 ESMTP 命令是除以下命令以外的其他命令:

  • AUTH
  • 数据
  • EHLO
  • ETRN
  • 直升机
  • 帮助
  • 帮助
  • MAIL
  • NOOP
  • 离开
  • RCPT
  • R装置
  • SAML
  • 发送
  • SOML
  • VRFY

ESMTP 检查也通过更深的命令检查检查这些扩展:

  • 消息大小声明 (SIZE)

  • 处理声明的远程队列 (ETRN)

  • 二进制 MIME (BINARYMIME)

  • 命令管道传输

  • 验证

  • 传送状态通知 (DSN)

  • 增强状态代码 (ENHANCEDSTATUSCODE)

  • 8 位 MIMEtransport (8BITMIME)

注意: SMTP 和 ESMTP 检查无法同时配置。尝试配置两者会导致出现错误消息。

注意: 在 Cisco IOS 软件版本 12.3(4)T 和更新版本中,Cisco IOS 防火墙不再创建动态访问列表条目以允许数据流通过。Cisco IOS 防火墙现在维护会话状态表以控制检查连接的安全。

配置

本部分提供有关如何配置本文档所述功能的信息。

注意: 使用命令查找工具仅限注册用户)可获取有关本部分所使用命令的详细信息。

网络图

本文档使用以下网络设置:

/image/gif/paws/69309/smtp-esmtp-cbac-1.gif

配置

本文档使用以下配置:

3640路由器
3640-123#show running-config
Building configuration...

Current configuration : 1432 bytes
!
version 12.3
service config
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 3640-123
!
boot-start-marker
boot-end-marker
!
enable password 7 02050D4808095E731F
!
no aaa new-model
!
resource policy
!
voice-card 3
!
ip subnet-zero
!
!
ip cef
no ip dhcp use vrf connected
!
!

!--- This is the Cisco IOS Firewall configuration.


!--- IN-OUT is the inspection rule for traffic that flows
!--- from the inside interface of the router to the outside interface.

ip inspect name IN-OUT tcp
ip inspect name IN-OUT udp
ip inspect name IN-OUT ftp
ip inspect name IN-OUT http
ip inspect name IN-OUT icmp


!--- OUT-IN is the inspection rule for traffic that flows
!--- from the outside interface of the router to the inside interface.
!--- This rule is where SMTP/ESMTP inspection is specified.

ip inspect name OUT-IN smtp
!
no ip ips deny-action ips-interface
!
no ftp-server write-enable
!
!
!
!
controller T1 3/0
 framing sf
 linecode ami
!
!
!
!
!

!--- The outside interface.

interface Ethernet2/0
 ip address 172.22.1.16 255.255.255.0


!--- Apply the access list to permit SMTP/ESMTP connections
!--- to the mail server. This also allows Cisco IOS Firewall
!--- to inspect SMTP or ESMTP commands.

 ip access-group 101 in
 ip nat outside


!--- Apply the inspection rule OUT-IN inbound on this interface.  This is
!--- the rule that defines SMTP/ESMTP inspection.

 ip inspect OUT-IN in
 ip virtual-reassembly
 half-duplex
!
interface Serial2/0
 no ip address
 shutdown
!

!--- The inside interface.

interface Ethernet2/1
 ip address 10.10.10.1 255.255.255.0
 ip nat inside


!--- Apply the inspection rule IN-OUT inbound on this interface.

 ip inspect IN-OUT in
 ip virtual-reassembly
 half-duplex
!
ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 172.22.1.1
!
!

!--- The static translation for the mail server.

ip nat inside source static 10.10.10.2 172.22.1.110
ip nat inside source static 10.10.10.5 172.22.1.111
!

