I mean the gateway on your PC if you are on the 12.x.x.x network when trying it.
"Steven A. Ridder" wrote in message news:[EMAIL PROTECTED]...
> FYI,
>
> I plugged that exact config you sent into a 2621 with 12.2.6 IOS and it
> worked fine. I could telnet into an Exchange 2000 server via 25 and 110 on
> the same LAN, and on the external LAN using the natted external IP address.
> It worked in both instances with 25 and 110 with CBAC on and with the access
> list on. So I don't think it's the config or the router. I still can't
> imagine you getting into 110 and not 25 anyways. I can imagine not sending
> mail with cbac on cause of the ESMTP commands on.
>
> I'd look at the gateway in the server or something. It was .2 on the
> router.
>
> "Kent Hundley" wrote in message
> news:[EMAIL PROTECTED]...
> > Ray,
> >
> > A few more ideas:
> >
> > 1) Can the SMTP server resolve the name of the external machine? Some apps
> > like to do a reverse lookup on the IP addresses that connect to them and may
> > fail if they cannot. If you're not sure if it can resolve the name, try
> > adding the connecting machine's IP address to the /etc/hosts file of your
> > mail server. (It's under winnt/system32/drivers on Windows)
> >
> > 2) Try completely removing all CBAC (if you haven't already) and create a
> > permit access-list like this:
> >
> > access-list 103 permit tcp any eq 25 log
> > access-list 103 permit tcp any eq 110
> > access-list 103 permit udp any log
> > access-list 103 permit tcp any log
> > access-list 103 permit icmp any log
> > access-list 103 permit ip any any
> >
> > And see what your log files look like. (you probably want to do this
> > sometime when your router isn't moving a lot of traffic as there could be a
> > lot of logging info) You may also want to put an acl on your fe 0/0
> > interface like this:
> >
> > access-list 104 permit tcp any log
> > access-list 104 permit udp any log
> > access-list 104 permit icmp any log
> > access-list 104 permit ip any any
> >
> > This will give you a good idea of what's happening at the packet level.
> >
> > If it _still_ doesn't work, I would definitely consider replacing the
> > router.
> >
> > HTH,
> > Kent
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> > Sent: Friday, December 21, 2001 8:20 AM
> > To: [EMAIL PROTECTED]
> > Subject: Re: IOS firewall, NAT and smtp [7:29794]
> >
> > Steven A. Ridder wrote:
> >
> > >Try removing the access lists next. I can't see how POP gets in and smtp
> > >doesn't, especially with CBAC off now.
> >
> > I removed all access control from the interface and I still get the same
> > problem.
> > I'm going to test it on another router then I'm going after cisco with
> > this one.
> > Thanks for your help
> >
> > >"MADMAN" wrote in message
> > >news:[EMAIL PROTECTED]...
> > >
> > >>Ray Brehm wrote:
> > >>
> > >>>MADMAN wrote:
> > >>>
> > >>>>Yes I have run into problems defining http also. The bottom line is I
> > >>>>now only "inspect" TCP, UDP and FTP. These cover all the others without
> > >>>>breaking them!!!
> > >>>>
> > >>>thanks for the heads up
> > >>>I just updated IOS to v12.2.6a (I know I'm crazy but I might want
> > >>>cisco's support)
> > >>>what version of IOS have these problems?
> > >>>
> > >> I know it wasn't in 12.2!! As I said before, I don't think it's doing
> > >>anything cept eating up NVRAM when you add, for example, inspect http
> > >>when tcp covers http.
> > >>
> > >> Dave
> > >>
> > >>>> Dave
> > >>>>
> > >>>>"Steven A. Ridder" wrote:
> > >>>>
> > >>>>>The CBAC doesn't understand ESMTP commands I think. Don't watch smtp on
> > >>>>>CBAC. I ran into that problem before.
> > >>>>>
> > >>>>>"Ray Brehm" wrote in message
> > >>>>>news:[EMAIL PROTECTED]...
> > >>>>>
> > >>>>>>I have a 2621 with IOS IP/FW that I'm unable to connect through to the
> > >>>>>>inside SMTP server. I can connect to that same server using POP3 with no
> > >>>>>>errors. The inside device is a static NAT. The port appears open when I
> > >>>>>>port scan the IP address but I get TCP errors when trying to send mail.
> > >>>>>>Any ideas? Did I miss something stupid?
> > >>>>>>Is the fact that I have multiple "nat inside" interfaces relevant in
> > >>>>>>this situation? (I've never known it to make a difference)
> > >>>>>>
> > >>>>>>Relevant config:
> > >>>>>>
> > >>>>>>ip inspect name firewall http
> > >>>>>>ip inspect name firewall ftp
> > >>>>>>ip inspect name firewall netshow
> > >>>>>>ip inspect name firewall realaudio
> > >>>>>>ip inspect name firewall rtsp
> > >>>>>>ip inspect name firewall smtp
> > >>>>>>ip inspect name firewall tcp
> > >>>>>>ip inspect name firewall udp
> > >>>>>>
> > >>>>>>interface FastEthernet0/0
> > >>>>>>ip address 10.1.0.1 255.255.255.0
> > >>>>>>ip nat inside
> > >>>>>>speed 10
> > >>>>>>full-duplex
> > >>>>>>ntp broadcast
> > >>>>>>bridge-group 1
> > >>>>>>!
> > >>>>>>interface Serial0/0
> > >>>>>>ip address 10.1.12.1 255.255.255.0
> > >>>>>>ip nat inside
> > >>>>>>bridge-group 1
> > >>>>>>!
> > >>>>>>interface FastEthernet0/1
> > >>>>>>ip address 12.42.189.2 255.255.255.240
> > >>>>>>ip access-group 103 in
> > >>>>>>ip nat outside
> > >>>>>>ip inspect firewall out
> > >>>>>>duplex auto
> > >>>>>>speed auto
> > >>>>>>!
> > >>>>>>interface Serial0/1
> > >>>>>>ip address 10.1.13.1 255.255.255.0
> > >>>>>>ip nat inside
> > >>>>>>bridge-group 1
> > >>>>>>!
> > >>>>>>router eigrp 100
> > >>>>>>redistribute static metric 384 255 255 1 1500
> > >>>>>>network 10.0.0.0
> > >>>>>>auto-summary
> > >>>>>>no eigrp log-neighbor-changes
> > >>>>>>!
> > >>>>>>ip nat inside source list 18 interface FastEthernet0/1 overload
> > >>>>>>ip nat inside source static 10.1.0.4 12.42.189.4
> > >>>>>>ip classless
> > >>>>>>ip route 0.0.0.0 0.0.0.0 12.42.189.1
> > >>>>>>!
> > >>>>>>logging history debugging
> > >>>>>>logging 10.1.0.3
> > >>>>>>access-list 18 permit 10.1.0.0 0.0.255.255
> > >>>>>>access-list 101 permit tcp any any ack
> > >>>>>>access-list 101 permit udp any any
> > >>>>>>access-list 101 permit icmp any any
> > >>>>>>access-list 103 permit tcp any host 12.42.189.4 eq smtp
> > >>>>>>access-list 103 permit tcp any host 12.42.189.4 eq pop3
> > >>>>>>bridge 1 protocol ieee

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=29882&t=29794
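
Added example, not part of the thread or written by any of its posters: a small Python audit of the configuration quoted above. It checks that every destination permitted by the inbound ACL on the NAT-outside interface is the global address of a static NAT entry, and lists which protocols the attached `ip inspect` rule covers and in which direction. The function name `audit` and the trimmed `CONFIG` excerpt are assumptions of this example.

```python
import re

# Lines copied from the configuration posted in the thread (only what the audit reads).
CONFIG = """\
ip inspect name firewall smtp
ip inspect name firewall tcp
interface FastEthernet0/1
 ip address 12.42.189.2 255.255.255.240
 ip access-group 103 in
 ip nat outside
 ip inspect firewall out
!
ip nat inside source static 10.1.0.4 12.42.189.4
access-list 103 permit tcp any host 12.42.189.4 eq smtp
access-list 103 permit tcp any host 12.42.189.4 eq pop3
"""

def audit(config):
    """Return (published, inspected) for every 'ip nat outside' interface."""
    static, acls, rules, ifaces, cur = {}, {}, {}, {}, None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"interface (\S+)", line):
            cur = ifaces.setdefault(m.group(1), [])
        elif m := re.match(r"ip nat inside source static (\S+) (\S+)$", line):
            static[m.group(2)] = m.group(1)          # global -> local address
        elif m := re.match(r"access-list (\d+) permit tcp any host (\S+) eq (\S+)", line):
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
        elif m := re.match(r"ip inspect name (\S+) (\S+)", line):
            rules.setdefault(m.group(1), []).append(m.group(2))
        elif line == "!":
            cur = None                               # end of interface block
        elif cur is not None:
            cur.append(line)                         # interface sub-command
    published, inspected = [], []
    for name, cmds in ifaces.items():
        if "ip nat outside" not in cmds:
            continue
        for cmd in cmds:
            if m := re.match(r"ip access-group (\d+) in$", cmd):
                # Inbound ACL runs before NAT: dst must be a static NAT global (else None).
                for dst, port in acls.get(m.group(1), []):
                    published.append((name, port, dst, static.get(dst)))
            elif m := re.match(r"ip inspect (\S+) (in|out)$", cmd):
                for proto in rules.get(m.group(1), []):
                    inspected.append((name, m.group(2), proto))
    return published, inspected

if __name__ == "__main__":
    print(audit(CONFIG))
```

A `None` in the last field of a `published` entry means the ACL permits a destination that no static NAT entry translates, so the permitted traffic has no inside host to reach.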

