Try removing the access lists next.  I can't see how POP gets in and smtp
doesn't, especially with CBAC off now.


"MADMAN" wrote in message news:[EMAIL PROTECTED]...
> Ray Brehm wrote:
> >
> > MADMAN wrote:
> >
> > >Yes I have run into problems defining http also.  The bottom line is I
> > >now only "inspect" TCP, UDP and FTP.  These cover all the others without
> > >breaking them!!!
> > >
> > thanks for the heads up
> > I just updated IOS to v12.2.6a (I know I'm crazy but I might want
> > cisco's support)
> > what version of IOS have these problems?
>
>   I know it wasn't in 12.2!!  As I said before, I don't think it's doing
> anything cept eating up NVRAM when you add, for example, inspect http
> when tcp covers http.
>
>   Dave
> >
> > >
> > >  Dave
> > >
> > >"Steven A. Ridder" wrote:
> > >
> > >>The CBAC doesn't understand ESMTP commands I think.  Don't watch smtp on
> > >>CBAC.  I ran into that problem before.
> > >>
> > >>"Ray Brehm" wrote in message news:[EMAIL PROTECTED]...
> > >>
> > >>>I have a 2621 with IOS IP/FW that I'm unable to connect through to the
> > >>>inside SMTP server. I can connect to that same server using POP3 with no
> > >>>errors. The inside device is a static NAT. The port appears open when I
> > >>>port scan the IP address but I get TCP errors when trying to send mail.
> > >>>
> > >>>Any ideas? Did I miss something stupid?
> > >>>Is the fact that I have multiple "nat inside" interfaces relevant in
> > >>>this situation? (I've never known it to make a difference)
> > >>>
> > >>>Relevant config:
> > >>>
> > >>>ip inspect name firewall http
> > >>>ip inspect name firewall ftp
> > >>>ip inspect name firewall netshow
> > >>>ip inspect name firewall realaudio
> > >>>ip inspect name firewall rtsp
> > >>>ip inspect name firewall smtp
> > >>>ip inspect name firewall tcp
> > >>>ip inspect name firewall udp
> > >>>
> > >>>interface FastEthernet0/0
> > >>> ip address 10.1.0.1 255.255.255.0
> > >>> ip nat inside
> > >>> speed 10
> > >>> full-duplex
> > >>> ntp broadcast
> > >>> bridge-group 1
> > >>>!
> > >>>interface Serial0/0
> > >>> ip address 10.1.12.1 255.255.255.0
> > >>> ip nat inside
> > >>> bridge-group 1
> > >>>!
> > >>>interface FastEthernet0/1
> > >>> ip address 12.42.189.2 255.255.255.240
> > >>> ip access-group 103 in
> > >>> ip nat outside
> > >>> ip inspect firewall out
> > >>> duplex auto
> > >>> speed auto
> > >>>!
> > >>>interface Serial0/1
> > >>> ip address 10.1.13.1 255.255.255.0
> > >>> ip nat inside
> > >>> bridge-group 1
> > >>>!
> > >>>router eigrp 100
> > >>> redistribute static metric 384 255 255 1 1500
> > >>> network 10.0.0.0
> > >>> auto-summary
> > >>> no eigrp log-neighbor-changes
> > >>>!
> > >>>ip nat inside source list 18 interface FastEthernet0/1 overload
> > >>>ip nat inside source static 10.1.0.4 12.42.189.4
> > >>>ip classless
> > >>>ip route 0.0.0.0 0.0.0.0 12.42.189.1
> > >>>!
> > >>>logging history debugging
> > >>>logging 10.1.0.3
> > >>>access-list 18 permit 10.1.0.0 0.0.255.255
> > >>>access-list 101 permit tcp any any ack
> > >>>access-list 101 permit udp any any
> > >>>access-list 101 permit icmp any any
> > >>>access-list 103 permit tcp any host 12.42.189.4 eq smtp
> > >>>access-list 103 permit tcp any host 12.42.189.4 eq pop3
> > >>>bridge 1 protocol ieee
> --
> David Madland
> Sr. Network Engineer
> CCIE# 2016
> Qwest Communications Int. Inc.
> [EMAIL PROTECTED]
> 612-664-3367
>
> "Emotion should reflect reason not guide it"




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=29847&t=29794
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
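
Added example, not code from anyone in the thread: a small Python audit that reads a saved config, finds the inspection rule applied to an interface, and lists the `no ip inspect name` commands that would reduce it to the tcp/udp/ftp set MADMAN describes. The `KEEP` set and function names are assumptions made for this sketch; the sample text is constructed from the config lines quoted above.

```python
import re

# Constructed sample: inspection and interface lines copied from the quoted config.
SAMPLE_CONFIG = """\
ip inspect name firewall http
ip inspect name firewall ftp
ip inspect name firewall netshow
ip inspect name firewall realaudio
ip inspect name firewall rtsp
ip inspect name firewall smtp
ip inspect name firewall tcp
ip inspect name firewall udp
!
interface FastEthernet0/1
 ip inspect firewall out
!
"""

# Assumption taken from the thread: inspect only generic tcp/udp plus ftp.
KEEP = {"tcp", "udp", "ftp"}

def parse_inspect_rules(config):
    """Return {rule_name: [protocols]} from global 'ip inspect name' lines."""
    rules = {}
    for m in re.finditer(r"^ip inspect name (\S+) (\S+)", config, re.M):
        rules.setdefault(m.group(1), []).append(m.group(2))
    return rules

def applied_rules(config):
    """Return [(interface, rule_name, direction)] for rules bound to interfaces."""
    out, iface = [], None
    for line in config.splitlines():
        if line.startswith("interface "):
            iface = line.split()[1]
        elif not line.startswith(" "):
            iface = None  # left the interface block
        m = re.match(r"^ ip inspect (\S+) (in|out)$", line)
        if m and iface:
            out.append((iface, m.group(1), m.group(2)))
    return out

def suggest_removals(config):
    """List 'no' commands for application-specific entries of applied rules."""
    rules = parse_inspect_rules(config)
    return [f"no ip inspect name {name} {p}"
            for _i, name, _d in applied_rules(config)
            for p in rules.get(name, []) if p not in KEEP]

if __name__ == "__main__":
    print("\n".join(suggest_removals(SAMPLE_CONFIG)))
```

Only rules that are actually bound to an interface are reported, so an unused inspection name in the config produces no suggestions.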