!--- The access list to permit SMTP and ESMTP to the mail server.
!--- Cisco IOS Firewall inspects permitted traffic.

access-list 101 permit tcp any host 172.22.1.110 eq smtp
!
!
!
control-plane
!
!
!
voice-port 1/0/0
!
voice-port 1/0/1
!
voice-port 1/1/0
!
voice-port 1/1/1
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 password 7 121A0C0411045D5679
 login
!
!
end

验证

使用本部分可确认配置能否正常运行。

命令输出解释程序仅限注册用户)(OIT) 支持某些 show 命令。使用 OIT 可查看对 show 命令输出的分析。

  • show ip inspect all — 验证 Cisco IOS 防火墙检查规则配置及其在接口的应用。

    3640-123#show ip inspect all
    Session audit trail is disabled
    Session alert is enabled
    one-minute (sampling period) thresholds are [400:500] connections
    max-incomplete sessions thresholds are [400:500]
    max-incomplete tcp connections per host is 50. Block-time 0 minute.
    tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
    tcp idle-time is 3600 sec -- udp idle-time is 30 sec
    dns-timeout is 5 sec
    Inspection Rule Configuration
     Inspection name IN-OUT
        tcp alert is on audit-trail is off timeout 3600
        udp alert is on audit-trail is off timeout 30
        ftp alert is on audit-trail is off timeout 3600
        http alert is on audit-trail is off timeout 3600
        icmp alert is on audit-trail is off timeout 10
     Inspection name OUT-IN
        smtp max-data 20000000 alert is on audit-trail is off timeout 3600
    
    Interface Configuration
     Interface Ethernet2/1
      Inbound inspection rule is IN-OUT
        tcp alert is on audit-trail is off timeout 3600
        udp alert is on audit-trail is off timeout 30
        ftp alert is on audit-trail is off timeout 3600
        http alert is on audit-trail is off timeout 3600
        icmp alert is on audit-trail is off timeout 10
      Outgoing inspection rule is not set
      Inbound access list is not set
      Outgoing access list is not set
     Interface Ethernet2/0
      Inbound inspection rule is OUT-IN
        smtp max-data 20000000 alert is on audit-trail is off timeout 3600
      Outgoing inspection rule is not set
      Inbound access list is 101
      Outgoing access list is not set
  • debug ip inspect smtp — 显示有关 Cisco IOS 防火墙 SMTP 检查事件的消息。

    注意: 使用 debug 命令之前,请参阅有关 Debug 命令的重要信息

    ausnml-3600-02#debug ip inspect smtp
    INSPECT SMTP Inspection debugging is on
    ausnml-3600-02#
    *Oct 18 21:51:35.886: CBAC SMTP: reply_type OTHERS 
    *Oct 18 21:51:35.886: CBAC SMTP: OTHER REPLY - Reply len: 64, match_len:64, reply_re_state:18
    *Oct 18 21:51:35.886: CBAC SMTP: OTHER REPLY match id:13
    *Oct 18 21:51:35.886: CBAC SMTP: OTHER REPLY match id:10
    *Oct 18 21:51:35.886: CBAC SMTP: End Of Reply Line - index:0 ,len:64
    
    
    !--- The client issues a command.
    
    *Oct 18 21:51:40.810: CBAC SMTP: VERB - Cmd len:1, match_len:1, cmd_re_state:9
    *Oct 18 21:51:40.994: CBAC SMTP: VERB - Cmd len:2, match_len:1, cmd_re_state:24
    *Oct 18 21:51:41.190: CBAC SMTP: VERB - Cmd len:3, match_len:1, cmd_re_state:40
    *Oct 18 21:51:41.390: CBAC SMTP: VERB - Cmd len:4, match_len:1, cmd_re_state:56
    *Oct 18 21:51:41.390: CBAC SMTP: VERB - match id:5
    *Oct 18 21:51:42.046: CBAC SMTP: CMD PARAM - Cmd len:5, match_len:1, cmd_re_state:7
    *Oct 18 21:51:43.462: CBAC SMTP: CMD PARAM - Cmd len:6, match_len:1, cmd_re_state:2
    *Oct 18 21:51:43.594: CBAC SMTP: CMD PARAM - Cmd len:7, match_len:1, cmd_re_state:2
    *Oct 18 21:51:43.794: CBAC SMTP: CMD PARAM - Cmd len:9, match_len:2, cmd_re_state:2
    *Oct 18 21:51:43.994: CBAC SMTP: CMD PARAM - Cmd len:10, match_len:1, cmd_re_state:2
    *Oct 18 21:51:44.194: CBAC SMTP: CMD PARAM - Cmd len:12, match_len:2, cmd_re_state:3
    *Oct 18 21:51:44.194: CBAC SMTP: CMD PARAM - match id:6
    *Oct 18 21:51:44.194: CBAC SMTP: End Of Command Line - index:1, len:12
    
    
    !--- The server replies.
    
