Ray Brehm wrote:
> 
> MADMAN wrote:
> 
> >Yes I have run into problems defining http also.  The bottom line is I
> >now only "inspect" TCP, UDP and FTP.  These cover all the others without
> >breaking them!!!
> >
> thanks for the heads up
> I just updated IOS to v12.2.6a (I know I'm crazy but I might want
> cisco's support)
> what version of IOS have these problems?

  I know it wasn't in 12.2!!  As I said before, I don't think it's doing
anything cept eating up NVRAM when you add, for example, inspect http
when tcp covers http.

  Dave
> 
> >
> >  Dave
> >
> >"Steven A. Ridder" wrote:
> >
> >>The CBAC doesn't understand ESMTP commands I think.  Don't watch smtp on
> >>CBAC.  I ran into that problem before.
> >>
> >>"Ray Brehm" wrote in message news:[EMAIL PROTECTED]...
> >>
> >>>I have a 2621 with IOS IP/FW that I'm unable to connect through to the
> >>>inside SMTP server. I can connect to that same server using POP3 with no
> >>>errors. The inside device is a static NAT. The port appears open when I
> >>>port scan the IP address but I get TCP errors when trying to send mail.
> >>>
> >>>Any ideas? Did I miss something stupid?
> >>>Is the fact that I have multiple "nat inside" interfaces relevant in
> >>>this situation? (I've never known it to make a difference)
> >>>
> >>>Relevant config:
> >>>
> >>>ip inspect name firewall http
> >>>ip inspect name firewall ftp
> >>>ip inspect name firewall netshow
> >>>ip inspect name firewall realaudio
> >>>ip inspect name firewall rtsp
> >>>ip inspect name firewall smtp
> >>>ip inspect name firewall tcp
> >>>ip inspect name firewall udp
> >>>
> >>>interface FastEthernet0/0
> >>> ip address 10.1.0.1 255.255.255.0
> >>> ip nat inside
> >>> speed 10
> >>> full-duplex
> >>> ntp broadcast
> >>> bridge-group 1
> >>>!
> >>>interface Serial0/0
> >>> ip address 10.1.12.1 255.255.255.0
> >>> ip nat inside
> >>> bridge-group 1
> >>>!
> >>>interface FastEthernet0/1
> >>> ip address 12.42.189.2 255.255.255.240
> >>> ip access-group 103 in
> >>> ip nat outside
> >>> ip inspect firewall out
> >>> duplex auto
> >>> speed auto
> >>>!
> >>>interface Serial0/1
> >>> ip address 10.1.13.1 255.255.255.0
> >>> ip nat inside
> >>> bridge-group 1
> >>>!
> >>>router eigrp 100
> >>> redistribute static metric 384 255 255 1 1500
> >>> network 10.0.0.0
> >>> auto-summary
> >>> no eigrp log-neighbor-changes
> >>>!
> >>>ip nat inside source list 18 interface FastEthernet0/1 overload
> >>>ip nat inside source static 10.1.0.4 12.42.189.4
> >>>ip classless
> >>>ip route 0.0.0.0 0.0.0.0 12.42.189.1
> >>>!
> >>>logging history debugging
> >>>logging 10.1.0.3
> >>>access-list 18 permit 10.1.0.0 0.0.255.255
> >>>access-list 101 permit tcp any any ack
> >>>access-list 101 permit udp any any
> >>>access-list 101 permit icmp any any
> >>>access-list 103 permit tcp any host 12.42.189.4 eq smtp
> >>>access-list 103 permit tcp any host 12.42.189.4 eq pop3
> >>>bridge 1 protocol ieee
-- 
David Madland
Sr. Network Engineer
CCIE# 2016
Qwest Communications Int. Inc.
[EMAIL PROTECTED]
612-664-3367

"Emotion should reflect reason not guide it"




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=29830&t=29794
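
An added example, not part of the original thread: a small Python check that finds CBAC rule sets containing `smtp` inspection, the setting the replies above point to, and reports the interface and direction where each is applied. The function names are hypothetical, and the sample input is an excerpt of the configuration quoted in the original post with the quote markers removed.

```python
import re
from collections import defaultdict

# Excerpt of the configuration quoted in the thread (quote markers removed).
SAMPLE_CONFIG = """\
ip inspect name firewall http
ip inspect name firewall ftp
ip inspect name firewall smtp
ip inspect name firewall tcp
ip inspect name firewall udp
!
interface FastEthernet0/1
 ip address 12.42.189.2 255.255.255.240
 ip access-group 103 in
 ip inspect firewall out
!
"""

RULE_RE = re.compile(r"^ip inspect name (\S+) (\S+)")
IFACE_RE = re.compile(r"^interface (\S+)")
BIND_RE = re.compile(r"^\s+ip inspect (\S+) (in|out)\b")

def parse_inspection(config):
    """Return (rules, bindings): rule name -> protocols, rule name -> [(iface, dir)]."""
    rules, bindings = defaultdict(list), defaultdict(list)
    iface = None
    for line in config.splitlines():
        if m := RULE_RE.match(line):
            rules[m.group(1)].append(m.group(2))
        elif m := IFACE_RE.match(line):
            iface = m.group(1)
        elif line and not line[0].isspace():
            iface = None  # any other global line (including "!") ends the interface block
        elif iface and (m := BIND_RE.match(line)):
            bindings[m.group(1)].append((iface, m.group(2)))
    return dict(rules), dict(bindings)

def smtp_findings(config):
    """List (rule, interface, direction) where a rule that inspects smtp is applied."""
    rules, bindings = parse_inspection(config)
    return [(name, iface, direction)
            for name, protos in rules.items() if "smtp" in protos
            for iface, direction in bindings.get(name, [])]

if __name__ == "__main__":
    for name, iface, direction in smtp_findings(SAMPLE_CONFIG):
        print(f"rule '{name}' inspects smtp and is applied {direction} on {iface}")
```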