For future reference, once you enable CBAC on an interface, it MONITORS
traffic in both directions.

As for the SMTP thing, you remove ip inspect from the interface, and you can
telnet into the server at port 25?  Do I have that right?  You SURE you
removed it?  Cause if you can get in via 25 via telnet, you're in.  Only
CBAC would block it if you tried to log in to the server, or some other
ESMTP command, and that's only if it was on.  You sure the server isn't bad?


"Ray Brehm" wrote in message news:[EMAIL PROTECTED]...
> Steven A. Ridder wrote:
>
> >The CBAC doesn't understand ESMTP commands I think.  Don't watch smtp on
> >CBAC.  I ran into that problem before.
> >
> I'm not actually doing CBAC on the inbound traffic, I'm just letting it
> through with the access list. At any rate, I removed the IP inspect
> command from the interface and I still have the same problem. TCP to the
> POP port works fine, TCP to the SMTP port doesn't respond. I can telnet
> to port 25 locally, get the server response and type a command, I get no
> response telnetting to port 25 through the firewall.
>
> >
> >
> >"Ray Brehm" wrote in message news:[EMAIL PROTECTED]...
> >
> >>I have a 2621 with IOS IP/FW that I'm unable to connect through to the
> >>inside SMTP server. I can connect to that same server using POP3 with no
> >>errors. The inside device is a static NAT. The port appears open when I
> >>port scan the IP address but I get TCP errors when trying to send mail.
> >>
> >>Any ideas? Did I miss something stupid?
> >>Is the fact that I have multiple "nat inside" interfaces relevant in
> >>this situation? (I've never known it to make a difference)
> >>
> >>Relevant config:
> >>
> >>ip inspect name firewall http
> >>ip inspect name firewall ftp
> >>ip inspect name firewall netshow
> >>ip inspect name firewall realaudio
> >>ip inspect name firewall rtsp
> >>ip inspect name firewall smtp
> >>ip inspect name firewall tcp
> >>ip inspect name firewall udp
> >>
> >>interface FastEthernet0/0
> >> ip address 10.1.0.1 255.255.255.0
> >> ip nat inside
> >> speed 10
> >> full-duplex
> >> ntp broadcast
> >> bridge-group 1
> >>!
> >>interface Serial0/0
> >> ip address 10.1.12.1 255.255.255.0
> >> ip nat inside
> >> bridge-group 1
> >>!
> >>interface FastEthernet0/1
> >> ip address 12.42.189.2 255.255.255.240
> >> ip access-group 103 in
> >> ip nat outside
> >> ip inspect firewall out
> >> duplex auto
> >> speed auto
> >>!
> >>interface Serial0/1
> >> ip address 10.1.13.1 255.255.255.0
> >> ip nat inside
> >> bridge-group 1
> >>!
> >>router eigrp 100
> >> redistribute static metric 384 255 255 1 1500
> >> network 10.0.0.0
> >> auto-summary
> >> no eigrp log-neighbor-changes
> >>!
> >>ip nat inside source list 18 interface FastEthernet0/1 overload
> >>ip nat inside source static 10.1.0.4 12.42.189.4
> >>ip classless
> >>ip route 0.0.0.0 0.0.0.0 12.42.189.1
> >>!
> >>logging history debugging
> >>logging 10.1.0.3
> >>access-list 18 permit 10.1.0.0 0.0.255.255
> >>access-list 101 permit tcp any any ack
> >>access-list 101 permit udp any any
> >>access-list 101 permit icmp any any
> >>access-list 103 permit tcp any host 12.42.189.4 eq smtp
> >>access-list 103 permit tcp any host 12.42.189.4 eq pop3
> >>bridge 1 protocol ieee
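The manual check discussed in this thread (telnet to port 25, wait for the banner, type an ESMTP command, compare local versus through-the-firewall behaviour) written as a script. This is an added example, not code from the thread or from any Cisco tool; the probe host, the EHLO name and the outcome-to-cause mapping in classify() are assumptions.

```python
import socket

def parse_smtp_reply(buf):
    # Reply code once the terminating "NNN text" line (rather than "NNN-text") is present, else None.
    for line in filter(None, buf.split("\r\n")):
        sep = line[3:4]
        if not line[:3].isdigit() or sep not in (" ", "-", ""):
            return None
        if sep != "-":
            return int(line[:3])
    return None

def _read_reply(sock):
    # 'ok', 'timeout' or 'closed'; the socket's timeout was set by create_connection().
    buf = b""
    try:
        while parse_smtp_reply(buf.decode("ascii", "replace")) is None:
            chunk = sock.recv(4096)
            if not chunk:
                return "closed"
            buf += chunk
        return "ok"
    except socket.timeout:
        return "timeout"

def probe_smtp(host, port=25, timeout=5.0, helo_name="probe.example.invalid"):
    # Walk connect -> banner -> EHLO and record how far the exchange gets (host/helo_name are assumed values).
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return {"connect": "failed"}
    steps = {"connect": "ok", "banner": None, "ehlo": None}
    with sock:
        steps["banner"] = _read_reply(sock)
        if steps["banner"] == "ok":  # banner arrived; now send an ESMTP command
            sock.sendall(("EHLO %s\r\nQUIT\r\n" % helo_name).encode("ascii"))
            steps["ehlo"] = _read_reply(sock)
    return steps

def classify(steps):
    # Assumed mapping from outcome to the layer to look at, mirroring the checks in the thread.
    if steps.get("connect") != "ok":
        return "no TCP connection: access list, NAT or host"
    if steps.get("banner") != "ok":
        return "TCP open but no banner: server not answering or its replies not passed back"
    if steps.get("ehlo") != "ok":
        return "banner seen but EHLO unanswered: command dropped in transit (e.g. SMTP inspection)"
    return "SMTP exchange works end to end"
```

Run it once from inside against the server and once from outside through the router; a result that stops at the EHLO step only on the outside path points at what sits between, not at the server.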




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=29820&t=29794
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]