SMTP和ESMTP与Cisco IOS防火墙配置示例的连接检查配置示例

简介

本文档提供使用 Cisco IOS 中的 Cisco IOS® 防火墙检查入站简单邮件传输协议 (SMTP) 或简单扩展邮件传输协议 (ESMTP) 连接的示例配置。这种检查类似于在 Cisco PIX 500 系列安全设备中的邮箱保护功能。

先决条件

要求

本文档没有任何特定的要求。

使用的组件

本文档中的信息基于以下软件和硬件版本：

• Cisco IOS 软件版本 12.3(4)T 或更高版本

• Cisco 3640 路由器

本文档中的信息都是基于特定实验室环境中的设备编写的。本文档中使用的所有设备最初均采用原始（默认）配置。如果您使用的是真实网络，请确保您已经了解所有命令的潜在影响。

规则

有关文档约定的更多信息，请参考 Cisco 技术提示约定。

背景信息

SMTP 检查导致 SMTP 命令受到非法命令检查。将具有非法命令的数据包修改为“xxxx”模式并转发到服务器。此过程导致服务器发送否定回复，这会强制客户端发出有效命令。非法 SMTP 命令是除以下命令以外的其他命令：

ESMTP 检查与 SMTP 检查的运行方式相同。将具有非法命令的数据包修改为“xxxx”模式并转发到服务器，这会触发否定回复。非法 ESMTP 命令是除以下命令以外的其他命令：

ESMTP 检查也通过更深的命令检查检查这些扩展：

• 消息大小声明 (SIZE)

• 处理声明的远程队列 (ETRN)

• 二进制 MIME (BINARYMIME)

• 命令管道传输

• 身份验证

• 传送状态通知 (DSN)

• 增强状态代码 (ENHANCEDSTATUSCODE)

• 8 位 MIMEtransport (8BITMIME)

注意：  SMTP 和 ESMTP 检查无法同时配置。尝试配置两者会导致出现错误消息。

注意：在Cisco IOS软件版本12.3(4)T及更高版本中，Cisco IOS防火墙不再创建动态访问列表条目以允许流量。Cisco IOS 防火墙现在维护会话状态表以控制检查连接的安全。

配置

本部分提供有关如何配置本文档所述功能的信息。

注意：使用命令查找工具(仅限注册客户)可获取有关本节中使用的命令的详细信息。

网络图

本文档使用以下网络设置：

配置

本文档使用以下配置：

3640-123#show running-config
Building configuration...

Current configuration : 1432 bytes
!
version 12.3
service config
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 3640-123
!
boot-start-marker
boot-end-marker
!
enable password 7 02050D4808095E731F
!
no aaa new-model
!
resource policy
!
voice-card 3
!
ip subnet-zero
!
!
ip cef
no ip dhcp use vrf connected
!
!

!--- This is the Cisco IOS Firewall configuration.


!--- IN-OUT is the inspection rule for traffic that flows !--- from the inside interface of the router to the outside interface.

ip inspect name IN-OUT tcp
ip inspect name IN-OUT udp
ip inspect name IN-OUT ftp
ip inspect name IN-OUT http
ip inspect name IN-OUT icmp


!--- OUT-IN is the inspection rule for traffic that flows !--- from the outside interface of the router to the inside interface. !--- This rule is where SMTP/ESMTP inspection is specified.

ip inspect name OUT-IN smtp
!
no ip ips deny-action ips-interface
!
no ftp-server write-enable
!
!
!
!
controller T1 3/0
 framing sf
 linecode ami
!
!
!
!
!

!--- The outside interface.

interface Ethernet2/0
 ip address 172.22.1.16 255.255.255.0


!--- Apply the access list to permit SMTP/ESMTP connections !--- to the mail server. This also allows Cisco IOS Firewall !--- to inspect SMTP or ESMTP commands.

 ip access-group 101 in
 ip nat outside


!--- Apply the inspection rule OUT-IN inbound on this interface. This is !--- the rule that defines SMTP/ESMTP inspection.

 ip inspect OUT-IN in
 ip virtual-reassembly
 half-duplex
!
interface Serial2/0
 no ip address
 shutdown
!

