Yes, I have run into problems defining http also. The bottom line is I now only "inspect" TCP, UDP and FTP. These cover all the others without breaking them!!!
Dave

"Steven A. Ridder" wrote:
>
> The CBAC doesn't understand ESMTP commands I think. Don't watch smtp on
> CBAC. I ran into that problem before.
>
> "Ray Brehm" wrote in message
> news:[EMAIL PROTECTED]...
> > I have a 2621 with IOS IP/FW that I'm unable to connect through to the
> > inside SMTP server. I can connect to that same server using POP3 with no
> > errors. The inside device is a static NAT. The port appears open when I
> > port scan the IP address but I get TCP errors when trying to send mail.
> >
> > Any ideas? Did I miss something stupid?
> > Is the fact that I have multiple "nat inside" interfaces relevant in
> > this situation? (I've never known it to make a difference)
> >
> > Relevant config:
> >
> > ip inspect name firewall http
> > ip inspect name firewall ftp
> > ip inspect name firewall netshow
> > ip inspect name firewall realaudio
> > ip inspect name firewall rtsp
> > ip inspect name firewall smtp
> > ip inspect name firewall tcp
> > ip inspect name firewall udp
> >
> > interface FastEthernet0/0
> >  ip address 10.1.0.1 255.255.255.0
> >  ip nat inside
> >  speed 10
> >  full-duplex
> >  ntp broadcast
> >  bridge-group 1
> > !
> > interface Serial0/0
> >  ip address 10.1.12.1 255.255.255.0
> >  ip nat inside
> >  bridge-group 1
> > !
> > interface FastEthernet0/1
> >  ip address 12.42.189.2 255.255.255.240
> >  ip access-group 103 in
> >  ip nat outside
> >  ip inspect firewall out
> >  duplex auto
> >  speed auto
> > !
> > interface Serial0/1
> >  ip address 10.1.13.1 255.255.255.0
> >  ip nat inside
> >  bridge-group 1
> > !
> > router eigrp 100
> >  redistribute static metric 384 255 255 1 1500
> >  network 10.0.0.0
> >  auto-summary
> >  no eigrp log-neighbor-changes
> > !
> > ip nat inside source list 18 interface FastEthernet0/1 overload
> > ip nat inside source static 10.1.0.4 12.42.189.4
> > ip classless
> > ip route 0.0.0.0 0.0.0.0 12.42.189.1
> > !
> > logging history debugging
> > logging 10.1.0.3
> > access-list 18 permit 10.1.0.0 0.0.255.255
> > access-list 101 permit tcp any any ack
> > access-list 101 permit udp any any
> > access-list 101 permit icmp any any
> > access-list 103 permit tcp any host 12.42.189.4 eq smtp
> > access-list 103 permit tcp any host 12.42.189.4 eq pop3
> > bridge 1 protocol ieee

--
David Madland
Sr. Network Engineer
CCIE# 2016
Qwest Communications Int. Inc.
[EMAIL PROTECTED]
612-664-3367
"Emotion should reflect reason not guide it"
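
Added illustration, not part of the original thread and not Cisco's code: a small Python model of an inspector that recognises only the RFC 821 command set, run over the client side of a mail session, to show why a client opening with the ESMTP `EHLO` greeting would be flagged while the same mail sent with `HELO` passes. The command set used as the model, the function name and the session lines are assumptions constructed for the example.

```python
# Toy model of an SMTP inspector that only knows RFC 821 commands.
# Assumption: this approximates the behaviour described in the thread;
# it is not the CBAC implementation.

RFC821_COMMANDS = {
    "HELO", "MAIL", "RCPT", "DATA", "RSET", "SEND", "SOML", "SAML",
    "VRFY", "EXPN", "HELP", "NOOP", "QUIT", "TURN",
}


def inspect_client_stream(lines):
    """Return (line_no, verb) for each client command outside RFC 821.

    Lines between DATA and the terminating "." are message content,
    not commands, so they are skipped.
    """
    rejected = []
    in_data = False
    for no, line in enumerate(lines, start=1):
        if in_data:
            if line == ".":
                in_data = False
            continue
        verb = line.split(" ", 1)[0].upper()
        if not verb:
            continue
        if verb not in RFC821_COMMANDS:
            rejected.append((no, verb))
        elif verb == "DATA":
            in_data = True
    return rejected


# Constructed client-side session lines (example.net / example.org are placeholders).
ESMTP_SESSION = [
    "EHLO mail.example.net",
    "MAIL FROM:<a@example.net>",
    "RCPT TO:<b@example.org>",
    "DATA",
    "Subject: test",
    "",
    "EHLO inside the body is content, not a command",
    ".",
    "QUIT",
]
PLAIN_SESSION = ["HELO mail.example.net"] + ESMTP_SESSION[1:]

if __name__ == "__main__":
    print("ESMTP client:", inspect_client_stream(ESMTP_SESSION))
    print("SMTP client: ", inspect_client_stream(PLAIN_SESSION))
```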