Is it SMTP or ESMTP? The latter doesn't work with CBAC.

--

RFC 1149 Compliant.



"Marcin Michalski" wrote in message news:[EMAIL PROTECTED]...
> Hi
> I have 3 interfaces and router 2651 with FW IOS.
> I want to use CBAC in my network.
> My configuration looks like :
>
> LAN-eth0--------Router---s0---Internet
>                          eth1
>                              |
>                         DMZ
>                     server x.x.x.x (SMTP, POP3)
>
> ip inspect name OUTBOUND smtp alert on audit-trail off
> ip inspect name OUTBOUND ftp alert on audit-trail off
> ip inspect name OUTBOUND http alert off audit-trail off
> ip inspect name OUTBOUND sqlnet alert on audit-trail off
> ip inspect name OUTBOUND streamworks alert on audit-trail off
> ip inspect name OUTBOUND h323 alert on audit-trail off
> ip inspect name OUTBOUND realaudio alert on audit-trail off
> ip inspect name OUTBOUND tcp alert off audit-trail off
> ip inspect name OUTBOUND udp alert off audit-trail off
> ip inspect name INBOUND smtp alert off audit-trail off
> ip inspect name INBOUND tcp alert off audit-trail off
> ip inspect name INBOUND udp alert off audit-trail off
>
> For eth0 (ip access-group 101 in)
> access-list 101 permit ip 192.168.1.0 0.0.0.255 any
> access-list 101 deny   ip any any log
>
> For ser0 (ip access-group 102 in)
> access-list 102 permit tcp any host x.x.x.x eq smtp log
> access-list 102 permit tcp any host x.x.x.x eq pop3 log
> access-list 102 permit tcp any host x.x.x.x eq 22 log
> access-list 102 permit icmp any any
> access-list 102 deny   ip any any log
>
> For eth1 (ip access-group 103 in)
> access-list 103 permit icmp any any
> access-list 103 permit tcp host x.x.x.x any eq smtp log
> access-list 103 permit udp host x.x.x.x any eq domain log
> access-list 103 deny   ip any any log
>
> I have a Linux server in the DMZ with SMTP and POP3. The problem is with SMTP
> (from the LAN or from the Internet): I can't connect to the SMTP server. I
> always get a timeout.
> In the ip inspect session command, I watch the open connection. But it does
> work.
> I don't know, maybe there is a feature in CBAC and sendmail :)
> Thanks for any help
> Regards
> MM




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=46720&t=46713
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
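
The reply's question (SMTP or ESMTP?) can be answered from a telnet or capture transcript of the mail dialogue. The following is an added example, not part of the original thread: it classifies a session by which greeting the server accepted, lists the extensions advertised after EHLO, and reports client verbs outside the RFC 821 base set. The function name, hostnames and both sample dialogues are constructed for illustration.

```python
import re

# Command verbs defined by RFC 821; anything else (EHLO included) is an extension.
RFC821_VERBS = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "SEND", "SOML", "SAML",
                "VRFY", "EXPN", "HELP", "NOOP", "QUIT", "TURN"}
REPLY = re.compile(r"^(\d{3})([ -])(.*)$")

def classify_session(transcript):
    """transcript: (direction, line) pairs; "C" = client, "S" = server."""
    accepted = pending = None   # greeting the server accepted / last client verb
    reply_no, in_data = 0, False
    extensions, extra_verbs = [], []
    for direction, line in transcript:
        line = line.rstrip("\r\n")
        if direction == "C":
            if in_data:                       # message body, not commands
                in_data = line != "."
                continue
            pending, reply_no = line.split(" ", 1)[0].upper(), 0
            if pending not in RFC821_VERBS and pending not in extra_verbs:
                extra_verbs.append(pending)
            continue
        m = REPLY.match(line)
        if not m:
            continue
        code, text = m.group(1), m.group(3)
        reply_no += 1
        if pending == "DATA" and code == "354":
            in_data = True
        elif pending in ("HELO", "EHLO") and code == "250":
            accepted = pending
            if reply_no == 1:
                extensions = []               # first 250 line is the greeting itself
            elif pending == "EHLO" and text:
                extensions.append(text.split()[0].upper())
    protocol = {"EHLO": "ESMTP", "HELO": "SMTP"}.get(accepted, "unknown")
    return {"protocol": protocol, "extensions": extensions, "extra_verbs": extra_verbs}

# Constructed sample dialogues (not captured from the poster's network).
ESMTP_SESSION = [
    ("S", "220 mail.example.test ESMTP"), ("C", "EHLO client.example.test"),
    ("S", "250-mail.example.test Hello"), ("S", "250-8BITMIME"),
    ("S", "250-SIZE 10485760"), ("S", "250 HELP"),
    ("C", "MAIL FROM:<a@example.test> SIZE=120"), ("S", "250 ok"),
    ("C", "QUIT"), ("S", "221 bye")]
FALLBACK_SESSION = [                          # EHLO refused, client retries with HELO
    ("S", "220 mail.example.test"), ("C", "EHLO client.example.test"),
    ("S", "500 Command unrecognized"), ("C", "HELO client.example.test"),
    ("S", "250 mail.example.test"), ("C", "DATA"), ("S", "354 go ahead"),
    ("C", "EHLO appears in the body"), ("C", "."), ("S", "250 queued")]
```
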