!--- The inside interface.

interface Ethernet2/1
 ip address 10.10.10.1 255.255.255.0
 ip nat inside


!--- Apply the inspection rule IN-OUT inbound on this interface.

 ip inspect IN-OUT in
 ip virtual-reassembly
 half-duplex
!
ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 172.22.1.1
!
!

!--- The static translation for the mail server.

ip nat inside source static 10.10.10.2 172.22.1.110
ip nat inside source static 10.10.10.5 172.22.1.111
!

!--- The access list to permit SMTP and ESMTP to the mail server. !--- Cisco IOS Firewall inspects permitted traffic.

access-list 101 permit tcp any host 172.22.1.110 eq smtp
!
!
!
control-plane
!
!
!
voice-port 1/0/0
!
voice-port 1/0/1
!
voice-port 1/1/0
!
voice-port 1/1/1
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 password 7 121A0C0411045D5679
 login
!
!
end

验证

使用本部分可确认配置能否正常运行。

命令输出解释程序（仅限注册用户）(OIT) 支持某些 show 命令。使用 OIT 可查看对 show 命令输出的分析。

• show ip inspect all — 验证 Cisco IOS 防火墙检查规则配置及其在接口的应用。

  3640-123#show ip inspect all
  Session audit trail is disabled
  Session alert is enabled
  one-minute (sampling period) thresholds are [400:500] connections
  max-incomplete sessions thresholds are [400:500]
  max-incomplete tcp connections per host is 50. Block-time 0 minute.
  tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
  tcp idle-time is 3600 sec -- udp idle-time is 30 sec
  dns-timeout is 5 sec
  Inspection Rule Configuration
   Inspection name IN-OUT
      tcp alert is on audit-trail is off timeout 3600
      udp alert is on audit-trail is off timeout 30
      ftp alert is on audit-trail is off timeout 3600
      http alert is on audit-trail is off timeout 3600
      icmp alert is on audit-trail is off timeout 10
   Inspection name OUT-IN
      smtp max-data 20000000 alert is on audit-trail is off timeout 3600
  
  Interface Configuration
   Interface Ethernet2/1
    Inbound inspection rule is IN-OUT
      tcp alert is on audit-trail is off timeout 3600
      udp alert is on audit-trail is off timeout 30
      ftp alert is on audit-trail is off timeout 3600
      http alert is on audit-trail is off timeout 3600
      icmp alert is on audit-trail is off timeout 10
    Outgoing inspection rule is not set
    Inbound access list is not set
    Outgoing access list is not set
   Interface Ethernet2/0
    Inbound inspection rule is OUT-IN
      smtp max-data 20000000 alert is on audit-trail is off timeout 3600
    Outgoing inspection rule is not set
    Inbound access list is 101
    Outgoing access list is not set

• debug ip inspect smtp — 显示有关 Cisco IOS 防火墙 SMTP 检查事件的消息。

  注意：在使用debug命令之前，请参阅有关Debug命令的重要信息。

  ausnml-3600-02#debug ip inspect smtp
  INSPECT SMTP Inspection debugging is on
  ausnml-3600-02#
  *Oct 18 21:51:35.886: CBAC SMTP: reply_type OTHERS 
  *Oct 18 21:51:35.886: CBAC SMTP: OTHER REPLY - Reply len: 64, match_len:64, reply_re_state:18
  *Oct 18 21:51:35.886: CBAC SMTP: OTHER REPLY match id:13
  *Oct 18 21:51:35.886: CBAC SMTP: OTHER REPLY match id:10
  *Oct 18 21:51:35.886: CBAC SMTP: End Of Reply Line - index:0 ,len:64
  
  
  !--- The client issues a command.
  
