Priscilla,
Once again you are right on track. I ran into this situation, or one like
it, not long ago. I was not getting any TCP errors but mail was extremely
slow. The one difference here is my firewall was an OpenBSD firewall.
After putting a sniffer on the line I saw authentication trying to be
used on port 113. My mail was taking extremely long to send; it would
eventually go, but only after the authentication from the client would
time out. So what I did on the OpenBSD firewall to prevent this was build a
rule that sent a reset back to the remote server. The rule looks like so:
#REJECT auth connections for fast SMTP handshake
block return-rst in on ne3 proto tcp from any to any port = 113
Basically, from my research and sniffer traces, when I try to send
outgoing mail from my SMTP server the server on the other end will try to do
an ident lookup on me. This ident service, from my knowledge, is old and left
over from the days when everyone trusted each other on the internet: the
machine on the other end tries to call you back on port 113 to verify
you are who you say you are. This is what causes the TCP connection on
port 113. If you send a reset back and the attempt is rejected, the
remote server just shrugs it off and gets on with the SMTP conversation,
BUT if you deny this attempt, as in blocking it, the remote server will
just wait until everything times out before getting on with the SMTP
conversation.
Maybe something like this can help you in your endeavor; hope this helps.
Steven A. Ridder wrote:
>
> >Try removing the access lists next. I can't see how POP gets in and smtp
> >doesn't, especially with CBAC off now.
> >
>I removed all access control from the interface and I still get the same
>problem.
>I'm going to test it on another router then I'm going after cisco with
>this one.
>Thanks for your help
>
> >
> >
> >"MADMAN" wrote in message news:[EMAIL PROTECTED]...
> >
> >>Ray Brehm wrote:
> >>
> >>>MADMAN wrote:
> >>>
> >>>>Yes I have run into problems defining http also. The bottom line is I
> >>>>now only "inspect" TCP, UDP and FTP. These cover all the others without
> >>>>breaking them!!!
> >>>>
> >>>thanks for the heads up
> >>>I just updated IOS to v12.2.6a (I know I'm crazy but I might want
> >>>cisco's support)
> >>>what version of IOS have these problems?
> >>>
> >> I know it wasn't in 12.2!! As I said before, I don't think it's doing
> >>anything cept eating up NVRAM when you add, for example, inspect http
> >>when tcp covers http.
> >>
> >> Dave
> >>
> >>>> Dave
> >>>>
> >>>>"Steven A. Ridder" wrote:
> >>>>
> >>>>>The CBAC doesn't understand ESMTP commands I think. Don't watch smtp on
> >>>>>CBAC. I ran into that problem before.
> >>>>>
> >>>>>"Ray Brehm" wrote in message news:[EMAIL PROTECTED]...
> >>>>>
> >>>>>>I have a 2621 with IOS IP/FW that I'm unable to connect through to the
> >>>>>>inside SMTP server. I can connect to that same server using POP3 with no
> >>>>>>errors. The inside device is a static NAT. The port appears open when I
> >>>>>>port scan the IP address but I get TCP errors when trying to send mail.
> >>>>>>Any ideas? Did I miss something stupid?
> >>>>>>Is the fact that I have multiple "nat inside" interfaces relevant in
> >>>>>>this situation? (I've never known it to make a difference)
> >>>>>>
> >>>>>>Relevant config:
> >>>>>>
> >>>>>>ip inspect name firewall http
> >>>>>>ip inspect name firewall ftp
> >>>>>>ip inspect name firewall netshow
> >>>>>>ip inspect name firewall realaudio
> >>>>>>ip inspect name firewall rtsp
> >>>>>>ip inspect name firewall smtp
> >>>>>>ip inspect name firewall tcp
> >>>>>>ip inspect name firewall udp
> >>>>>>
> >>>>>>interface FastEthernet0/0
> >>>>>>ip address 10.1.0.1 255.255.255.0
> >>>>>>ip nat inside
> >>>>>>speed 10
> >>>>>>full-duplex
> >>>>>>ntp broadcast
> >>>>>>bridge-group 1
> >>>>>>!
> >>>>>>interface Serial0/0
> >>>>>>ip address 10.1.12.1 255.255.255.0
> >>>>>>ip nat inside
> >>>>>>bridge-group 1
> >>>>>>!
> >>>>>>interface FastEthernet0/1
> >>>>>>ip address 12.42.189.2 255.255.255.240
> >>>>>>ip access-group 103 in
> >>>>>>ip nat outside
> >>>>>>ip inspect firewall out
> >>>>>>duplex auto
> >>>>>>speed auto
> >>>>>>!
> >>>>>>interface Serial0/1
> >>>>>>ip address 10.1.13.1 255.255.255.0
> >>>>>>ip nat inside
> >>>>>>bridge-group 1
> >>>>>>!
> >>>>>>router eigrp 100
> >>>>>>redistribute static metric 384 255 255 1 1500
> >>>>>>network 10.0.0.0
> >>>>>>auto-summary
> >>>>>>no eigrp log-neighbor-changes
> >>>>>>!
> >>>>>>ip nat inside source list 18 interface FastEthernet0/1 overload
> >>>>>>ip nat inside source static 10.1.0.4 12.42.189.4
> >>>>>>ip classless
> >>>>>>ip route 0.0.0.0 0.0.0.0 12.42.189.1
> >>>>>>!
> >>>>>>logging history debugging
> >>>>>>logging 10.1.0.3
> >>>>>>access-list 18 permit 10.1.0.0 0.0.255.255
> >>>>>>access-list 101 permit tcp any any ack
> >>>>>>access-list 101 permit udp any any
> >>>>>>access-list 101 permit icmp any any
> >>>>>>access-list 103 permit tcp any host 12.42.189.4 eq smtp
> >>>>>>access-list 103 permit tcp any host 12.42.189.4 eq pop3
> >>>>>>bridge 1 protocol ieee
________________________
Priscilla Oppenheimer
http://www.priscilla.com
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=29925&t=29794
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
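An added example, not from this thread or any of its posters, that checks from the outside how a host treats the ident callback on TCP 113 described above (RST back from the `block return-rst` rule versus a silent drop that makes the remote MTA wait out its timeout) and parses an RFC 1413 ident reply. It assumes Python 3; the sample reply lines are constructed, and the demo uses loopback ports as stand-ins for an ident daemon and an RST-returning firewall.

```python
import socket

IDENT_PORT = 113  # RFC 1413 ident, the callback seen in the sniffer trace


def classify_ident_probe(host, port=IDENT_PORT, timeout=3.0):
    """Connect to host:port and report how the far side treated the SYN:
    'open'      something (an ident daemon) accepted the connection
    'rejected'  a TCP RST came back (pf 'block return-rst': the fast case)
    'filtered'  no answer before the timeout (plain 'block': the slow case,
                where the sending MTA waits for its ident lookup to expire)"""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except ConnectionRefusedError:
            return "rejected"
        except socket.timeout:
            return "filtered"
        return "open"


def parse_ident_reply(line):
    """Parse one RFC 1413 reply line into a dict. Accepted shapes:
    '<port-on-server> , <port-on-client> : USERID : <opsys> : <user-id>'
    '<port-on-server> , <port-on-client> : ERROR : <error-type>'
    A user-id may itself contain colons, so split at most three times."""
    fields = [f.strip() for f in line.rstrip("\r\n").split(":", 3)]
    if len(fields) < 3 or "," not in fields[0]:
        raise ValueError("malformed ident reply: %r" % line)
    server_port, client_port = (int(p) for p in fields[0].split(",", 1))
    reply = {"port_on_server": server_port, "port_on_client": client_port,
             "status": fields[1].upper()}
    if reply["status"] == "USERID" and len(fields) == 4:
        reply["opsys"], reply["user"] = fields[2], fields[3]
    elif reply["status"] == "ERROR" and len(fields) == 3:
        reply["error"] = fields[2]
    else:
        raise ValueError("malformed ident reply: %r" % line)
    return reply


def demo_on_loopback(timeout=2.0):
    """Offline demo: a listening loopback port stands in for a reachable ident
    daemon; the same port, once closed, for a firewall that returns RST."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as listener:
        listener.bind(("127.0.0.1", 0))  # kernel picks a free port
        listener.listen(1)
        port = listener.getsockname()[1]
        open_result = classify_ident_probe("127.0.0.1", port, timeout)
    # Listener closed: the same port now answers the SYN with a RST.
    closed_result = classify_ident_probe("127.0.0.1", port, timeout)
    return open_result, closed_result
```

Run `classify_ident_probe` against your own public address from outside the firewall: "filtered" is the slow case the post describes, "rejected" is the behaviour the `return-rst` rule gives you.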