    *Oct 18 21:51:44.198: CBAC SMTP: reply_type OTHERS 
    *Oct 18 21:51:44.198: CBAC SMTP: OTHER REPLY - Reply len: 11, match_len:11, reply_re_state:18
    *Oct 18 21:51:44.198: CBAC SMTP: OTHER REPLY match id:13
    *Oct 18 21:51:44.198: CBAC SMTP: OTHER REPLY match id:10
    *Oct 18 21:51:44.198: CBAC SMTP: End Of Reply Line - index:1 ,len:11
    
    
    !--- The client issues a command.
    
    *Oct 18 21:51:49.482: CBAC SMTP: VERB - Cmd len:1, match_len:1, cmd_re_state:3
    *Oct 18 21:51:50.222: CBAC SMTP: VERB - Cmd len:2, match_len:1, cmd_re_state:15
    *Oct 18 21:51:50.618: CBAC SMTP: VERB - Cmd len:3, match_len:1, cmd_re_state:31
    *Oct 18 21:51:50.954: CBAC SMTP: VERB - Cmd len:4, match_len:1, cmd_re_state:46
    *Oct 18 21:51:50.954: CBAC SMTP: VERB - match id:15
    *Oct 18 21:51:51.642: CBAC SMTP: CMD PARAM - Cmd len:5, match_len:1, cmd_re_state:7
    *Oct 18 21:51:51.914: CBAC SMTP: CMD PARAM - Cmd len:6, match_len:1, cmd_re_state:2
    *Oct 18 21:51:52.106: CBAC SMTP: CMD PARAM - Cmd len:7, match_len:1, cmd_re_state:2
    *Oct 18 21:51:54.754: CBAC SMTP: CMD PARAM - Cmd len:8, match_len:1, cmd_re_state:4
    *Oct 18 21:51:55.098: CBAC SMTP: CMD PARAM - Cmd len:9, match_len:1, cmd_re_state:2
    *Oct 18 21:51:55.322: CBAC SMTP: CMD PARAM - Cmd len:11, match_len:2, cmd_re_state:3
    *Oct 18 21:51:55.322: CBAC SMTP: CMD PARAM - match id:6
    *Oct 18 21:51:55.322: CBAC SMTP: End Of Command Line - index:2, len:11
    
    
    !--- The server replies.
    
    *Oct 18 21:51:55.326: CBAC SMTP: reply_type OTHERS 
    *Oct 18 21:51:55.326: CBAC SMTP: OTHER REPLY - Reply len: 19, match_len:19, reply_re_state:3
    *Oct 18 21:51:55.326: CBAC SMTP: OTHER REPLY match id:13
    *Oct 18 21:51:55.326: CBAC SMTP: End Of Reply Line - index:2 ,len:19
    
    *Oct 18 21:51:57.070: CBAC SMTP: VERB - Cmd len:1, match_len:1, cmd_re_state:3
    *Oct 18 21:51:57.402: CBAC SMTP: VERB - Cmd len:2, match_len:1, cmd_re_state:15
    *Oct 18 21:51:58.162: CBAC SMTP: VERB - Cmd len:3, match_len:1, cmd_re_state:31
    *Oct 18 21:51:58.462: CBAC SMTP: VERB - Cmd len:4, match_len:1, cmd_re_state:46
    *Oct 18 21:51:58.466: CBAC SMTP: VERB - match id:15
    *Oct 18 21:51:58.746: CBAC SMTP: CMD PARAM - Cmd len:5, match_len:1, cmd_re_state:7
    *Oct 18 21:51:59.006: CBAC SMTP: CMD PARAM - Cmd len:6, match_len:1, cmd_re_state:2
    *Oct 18 21:51:59.234: CBAC SMTP: CMD PARAM - Cmd len:7, match_len:1, cmd_re_state:2
    *Oct 18 21:51:59.418: CBAC SMTP: CMD PARAM - Cmd len:9, match_len:2, cmd_re_state:2
    *Oct 18 21:51:59.618: CBAC SMTP: CMD PARAM - Cmd len:10, match_len:1, cmd_re_state:2
    *Oct 18 21:51:59.818: CBAC SMTP: CMD PARAM - Cmd len:12, match_len:2, cmd_re_state:3
    *Oct 18 21:51:59.818: CBAC SMTP: CMD PARAM - match id:6
    *Oct 18 21:51:59.818: CBAC SMTP: End Of Command Line - index:3, len:12
    