  *Oct 18 21:51:40.810: CBAC SMTP: VERB - Cmd len:1, match_len:1, cmd_re_state:9
  *Oct 18 21:51:40.994: CBAC SMTP: VERB - Cmd len:2, match_len:1, cmd_re_state:24
  *Oct 18 21:51:41.190: CBAC SMTP: VERB - Cmd len:3, match_len:1, cmd_re_state:40
  *Oct 18 21:51:41.390: CBAC SMTP: VERB - Cmd len:4, match_len:1, cmd_re_state:56
  *Oct 18 21:51:41.390: CBAC SMTP: VERB - match id:5
  *Oct 18 21:51:42.046: CBAC SMTP: CMD PARAM - Cmd len:5, match_len:1, cmd_re_state:7
  *Oct 18 21:51:43.462: CBAC SMTP: CMD PARAM - Cmd len:6, match_len:1, cmd_re_state:2
  *Oct 18 21:51:43.594: CBAC SMTP: CMD PARAM - Cmd len:7, match_len:1, cmd_re_state:2
  *Oct 18 21:51:43.794: CBAC SMTP: CMD PARAM - Cmd len:9, match_len:2, cmd_re_state:2
  *Oct 18 21:51:43.994: CBAC SMTP: CMD PARAM - Cmd len:10, match_len:1, cmd_re_state:2
  *Oct 18 21:51:44.194: CBAC SMTP: CMD PARAM - Cmd len:12, match_len:2, cmd_re_state:3
  *Oct 18 21:51:44.194: CBAC SMTP: CMD PARAM - match id:6
  *Oct 18 21:51:44.194: CBAC SMTP: End Of Command Line - index:1, len:12
  
  
  !--- The server replies.
  
  *Oct 18 21:51:44.198: CBAC SMTP: reply_type OTHERS 
  *Oct 18 21:51:44.198: CBAC SMTP: OTHER REPLY - Reply len: 11, match_len:11, reply_re_state:18
  *Oct 18 21:51:44.198: CBAC SMTP: OTHER REPLY match id:13
  *Oct 18 21:51:44.198: CBAC SMTP: OTHER REPLY match id:10
  *Oct 18 21:51:44.198: CBAC SMTP: End Of Reply Line - index:1 ,len:11
  
  
  !--- The client issues a command.
  
  *Oct 18 21:51:49.482: CBAC SMTP: VERB - Cmd len:1, match_len:1, cmd_re_state:3
  *Oct 18 21:51:50.222: CBAC SMTP: VERB - Cmd len:2, match_len:1, cmd_re_state:15
  *Oct 18 21:51:50.618: CBAC SMTP: VERB - Cmd len:3, match_len:1, cmd_re_state:31
  *Oct 18 21:51:50.954: CBAC SMTP: VERB - Cmd len:4, match_len:1, cmd_re_state:46
  *Oct 18 21:51:50.954: CBAC SMTP: VERB - match id:15
  *Oct 18 21:51:51.642: CBAC SMTP: CMD PARAM - Cmd len:5, match_len:1, cmd_re_state:7
  *Oct 18 21:51:51.914: CBAC SMTP: CMD PARAM - Cmd len:6, match_len:1, cmd_re_state:2
  *Oct 18 21:51:52.106: CBAC SMTP: CMD PARAM - Cmd len:7, match_len:1, cmd_re_state:2
  *Oct 18 21:51:54.754: CBAC SMTP: CMD PARAM - Cmd len:8, match_len:1, cmd_re_state:4
  *Oct 18 21:51:55.098: CBAC SMTP: CMD PARAM - Cmd len:9, match_len:1, cmd_re_state:2
  *Oct 18 21:51:55.322: CBAC SMTP: CMD PARAM - Cmd len:11, match_len:2, cmd_re_state:3
  *Oct 18 21:51:55.322: CBAC SMTP: CMD PARAM - match id:6
  *Oct 18 21:51:55.322: CBAC SMTP: End Of Command Line - index:2, len:11
  
  
  !--- The server replies.
  
  *Oct 18 21:51:55.326: CBAC SMTP: reply_type OTHERS 
  *Oct 18 21:51:55.326: CBAC SMTP: OTHER REPLY - Reply len: 19, match_len:19, reply_re_state:3
  *Oct 18 21:51:55.326: CBAC SMTP: OTHER REPLY match id:13
  *Oct 18 21:51:55.326: CBAC SMTP: End Of Reply Line - index:2 ,len:19
  
