You say you get "TCP errors when you try to send mail." What kind of TCP 
errors? Where are they reported? Are you just relying on Cisco diagnostics 
or have you watched what is really happening with a sniffer?

Using a sniffer might reveal that something more than SMTP is involved. 
Since none of the obvious answers helped, I'm going out on a limb here. I'm 
wondering if the server is also running authentication and sends a SYN back 
to the client to port 113. I could easily imagine it breaking in 
firewall or NAT situations. Check this out, which I found by searching on 
Port 113 SMTP in Google.

http://support.intel.com/support/express/routers/30472.htm

Please tell us more about the research you have done into this problem, 
sniffer trace, what TCP error means, etc. It's intriguing! ;-) Thanks.

Priscilla

At 11:19 AM 12/21/01, Ray Brehm wrote:
>Steven A. Ridder wrote:
>
> >Try removing the access lists next.  I can't see how POP gets in and smtp
> >doesn't, especially with CBAC off now.
> >
>I removed all access control from the interface and I still get the same
>problem.
>I'm going to test it on another router then I'm going after cisco with
>this one.
>Thanks for your help
>
> >
> >
> >"MADMAN" wrote in message
> >news:[EMAIL PROTECTED]...
> >
> >>Ray Brehm wrote:
> >>
> >>>MADMAN wrote:
> >>>
> >>>>Yes I have run into problems defining http also.  The bottom line is I
> >>>>now only "inspect" TCP, UDP and FTP. These cover all the others without
> >>>>breaking them!!!
> >>>>
> >>>thanks for the heads up
> >>>I just updated IOS to v12.2.6a (I know I'm crazy but I might want
> >>>cisco's support)
> >>>what version of IOS have these problems?
> >>>
> >>  I know it wasn't in 12.2!!  As I said before, I don't think it's doing
> >>anything cept eating up NVRAM when you add, for example, inspect http
> >>when tcp covers http.
> >>
> >>  Dave
> >>
> >>>> Dave
> >>>>
> >>>>"Steven A. Ridder" wrote:
> >>>>
> >>>>>The CBAC doesn't understand ESMTP commands I think.  Don't watch smtp on
> >>>>>CBAC.  I ran into that problem before.
> >>>>>
> >>>>>"Ray Brehm" wrote in message
> >>>>>news:[EMAIL PROTECTED]...
> >>>>>
> >>>>>>I have a 2621 with IOS IP/FW that I'm unable to connect through to the
> >>>>>>inside SMTP server. I can connect to that same server using POP3 with no
> >>>>>>errors. The inside device is a static NAT. The port appears open when I
> >>>>>>port scan the IP address but I get TCP errors when trying to send mail.
> >>>>>>Any ideas? Did I miss something stupid?
> >>>>>>Is the fact that I have multiple "nat inside" interfaces relevant in
> >>>>>>this situation? (I've never known it to make a difference)
> >>>>>>
> >>>>>>Relevant config:
> >>>>>>
> >>>>>>ip inspect name firewall http
> >>>>>>ip inspect name firewall ftp
> >>>>>>ip inspect name firewall netshow
> >>>>>>ip inspect name firewall realaudio
> >>>>>>ip inspect name firewall rtsp
> >>>>>>ip inspect name firewall smtp
> >>>>>>ip inspect name firewall tcp
> >>>>>>ip inspect name firewall udp
> >>>>>>
> >>>>>>interface FastEthernet0/0
> >>>>>>ip address 10.1.0.1 255.255.255.0
> >>>>>>ip nat inside
> >>>>>>speed 10
> >>>>>>full-duplex
> >>>>>>ntp broadcast
> >>>>>>bridge-group 1
> >>>>>>!
> >>>>>>interface Serial0/0
> >>>>>>ip address 10.1.12.1 255.255.255.0
> >>>>>>ip nat inside
> >>>>>>bridge-group 1
> >>>>>>!
> >>>>>>interface FastEthernet0/1
> >>>>>>ip address 12.42.189.2 255.255.255.240
> >>>>>>ip access-group 103 in
> >>>>>>ip nat outside
> >>>>>>ip inspect firewall out
> >>>>>>duplex auto
> >>>>>>speed auto
> >>>>>>!
> >>>>>>interface Serial0/1
> >>>>>>ip address 10.1.13.1 255.255.255.0
> >>>>>>ip nat inside
> >>>>>>bridge-group 1
> >>>>>>!
> >>>>>>router eigrp 100
> >>>>>>redistribute static metric 384 255 255 1 1500
> >>>>>>network 10.0.0.0
> >>>>>>auto-summary
> >>>>>>no eigrp log-neighbor-changes
> >>>>>>!
> >>>>>>ip nat inside source list 18 interface FastEthernet0/1 overload
> >>>>>>ip nat inside source static 10.1.0.4 12.42.189.4
> >>>>>>ip classless
> >>>>>>ip route 0.0.0.0 0.0.0.0 12.42.189.1
> >>>>>>!
> >>>>>>logging history debugging
> >>>>>>logging 10.1.0.3
> >>>>>>access-list 18 permit 10.1.0.0 0.0.255.255
> >>>>>>access-list 101 permit tcp any any ack
> >>>>>>access-list 101 permit udp any any
> >>>>>>access-list 101 permit icmp any any
> >>>>>>access-list 103 permit tcp any host 12.42.189.4 eq smtp
> >>>>>>access-list 103 permit tcp any host 12.42.189.4 eq pop3
> >>>>>>bridge 1 protocol ieee


________________________

Priscilla Oppenheimer
http://www.priscilla.com
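
As an added illustration (not part of the original message or thread), here is one way to check a sniffer trace for the port 113 hypothesis above: SMTP connections after which the server sends SYNs to the client's port 113 that are never answered. The trace format is a constructed, simplified one, 192.0.2.10 and 198.51.100.7 are made-up clients, and `find_unanswered_ident` is a hypothetical helper name.

```python
import re

# Constructed sample (time src.port > dst.port flags), not real capture output.
# 12.42.189.4 is the mail server's static NAT address from the posted config.
SAMPLE_TRACE = """\
0.000 192.0.2.10.40001 > 12.42.189.4.25 S
0.020 12.42.189.4.25 > 192.0.2.10.40001 SA
0.040 192.0.2.10.40001 > 12.42.189.4.25 A
0.050 12.42.189.4.3310 > 192.0.2.10.113 S
3.050 12.42.189.4.3310 > 192.0.2.10.113 S
9.050 12.42.189.4.3310 > 192.0.2.10.113 S
10.000 198.51.100.7.40002 > 12.42.189.4.25 S
10.020 12.42.189.4.25 > 198.51.100.7.40002 SA
10.050 12.42.189.4.3311 > 198.51.100.7.113 S
10.070 198.51.100.7.113 > 12.42.189.4.3311 R
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
LINE = re.compile(rf"(\S+) {IP}\.(\d+) > {IP}\.(\d+) (\S+)")


def find_unanswered_ident(trace, smtp_port=25, ident_port=113):
    """Return ident probes (server -> client:113) that got no reply at all."""
    smtp_pairs = set()   # (client, server) pairs that opened an SMTP session
    probes = {}          # (server, server_port, client) -> number of SYNs sent
    answered = set()     # probes that saw any packet back from client:113
    for raw in trace.splitlines():
        m = LINE.fullmatch(raw.strip())
        if not m:
            continue
        _, src, sport, dst, dport, flags = m.groups()
        sport, dport = int(sport), int(dport)
        if flags == "S" and dport == smtp_port:
            smtp_pairs.add((src, dst))
        elif flags == "S" and dport == ident_port and (dst, src) in smtp_pairs:
            key = (src, sport, dst)
            probes[key] = probes.get(key, 0) + 1   # retransmits raise the count
        elif sport == ident_port and (dst, dport, src) in probes:
            answered.add((dst, dport, src))        # SYN-ACK or RST both count
    return [{"server": s, "client": c, "syn_count": n}
            for (s, p, c), n in sorted(probes.items())
            if (s, p, c) not in answered]


if __name__ == "__main__":
    for hit in find_unanswered_ident(SAMPLE_TRACE):
        print(hit)
```

A client that answers the probe with a RST lets the server give up on the lookup immediately; repeated SYNs with no reply are the case where the SMTP session stalls while the server waits.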




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=29886&t=29794