Secure IOS Firewall Config

Unanswered Question
Dec 19th, 2007

I have configured a Cisco 1841 IOS firewall. All works well except for PoP3 traffic. If I take out the inspect rule applied outbound on the outside interface and the access list applied inbound to the outside interface PoP3 works.

So I know for sure my config is wrong.

Can someone help, please?

Here is my config:

ip inspect name firewall ftp
ip inspect name firewall http
ip inspect name firewall dns
ip inspect name firewall tcp router-traffic
ip inspect name firewall udp router-traffic
ip inspect name firewall https
ip inspect name firewall smtp
ip inspect name firewall ssh
ip inspect name firewall telnet
ip inspect name firewall pop3

interface FastEthernet0/0
 ip address
 ip nat inside

interface Serial0/0/0
 no ip address
 encapsulation frame-relay IETF
 no ip route-cache cef
 no ip route-cache
 no fair-queue
 frame-relay lmi-type ansi

interface Serial0/0/0.1 point-to-point
 ip address 255.255.252
 ip access-group 100 in
 no ip redirects
 no ip proxy-arp
 ip inspect firewall out
 ip nat outside

ip nat inside source list 101 interface Serial0/0/0.1 overload

access-list 100 deny ip host any
access-list 100 deny ip any
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any time-exceeded
access-list 100 permit icmp any packet-too-big
access-list 100 permit icmp any traceroute
access-list 100 permit icmp any unreachable
access-list 101 permit ip any

johnd2310 Wed, 12/19/2007 - 12:06


Enable audit-trail for pop3 and see what messages you get.


p.holley Wed, 12/19/2007 - 12:13

I will try that, but turning on audit-trail is for all protocols and not just pop3.

p.holley Wed, 12/19/2007 - 14:10

This is what I got when I enabled audit-trail for pop3:

Dec 19 2007 17:50:12.151 UTC: %FW-6-SESS_AUDIT_TRAIL: Stop pop3 session: initiator ( sent 70 bytes -- responder ( sent 1577 bytes

This is the error message the user got on their PC.

Your message did not reach some or all of the intended recipients.

Subject: test

Sent: 12/19/2007 5:51 PM

The following recipient(s) could not be reached:

'' on 12/19/2007 5:51 PM

550 5.7.1 <>... Relaying denied. IP name possibly forged [] is the ip address of my router to the public internet.

Any ideas?
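The audit-trail line quoted above has its addresses stripped out. As an added example (not from this thread or from Cisco), here is a small Python parser for %FW-6-SESS_AUDIT_TRAIL "Stop" messages in that format, run over constructed sample lines, that tallies bytes per inspected protocol and flags sessions the client gave up on after very little traffic, like the 70-byte pop3 session shown.

```python
import re
from collections import defaultdict

# Regex for the CBAC session audit-trail "Stop" message quoted in the thread:
#   %FW-6-SESS_AUDIT_TRAIL: Stop <proto> session: initiator (<ip>:<port>) sent <n> bytes
#   -- responder (<ip>:<port>) sent <m> bytes
AUDIT_RE = re.compile(
    r"%FW-6-SESS_AUDIT_TRAIL: Stop (?P<proto>\S+) session: "
    r"initiator \((?P<i_ip>[\d.]+):(?P<i_port>\d+)\) sent (?P<i_bytes>\d+) bytes -- "
    r"responder \((?P<r_ip>[\d.]+):(?P<r_port>\d+)\) sent (?P<r_bytes>\d+) bytes"
)

# Constructed sample log (RFC 5737 documentation addresses, not the poster's real ones).
SAMPLE_LOG = """\
Dec 19 2007 17:50:12.151 UTC: %FW-6-SESS_AUDIT_TRAIL: Stop pop3 session: initiator (192.0.2.10:1532) sent 70 bytes -- responder (203.0.113.25:110) sent 1577 bytes
Dec 19 2007 17:51:03.402 UTC: %FW-6-SESS_AUDIT_TRAIL: Stop smtp session: initiator (192.0.2.10:1540) sent 212 bytes -- responder (203.0.113.25:25) sent 389 bytes
Dec 19 2007 17:52:44.019 UTC: %FW-6-SESS_AUDIT_TRAIL_START: Start http session: initiator (192.0.2.11:2201) -- responder (198.51.100.7:80)
Dec 19 2007 17:53:10.777 UTC: %FW-6-SESS_AUDIT_TRAIL: Stop http session: initiator (192.0.2.11:2201) sent 540 bytes -- responder (198.51.100.7:80) sent 18233 bytes
"""

def parse_audit_trail(text):
    """Return one dict per Stop message; Start messages carry no byte counts and are skipped."""
    sessions = []
    for line in text.splitlines():
        m = AUDIT_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        for k in ("i_port", "r_port", "i_bytes", "r_bytes"):
            d[k] = int(d[k])
        d["timestamp"] = line.split(": %FW")[0]
        sessions.append(d)
    return sessions

def summarize(sessions):
    """Session count and bytes in each direction, keyed by inspected protocol."""
    out = defaultdict(lambda: {"sessions": 0, "sent": 0, "received": 0})
    for s in sessions:
        p = out[s["proto"]]
        p["sessions"] += 1
        p["sent"] += s["i_bytes"]
        p["received"] += s["r_bytes"]
    return dict(out)

def short_sessions(sessions, max_initiator_bytes=100):
    """Sessions where the client sent almost nothing before the session closed."""
    return [s for s in sessions if s["i_bytes"] <= max_initiator_bytes]

if __name__ == "__main__":
    sessions = parse_audit_trail(SAMPLE_LOG)
    for proto, stats in summarize(sessions).items():
        print(proto, stats)
    for s in short_sessions(sessions):
        print("short:", s["proto"], s["i_ip"], "->", s["r_ip"], s["i_bytes"], "bytes")
```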

johnd2310 Wed, 12/19/2007 - 18:53


This sounds more like a configuration with the mail server (smtp). The mail server will need to allow your ip to send to other domains or it should be set to authenticate when you send.


p.holley Thu, 12/20/2007 - 05:41

I suspected that as well, but since it works without any of the inspect rules and the access list on the router, I started thinking maybe my config on the router has issues.

johnd2310 Thu, 12/20/2007 - 15:50


What mail server are you connecting to? MS Exchange or other?

Try changing the ip inspect smtp to ip inspect esmtp, or remove ip inspect smtp.