  *Oct 18 21:51:57.070: CBAC SMTP: VERB - Cmd len:1, match_len:1, cmd_re_state:3
  *Oct 18 21:51:57.402: CBAC SMTP: VERB - Cmd len:2, match_len:1, cmd_re_state:15
  *Oct 18 21:51:58.162: CBAC SMTP: VERB - Cmd len:3, match_len:1, cmd_re_state:31
  *Oct 18 21:51:58.462: CBAC SMTP: VERB - Cmd len:4, match_len:1, cmd_re_state:46
  *Oct 18 21:51:58.466: CBAC SMTP: VERB - match id:15
  *Oct 18 21:51:58.746: CBAC SMTP: CMD PARAM - Cmd len:5, match_len:1, cmd_re_state:7
  *Oct 18 21:51:59.006: CBAC SMTP: CMD PARAM - Cmd len:6, match_len:1, cmd_re_state:2
  *Oct 18 21:51:59.234: CBAC SMTP: CMD PARAM - Cmd len:7, match_len:1, cmd_re_state:2
  *Oct 18 21:51:59.418: CBAC SMTP: CMD PARAM - Cmd len:9, match_len:2, cmd_re_state:2
  *Oct 18 21:51:59.618: CBAC SMTP: CMD PARAM - Cmd len:10, match_len:1, cmd_re_state:2
  *Oct 18 21:51:59.818: CBAC SMTP: CMD PARAM - Cmd len:12, match_len:2, cmd_re_state:3
  *Oct 18 21:51:59.818: CBAC SMTP: CMD PARAM - match id:6
  *Oct 18 21:51:59.818: CBAC SMTP: End Of Command Line - index:3, len:12
  
  *Oct 18 21:51:59.818: CBAC SMTP: reply_type OTHERS 
  *Oct 18 21:51:59.818: CBAC SMTP: OTHER REPLY - Reply len: 19, match_len:19, reply_re_state:3
  *Oct 18 21:51:59.822: CBAC SMTP: OTHER REPLY match id:13
  *Oct 18 21:51:59.822: CBAC SMTP: End Of Reply Line - index:3 ,len:19
  
  *Oct 18 21:52:04.974: CBAC SMTP: VERB - Cmd len:1, match_len:1, cmd_re_state:9
  *Oct 18 21:52:05.170: CBAC SMTP: VERB - Cmd len:2, match_len:1, cmd_re_state:24
  *Oct 18 21:52:05.326: CBAC SMTP: VERB - Cmd len:3, match_len:1, cmd_re_state:40
  *Oct 18 21:52:05.526: CBAC SMTP: VERB - Cmd len:4, match_len:1, cmd_re_state:55
  *Oct 18 21:52:05.526: CBAC SMTP: VERB - match id:6
  *Oct 18 21:52:05.742: CBAC SMTP: CMD PARAM - Cmd len:6, match_len:2, cmd_re_state:3
  *Oct 18 21:52:05.742: CBAC SMTP: CMD PARAM - match id:6
  *Oct 18 21:52:05.742: CBAC SMTP: End Of Command Line - index:4, len:6
  
  *Oct 18 21:52:05.746: CBAC SMTP: reply_type OTHERS 
  *Oct 18 21:52:05.746: CBAC SMTP: OTHER REPLY - Reply len: 54, match_len:54, reply_re_state:3
  *Oct 18 21:52:05.746: CBAC SMTP: OTHER REPLY match id:13
  *Oct 18 21:52:05.746: CBAC SMTP: End Of Reply Line - index:4 ,len:54
  
  *Oct 18 21:52:05.746: CBAC SMTP: reply_type OTHERS 
  *Oct 18 21:52:05.746: CBAC SMTP: OTHER REPLY - Reply len: 15, match_len:15, reply_re_state:3
  *Oct 18 21:52:05.746: CBAC SMTP: OTHER REPLY match id:13
  *Oct 18 21:52:05.746: CBAC SMTP: End Of Reply Line - index:5 ,len:15
  
  *Oct 18 21:52:05.746: CBAC SMTP: reply_type OTHERS 
  *Oct 18 21:52:05.746: CBAC SMTP: OTHER REPLY - Reply len: 15, match_len:15, reply_re_state:3
  *Oct 18 21:52:05.746: CBAC SMTP: OTHER REPLY match id:13
  *Oct 18 21:52:05.746: CBAC SMTP: End Of Reply Line - index:6 ,len:15
  
  *Oct 18 21:52:05.746: CBAC SMTP: reply_type OTHERS 
  *Oct 18 21:52:05.750: CBAC SMTP: OTHER REPLY - Reply len: 6, match_len:6, reply_re_state:3
  *Oct 18 21:52:05.750: CBAC SMTP: OTHER REPLY match id:13
  *Oct 18 21:52:05.750: CBAC SMTP: End Of Reply Line - index:7 ,len:6
  