    *Oct 18 21:51:59.818: CBAC SMTP: reply_type OTHERS 
    *Oct 18 21:51:59.818: CBAC SMTP: OTHER REPLY - Reply len: 19, match_len:19, reply_re_state:3
    *Oct 18 21:51:59.822: CBAC SMTP: OTHER REPLY match id:13
    *Oct 18 21:51:59.822: CBAC SMTP: End Of Reply Line - index:3 ,len:19
    
    *Oct 18 21:52:04.974: CBAC SMTP: VERB - Cmd len:1, match_len:1, cmd_re_state:9
    *Oct 18 21:52:05.170: CBAC SMTP: VERB - Cmd len:2, match_len:1, cmd_re_state:24
    *Oct 18 21:52:05.326: CBAC SMTP: VERB - Cmd len:3, match_len:1, cmd_re_state:40
    *Oct 18 21:52:05.526: CBAC SMTP: VERB - Cmd len:4, match_len:1, cmd_re_state:55
    *Oct 18 21:52:05.526: CBAC SMTP: VERB - match id:6
    *Oct 18 21:52:05.742: CBAC SMTP: CMD PARAM - Cmd len:6, match_len:2, cmd_re_state:3
    *Oct 18 21:52:05.742: CBAC SMTP: CMD PARAM - match id:6
    *Oct 18 21:52:05.742: CBAC SMTP: End Of Command Line - index:4, len:6
    
    *Oct 18 21:52:05.746: CBAC SMTP: reply_type OTHERS 
    *Oct 18 21:52:05.746: CBAC SMTP: OTHER REPLY - Reply len: 54, match_len:54, reply_re_state:3
    *Oct 18 21:52:05.746: CBAC SMTP: OTHER REPLY match id:13
    *Oct 18 21:52:05.746: CBAC SMTP: End Of Reply Line - index:4 ,len:54
    
    *Oct 18 21:52:05.746: CBAC SMTP: reply_type OTHERS 
    *Oct 18 21:52:05.746: CBAC SMTP: OTHER REPLY - Reply len: 15, match_len:15, reply_re_state:3
    *Oct 18 21:52:05.746: CBAC SMTP: OTHER REPLY match id:13
    *Oct 18 21:52:05.746: CBAC SMTP: End Of Reply Line - index:5 ,len:15
    
    *Oct 18 21:52:05.746: CBAC SMTP: reply_type OTHERS 
    *Oct 18 21:52:05.746: CBAC SMTP: OTHER REPLY - Reply len: 15, match_len:15, reply_re_state:3
    *Oct 18 21:52:05.746: CBAC SMTP: OTHER REPLY match id:13
    *Oct 18 21:52:05.746: CBAC SMTP: End Of Reply Line - index:6 ,len:15
    
    *Oct 18 21:52:05.746: CBAC SMTP: reply_type OTHERS 
    *Oct 18 21:52:05.750: CBAC SMTP: OTHER REPLY - Reply len: 6, match_len:6, reply_re_state:3
    *Oct 18 21:52:05.750: CBAC SMTP: OTHER REPLY match id:13
    *Oct 18 21:52:05.750: CBAC SMTP: End Of Reply Line - index:7 ,len:6
    
