Ray,

A few more ideas:

1) Can the SMTP server resolve the name of the external machine? Some apps like to do a reverse lookup on the IP addresses that connect to them and may fail if they cannot. If you're not sure if it can resolve the name, try adding the connecting machine's IP address to the /etc/hosts file of your mail server. (It's under winnt/system32/drivers on Windows.)

2) Try completely removing all CBAC (if you haven't already) and create a permit access-list like this:

access-list 103 permit tcp any any eq 25 log
access-list 103 permit tcp any any eq 110
access-list 103 permit udp any any log
access-list 103 permit tcp any any log
access-list 103 permit icmp any any log
access-list 103 permit ip any any

And see what your log files look like. (You probably want to do this sometime when your router isn't moving a lot of traffic, as there could be a lot of logging info.)

You may also want to put an acl on your fe 0/0 interface like this:

access-list 104 permit tcp any any log
access-list 104 permit udp any any log
access-list 104 permit icmp any any log
access-list 104 permit ip any any

This will give you a good idea of what's happening at the packet level.

If it _still_ doesn't work, I would definitely consider replacing the router.

HTH,
Kent

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 21, 2001 8:20 AM
To: [EMAIL PROTECTED]
Subject: Re: IOS firewall, NAT and smtp [7:29794]

Steven A. Ridder wrote:
>Try removing the access lists next. I can't see how POP gets in and smtp
>doesn't, especially with CBAC off now.
>

I removed all access control from the interface and I still get the same
problem. I'm going to test it on another router, then I'm going after
cisco with this one.

Thanks for your help

>
>
>""MADMAN"" wrote in message news:[EMAIL PROTECTED]...
>
>>Ray Brehm wrote:
>>
>>>MADMAN wrote:
>>>
>>>>Yes I have run into problems defining http also. The bottom line is I
>>>>now only "inspect" TCP, UDP and FTP. These cover all the others
>>>>without breaking them!!!
>>>>
>>>thanks for the heads up
>>>I just updated IOS to v12.2.6a (I know I'm crazy but I might want
>>>cisco's support)
>>>what version of IOS have these problems?
>>>
>> I know it wasn't in 12.2!! As I said before, I don't think it's doing
>>anything cept eating up NVRAM when you add, for example, inspect http
>>when tcp covers http.
>>
>> Dave
>>
>>>> Dave
>>>>
>>>>"Steven A. Ridder" wrote:
>>>>
>>>>>The CBAC doesn't understand ESMTP commands I think. Don't watch smtp
>>>>>on CBAC. I ran into that problem before.
>>>>>
>>>>>""Ray Brehm"" wrote in message news:[EMAIL PROTECTED]...
>>>>>
>>>>>>I have a 2621 with IOS IP/FW that I'm unable to connect through to
>>>>>>the inside SMTP server. I can connect to that same server using POP3
>>>>>>with no errors. The inside device is a static NAT. The port appears
>>>>>>open when I port scan the IP address but I get TCP errors when
>>>>>>trying to send mail.
>>>>>>Any ideas? Did I miss something stupid?
>>>>>>Is the fact that I have multiple "nat inside" interfaces relevant in
>>>>>>this situation? (I've never known it to make a difference)
>>>>>>
>>>>>>Relevant config:
>>>>>>
>>>>>>ip inspect name firewall http
>>>>>>ip inspect name firewall ftp
>>>>>>ip inspect name firewall netshow
>>>>>>ip inspect name firewall realaudio
>>>>>>ip inspect name firewall rtsp
>>>>>>ip inspect name firewall smtp
>>>>>>ip inspect name firewall tcp
>>>>>>ip inspect name firewall udp
>>>>>>
>>>>>>interface FastEthernet0/0
>>>>>> ip address 10.1.0.1 255.255.255.0
>>>>>> ip nat inside
>>>>>> speed 10
>>>>>> full-duplex
>>>>>> ntp broadcast
>>>>>> bridge-group 1
>>>>>>!
>>>>>>interface Serial0/0
>>>>>> ip address 10.1.12.1 255.255.255.0
>>>>>> ip nat inside
>>>>>> bridge-group 1
>>>>>>!
>>>>>>interface FastEthernet0/1
>>>>>> ip address 12.42.189.2 255.255.255.240
>>>>>> ip access-group 103 in
>>>>>> ip nat outside
>>>>>> ip inspect firewall out
>>>>>> duplex auto
>>>>>> speed auto
>>>>>>!
>>>>>>interface Serial0/1
>>>>>> ip address 10.1.13.1 255.255.255.0
>>>>>> ip nat inside
>>>>>> bridge-group 1
>>>>>>!
>>>>>>router eigrp 100
>>>>>> redistribute static metric 384 255 255 1 1500
>>>>>> network 10.0.0.0
>>>>>> auto-summary
>>>>>> no eigrp log-neighbor-changes
>>>>>>!
>>>>>>ip nat inside source list 18 interface FastEthernet0/1 overload
>>>>>>ip nat inside source static 10.1.0.4 12.42.189.4
>>>>>>ip classless
>>>>>>ip route 0.0.0.0 0.0.0.0 12.42.189.1
>>>>>>!
>>>>>>logging history debugging
>>>>>>logging 10.1.0.3
>>>>>>access-list 18 permit 10.1.0.0 0.0.255.255
>>>>>>access-list 101 permit tcp any any ack
>>>>>>access-list 101 permit udp any any
>>>>>>access-list 101 permit icmp any any
>>>>>>access-list 103 permit tcp any host 12.42.189.4 eq smtp
>>>>>>access-list 103 permit tcp any host 12.42.189.4 eq pop3
>>>>>>bridge 1 protocol ieee

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=29879&t=29794
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
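Kent's logging ACLs (103 inbound on the outside interface, 104 on fe 0/0) produce %SEC-6-IPACCESSLOGP syslog lines, and the useful question is whether the client's SMTP SYN reaches the router and whether the inside server's reply shows up on the inside interface. The script below is an added example, not part of the thread; it tallies such lines and answers that question. The sample log lines are constructed, and the addresses are taken from Ray's config (12.42.189.4 static-NATed to 10.1.0.4), with 203.0.113.5 standing in for the external client.

```python
import re
from collections import Counter

# Field layout of an IOS %SEC-6-IPACCESSLOGP message for a logged tcp/udp ACL match.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>tcp|udp) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

# Constructed sample syslog, not real router output (assumed: syslog from the 2621 in the thread).
SAMPLE_LOG = """\
Dec 21 08:15:01: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 203.0.113.5(41232) -> 12.42.189.4(110), 1 packet
Dec 21 08:15:09: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 203.0.113.5(41240) -> 12.42.189.4(25), 1 packet
Dec 21 08:15:09: %SEC-6-IPACCESSLOGP: list 104 permitted tcp 10.1.0.4(25) -> 203.0.113.5(41240), 1 packet
Dec 21 08:15:20: %SEC-6-IPACCESSLOGP: list 103 permitted udp 203.0.113.5(53442) -> 12.42.189.4(53), 1 packet
Dec 21 08:20:09: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 203.0.113.5(41240) -> 12.42.189.4(25), 5 packets
Dec 21 08:21:00: %LINK-3-UPDOWN: Interface Serial0/0, changed state to up
"""

def parse_acl_log(text):
    """Yield one dict per IPACCESSLOGP line; unrelated syslog lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            d = m.groupdict()
            for k in ("sport", "dport", "count"):
                d[k] = int(d[k])
            yield d

def tally_by_port(entries):
    """Packets per (acl, action, proto, dst, dport): the 'what is hitting the router' view."""
    c = Counter()
    for e in entries:
        c[(e["acl"], e["action"], e["proto"], e["dst"], e["dport"])] += e["count"]
    return c

def smtp_path_status(text, outside_acl, inside_acl, global_ip, local_ip, port=25):
    """Did the client's packets to global_ip:port hit the outside ACL, and did the
    inside server (seen pre-NAT as local_ip on fe 0/0) answer from that port?"""
    entries = list(parse_acl_log(text))
    arrived = any(e["acl"] == outside_acl and e["proto"] == "tcp"
                  and e["dst"] == global_ip and e["dport"] == port for e in entries)
    answered = any(e["acl"] == inside_acl and e["proto"] == "tcp"
                   and e["src"] == local_ip and e["sport"] == port for e in entries)
    return {"client_reached_router": arrived, "server_replied": answered}

if __name__ == "__main__":
    for key, n in sorted(tally_by_port(parse_acl_log(SAMPLE_LOG)).items()):
        print(key, n)
    print(smtp_path_status(SAMPLE_LOG, "103", "104", "12.42.189.4", "10.1.0.4"))
```

A SYN counted on list 103 with no matching reply on list 104 points at the router (NAT or inspection) rather than at the mail server.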