  *Oct 18 21:52:05.750: CBAC SMTP: reply_type OTHERS 
  *Oct 18 21:52:05.750: CBAC SMTP: OTHER REPLY - Reply len: 19, match_len:19, reply_re_state:3
  *Oct 18 21:52:05.750: CBAC SMTP: OTHER REPLY match id:13
  *Oct 18 21:52:05.750: CBAC SMTP: End Of Reply Line - index:8 ,len:19
  
  *Oct 18 21:52:05.750: CBAC SMTP: reply_type OTHERS 
  *Oct 18 21:52:05.750: CBAC SMTP: OTHER REPLY - Reply len: 17, match_len:17, reply_re_state:3
  *Oct 18 21:52:05.750: CBAC SMTP: OTHER REPLY match id:13
  *Oct 18 21:52:05.750: CBAC SMTP: End Of Reply Line - index:9 ,len:17
  
  *Oct 18 21:52:05.750: CBAC SMTP: reply_type OTHERS 
  *Oct 18 21:52:05.750: CBAC SMTP: OTHER REPLY - Reply len: 6, match_len:6, reply_re_state:3
  *Oct 18 21:52:05.750: CBAC SMTP: OTHER REPLY match id:13
  *Oct 18 21:52:05.754: CBAC SMTP: End Of Reply Line - index:10 ,len:6
  
  *Oct 18 21:52:05.754: CBAC SMTP: reply_type OTHERS 
  *Oct 18 21:52:05.754: CBAC SMTP: OTHER REPLY - Reply len: 6, match_len:6, reply_re_state:3
  *Oct 18 21:52:05.754: CBAC SMTP: OTHER REPLY match id:13
  *Oct 18 21:52:05.754: CBAC SMTP: End Of Reply Line - index:11 ,len:6
  
  *Oct 18 21:52:05.754: CBAC SMTP: reply_type OTHERS 
  *Oct 18 21:52:05.754: CBAC SMTP: OTHER REPLY - Reply len: 6, match_len:6, reply_re_state:3
  *Oct 18 21:52:05.754: CBAC SMTP: OTHER REPLY match id:13
  *Oct 18 21:52:05.754: CBAC SMTP: End Of Reply Line - index:12 ,len:6
  
  *Oct 18 21:52:05.754: CBAC SMTP: reply_type OTHERS 
  *Oct 18 21:52:05.754: CBAC SMTP: OTHER REPLY - Reply len: 3, match_len:3, reply_re_state:3
  *Oct 18 21:52:05.754: CBAC SMTP: OTHER REPLY match id:13
  *Oct 18 21:52:05.754: CBAC SMTP: End Of Reply Line - index:13 ,len:3
  
  *Oct 18 21:52:15.646: CBAC SMTP: VERB - Cmd len:1, match_len:1, cmd_re_state:6
  *Oct 18 21:52:15.838: CBAC SMTP: VERB - Cmd len:3, match_len:2, cmd_re_state:37
  *Oct 18 21:52:16.206: CBAC SMTP: VERB - Cmd len:4, match_len:1, cmd_re_state:52
  *Oct 18 21:52:16.206: CBAC SMTP: VERB - match id:9
  *Oct 18 21:52:18.954: CBAC SMTP: CMD PARAM - Cmd len:6, match_len:2, cmd_re_state:3
  *Oct 18 21:52:18.958: CBAC SMTP: CMD PARAM - match id:6
  *Oct 18 21:52:18.958: CBAC SMTP: End Of Command Line - index:5, len:6
  
  *Oct 18 21:52:18.958: CBAC SMTP: reply_type OTHERS 
  *Oct 18 21:52:18.958: CBAC SMTP: OTHER REPLY - Reply len: 21, match_len:21, reply_re_state:18
  *Oct 18 21:52:18.958: CBAC SMTP: OTHER REPLY match id:13
  *Oct 18 21:52:18.958: CBAC SMTP: OTHER REPLY match id:10
  *Oct 18 21:52:18.958: CBAC SMTP: End Of Reply Line - index:14 ,len:21

故障排除

目前没有针对此配置的故障排除信息。

相关信息

• Cisco IOS 防火墙特性集的常见问题
• IOS防火墙支持页面
• 技术支持和文档 - Cisco Systems