Steven A. Ridder wrote: >For furture reference, once you enable CBAC on an interface, it MONITORS >traffic in both directions. > did not know it worked that way, I'll have to go back to the books again
> >As for the SMTP thing, you remove ip inspect from the interface, and you can >telnet into the server at port 25? Do I have that right? You SURE you >removed it? Cause if you can get in via 25 via telnet, you're in. Only >CBAC would block it if you tried to login into the server, or some other >ESMTP command, and that's only if it was on. You sure the server isn't bad? > I removed the ip inspect from the interface and restarted the router with the new config. Even at that point, I could not telnet to port 25 on the server from outside the router. I can telnet to port 25 on the server when I'm on the local network so the server doesn't have a problem (other than the fact it's exchange, but that's another story) > > >""Ray Brehm"" wrote in message >[EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > >>Steven A. Ridder wrote: >> >>>The CBAC dosen't understand ESMTP commands I think. Don't watch smtp on >>>CBAC. I ran into that problem before. >>> >>I'm not actually doing CBAC on the inbound traffic, I'm just letting it >>through with the access list. At any rate, I removed the IP inspect >>command from the interface and I still have the same problem. TCP to the >>POP port works fine, TCP to the SMTP port doesn't respond. I can telnet >>to port 25 locally, get the server response and type a command, I get no >>response telnetting to port 25 through the firewall. >> >>> >>>""Ray Brehm"" wrote in message >>>[EMAIL PROTECTED]">news:[EMAIL PROTECTED]... >>> >>>>I have a 2621 with IOS IP/FW that I'm unable to connect through to the >>>>inside SMTP server. I can connect to that same server using POP3 with no >>>>errors. The inside device is a static NAT. The port appears open when I >>>>port scan the IP address but I get TCP errors when trying to send mail. >>>> >>>>Any ideas? Did I miss something stupid? >>>>Is the fact that I have multiple "nat inside" interfaces relevant is >>>>this situation? (I've never known it to make a difference) >>>> >>>>Relevant config: >>>> >>>>ip inspect name firewall http >>>>ip inspect name firewall ftp >>>>ip inspect name firewall netshow >>>>ip inspect name firewall realaudio >>>>ip inspect name firewall rtsp >>>>ip inspect name firewall smtp >>>>ip inspect name firewall tcp >>>>ip inspect name firewall udp >>>> >>>>interface FastEthernet0/0 >>>>ip address 10.1.0.1 255.255.255.0 >>>>ip nat inside >>>>speed 10 >>>>full-duplex >>>>ntp broadcast >>>>bridge-group 1 >>>>! >>>>interface Serial0/0 >>>>ip address 10.1.12.1 255.255.255.0 >>>>ip nat inside >>>>bridge-group 1 >>>>! >>>>interface FastEthernet0/1 >>>>ip address 12.42.189.2 255.255.255.240 >>>>ip access-group 103 in >>>>ip nat outside >>>>ip inspect firewall out >>>>duplex auto >>>>speed auto >>>>! >>>>interface Serial0/1 >>>>ip address 10.1.13.1 255.255.255.0 >>>>ip nat inside >>>>bridge-group 1 >>>>! >>>>router eigrp 100 >>>>redistribute static metric 384 255 255 1 1500 >>>>network 10.0.0.0 >>>>auto-summary >>>>no eigrp log-neighbor-changes >>>>! >>>>ip nat inside source list 18 interface FastEthernet0/1 overload >>>>ip nat inside source static 10.1.0.4 12.42.189.4 >>>>ip classless >>>>ip route 0.0.0.0 0.0.0.0 12.42.189.1 >>>>! >>>>logging history debugging >>>>logging 10.1.0.3 >>>>access-list 18 permit 10.1.0.0 0.0.255.255 >>>>access-list 101 permit tcp any any ack >>>>access-list 101 permit udp any any >>>>access-list 101 permit icmp any any >>>>access-list 103 permit tcp any host 12.42.189.4 eq smtp >>>>access-list 103 permit tcp any host 12.42.189.4 eq pop3 >>>>bridge 1 protocol ieee Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=29828&t=29794 -------------------------------------------------- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
