Hi, I have 3 interfaces and router 2651 with FW IOS. I want to use CBAC in my network. My configuration looks like:

LAN-eth0--------Router---s0---Internet
                 eth1
                  |
                 DMZ server x.x.x.x (SMTP, POP3)

ip inspect name OUTBOUND smtp alert on audit-trail off
ip inspect name OUTBOUND ftp alert on audit-trail off
ip inspect name OUTBOUND http alert off audit-trail off
ip inspect name OUTBOUND sqlnet alert on audit-trail off
ip inspect name OUTBOUND streamworks alert on audit-trail off
ip inspect name OUTBOUND h323 alert on audit-trail off
ip inspect name OUTBOUND realaudio alert on audit-trail off
ip inspect name OUTBOUND tcp alert off audit-trail off
ip inspect name OUTBOUND udp alert off audit-trail off
ip inspect name INBOUND smtp alert off audit-trail off
ip inspect name INBOUND tcp alert off audit-trail off
ip inspect name INBOUND udp alert off audit-trail off

For eth0 (ip access-group 101 in)
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 deny ip any any log

For ser0 (ip access-group 102 in)
access-list 102 permit tcp any host x.x.x.x eq smtp log
access-list 102 permit tcp any host x.x.x.x eq pop3 log
access-list 102 permit tcp any host x.x.x.x eq 22 log
access-list 102 permit icmp any any
access-list 102 deny ip any any log

For eth1 (ip access-group 103 in)
access-list 103 permit icmp any any
access-list 103 permit tcp host x.x.x.x any eq smtp log
access-list 103 permit udp host x.x.x.x any eq domain log
access-list 103 deny ip any any log

I have a Linux server in the DMZ with SMTP and POP3. The problem is with SMTP (from the LAN or from the Internet): I can't connect to the SMTP server. I always get a timeout. In the ip inspect session command, I watch the open connection. But it does work. I don't know, maybe there is a feature in CBAC and sendmail :)

Thanks for any help

Regards
MM

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=46713&t=46713
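Added example (not part of the original post): a first-match evaluation of the three static ACLs as posted, without CBAC's temporary openings, for SMTP toward the DMZ server and for the server's reply. The address 192.0.2.10 standing in for the masked x.x.x.x, the client addresses, and the reply's destination port 1025 are constructed assumptions.

```python
from ipaddress import ip_address
DMZ = "192.0.2.10"  # constructed stand-in for the masked x.x.x.x in the post
PORTS = {"smtp": 25, "pop3": 110, "domain": 53}
ACLS = f"""
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 deny ip any any log
access-list 102 permit tcp any host {DMZ} eq smtp log
access-list 102 permit tcp any host {DMZ} eq pop3 log
access-list 102 permit tcp any host {DMZ} eq 22 log
access-list 102 permit icmp any any
access-list 102 deny ip any any log
access-list 103 permit icmp any any
access-list 103 permit tcp host {DMZ} any eq smtp log
access-list 103 permit udp host {DMZ} any eq domain log
access-list 103 deny ip any any log
"""

def take_addr(tok):  # consume one address spec -> (base, wildcard) as ints
    first = tok.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return int(ip_address(tok.pop(0))), 0
    return int(ip_address(first)), int(ip_address(tok.pop(0)))

def parse(text):
    acls = {}
    for line in text.strip().splitlines():
        tok = line.split()[1:]  # drop the "access-list" keyword
        num, action, proto = tok.pop(0), tok.pop(0), tok.pop(0)
        src, dst = take_addr(tok), take_addr(tok)
        # In these ACLs "eq" only follows the destination, so it is a destination port.
        port = (PORTS.get(tok[1]) or int(tok[1])) if tok[:1] == ["eq"] else None
        acls.setdefault(num, []).append((action, proto, src, dst, port, line))
    return acls

def covers(spec, addr):
    base, wild = spec
    return (int(ip_address(addr)) | wild) == (base | wild)

def evaluate(acl, proto, src, dst, dport=None):  # first matching entry wins
    for action, p, s, d, port, line in acl:
        if p in ("ip", proto) and covers(s, src) and covers(d, dst) and port in (None, dport):
            return action, line
    return "deny", "(implicit deny)"

if __name__ == "__main__":  # SMTP in via eth0, SMTP in via ser0, server reply via eth1
    for n, s, d, dp in (("101", "192.168.1.5", DMZ, 25), ("102", "198.51.100.7", DMZ, 25),
                        ("103", DMZ, "192.168.1.5", 1025)):
        print(n, *evaluate(parse(ACLS)[n], "tcp", s, d, dp))
```

The reply from the server's port 25 matches only the final deny in ACL 103, so on eth1 it passes only through a temporary entry created by an inspection rule; the post does not show where the inspect rules are applied.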