Exchange and Zone-Based firewalls

I ran into some issues with Exchange running through Zone-based firewalls, where the servers would not pass mail between them. This appears to be related to SMTP inspection rejecting the ESMTP commands Exchange uses. The problem can be resolved by creating a class for SMTP between your mailservers, and configuring it with a pass action, instead of inspect. Just remember that you need to create rules in both directions, and the class must be before any classes that would inspect the traffic.

A Simple config would look something like this, with the mail servers at 172.16.1.10 and 172.17.1.10.

ip access-list extended ACL-FIREWALL-EXCHANGE
 permit tcp 172.0.1.10 0.255.0.0 172.0.1.10 0.255.0.0 eq 25
 permit tcp 172.0.1.10 0.255.0.0 eq 25 172.0.1.10 0.255.0.0
 ! The access-list matches traffic to or from either mail server 

class-map CLASS-FIREWALL-EXCHANGE
 match access-group name ACL-FIREWALL-EXCHANGE

class-map CLASS-FIREWALL-ALLOWED-PROTOCOLS
 match protocol HTTP
 match protocol HTTPS
 match protocol FTP 

policy-map type inspect POL-MAP-LAN-TO-WAN
 class  CLASS-FIREWALL-EXCHANGE
  pass
 class  CLASS-FIREWALL-ALLOWED-PROTOCOLS
  inspect 
 class class-default
  drop 

policy-map type inspect POL-MAP-WAN-TO-LAN
 class  CLASS-FIREWALL-EXCHANGE
  pass
 class  CLASS-FIREWALL-ALLOWED-PROTOCOLS
  inspect 
 class class-default
  drop 

zone security WAN
zone security LAN
zone-pair security WAN-TO-LAN source WAN destination LAN
 service-policy type inspect POL-MAP-FIREWALL-OUTBOUND
zone-pair security LAN_TO_WAN source LAN destination WAN
 service-policy type inspect POL-MAP-LAN-TO-WAN

interface e0/0
 zone-member security LAN

interface s0/0
 zone-member security WAN

One thought on “Exchange and Zone-Based firewalls

  1. Your solution is a good way to address problematic inspection between hosts where the address is known, and the traffic is trusted. However, applying the “pass” action provides no stateful inspection, and depending on the ios version, may offer no logging capability for the traffic. Regarding the difference between SMTP and ESMTP traffic, you need to define “match protocol smtp extended” for the firewall to recognize and allow the RFC 1869 extension commands.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.