    *Oct 18 21:52:05.750: CBAC SMTP: reply_type OTHERS 
    *Oct 18 21:52:05.750: CBAC SMTP: OTHER REPLY - Reply len: 19, match_len:19, reply_re_state:3
    *Oct 18 21:52:05.750: CBAC SMTP: OTHER REPLY match id:13
    *Oct 18 21:52:05.750: CBAC SMTP: End Of Reply Line - index:8 ,len:19
    
    *Oct 18 21:52:05.750: CBAC SMTP: reply_type OTHERS 
    *Oct 18 21:52:05.750: CBAC SMTP: OTHER REPLY - Reply len: 17, match_len:17, reply_re_state:3
    *Oct 18 21:52:05.750: CBAC SMTP: OTHER REPLY match id:13
    *Oct 18 21:52:05.750: CBAC SMTP: End Of Reply Line - index:9 ,len:17
    
    *Oct 18 21:52:05.750: CBAC SMTP: reply_type OTHERS 
    *Oct 18 21:52:05.750: CBAC SMTP: OTHER REPLY - Reply len: 6, match_len:6, reply_re_state:3
    *Oct 18 21:52:05.750: CBAC SMTP: OTHER REPLY match id:13
    *Oct 18 21:52:05.754: CBAC SMTP: End Of Reply Line - index:10 ,len:6
    
    *Oct 18 21:52:05.754: CBAC SMTP: reply_type OTHERS 
    *Oct 18 21:52:05.754: CBAC SMTP: OTHER REPLY - Reply len: 6, match_len:6, reply_re_state:3
    *Oct 18 21:52:05.754: CBAC SMTP: OTHER REPLY match id:13
    *Oct 18 21:52:05.754: CBAC SMTP: End Of Reply Line - index:11 ,len:6
    
    *Oct 18 21:52:05.754: CBAC SMTP: reply_type OTHERS 
    *Oct 18 21:52:05.754: CBAC SMTP: OTHER REPLY - Reply len: 6, match_len:6, reply_re_state:3
    *Oct 18 21:52:05.754: CBAC SMTP: OTHER REPLY match id:13
    *Oct 18 21:52:05.754: CBAC SMTP: End Of Reply Line - index:12 ,len:6
    
    *Oct 18 21:52:05.754: CBAC SMTP: reply_type OTHERS 
    *Oct 18 21:52:05.754: CBAC SMTP: OTHER REPLY - Reply len: 3, match_len:3, reply_re_state:3
    *Oct 18 21:52:05.754: CBAC SMTP: OTHER REPLY match id:13
    *Oct 18 21:52:05.754: CBAC SMTP: End Of Reply Line - index:13 ,len:3
    
    *Oct 18 21:52:15.646: CBAC SMTP: VERB - Cmd len:1, match_len:1, cmd_re_state:6
    *Oct 18 21:52:15.838: CBAC SMTP: VERB - Cmd len:3, match_len:2, cmd_re_state:37
    *Oct 18 21:52:16.206: CBAC SMTP: VERB - Cmd len:4, match_len:1, cmd_re_state:52
    *Oct 18 21:52:16.206: CBAC SMTP: VERB - match id:9
    *Oct 18 21:52:18.954: CBAC SMTP: CMD PARAM - Cmd len:6, match_len:2, cmd_re_state:3
    *Oct 18 21:52:18.958: CBAC SMTP: CMD PARAM - match id:6
    *Oct 18 21:52:18.958: CBAC SMTP: End Of Command Line - index:5, len:6
    
    *Oct 18 21:52:18.958: CBAC SMTP: reply_type OTHERS 
    *Oct 18 21:52:18.958: CBAC SMTP: OTHER REPLY - Reply len: 21, match_len:21, reply_re_state:18
    *Oct 18 21:52:18.958: CBAC SMTP: OTHER REPLY match id:13
    *Oct 18 21:52:18.958: CBAC SMTP: OTHER REPLY match id:10
    *Oct 18 21:52:18.958: CBAC SMTP: End Of Reply Line - index:14 ,len:21

故障排除

目前没有针对此配置的故障排除信息。

相关的思科支持社区讨论

思科支持社区是您提问、解答问题、分享建议以及与工作伙伴协作的论坛。


相关信息


Document ID: 69309