Secure IOS Firewall Config

Dec 19th, 2007

Hi,


I have configured a Cisco 1841 IOS firewall. All works well except for POP3 traffic. If I take out the inspect rule applied outbound on the outside interface and the access list applied inbound on the outside interface, POP3 works.

So I know for sure my config is wrong.

Can someone help please?

Here is my config:


ip inspect name firewall ftp
ip inspect name firewall http
ip inspect name firewall dns
ip inspect name firewall tcp router-traffic
ip inspect name firewall udp router-traffic
ip inspect name firewall https
ip inspect name firewall smtp
ip inspect name firewall ssh
ip inspect name firewall telnet
ip inspect name firewall pop3
!
interface FastEthernet0/0
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
!
interface Serial0/0/0
 no ip address
 encapsulation frame-relay IETF
 no ip route-cache cef
 no ip route-cache
 no fair-queue
 frame-relay lmi-type ansi
!
interface Serial0/0/0.1 point-to-point
 ip address 99.1.10.11 255.255.252
 ip access-group 100 in
 no ip redirects
 no ip proxy-arp
 ip inspect firewall out
 ip nat outside
!
ip nat inside source list 101 interface Serial0/0/0.1 overload
!
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 192.168.0.0 0.0.0.255 any
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any 192.168.0.0 0.0.0.255 time-exceeded
access-list 100 permit icmp any 192.168.0.0 0.0.0.255 packet-too-big
access-list 100 permit icmp any 192.168.0.0 0.0.0.255 traceroute
access-list 100 permit icmp any 192.168.0.0 0.0.0.255 unreachable
!
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
johnd2310 Wed, 12/19/2007 - 12:06

Hi,

Enable audit-trail for POP3 and see what messages you get.

John

p.holley Wed, 12/19/2007 - 12:13
I will try that, but turning on audit-trail is for all protocols and not just POP3.


p.holley Wed, 12/19/2007 - 14:10
This is what I got when I enabled audit-trail for POP3:

Dec 19 2007 17:50:12.151 UTC: %FW-6-SESS_AUDIT_TRAIL: Stop pop3 session: initiator (192.168.0.134:1503) sent 70 bytes -- responder (99.1.20.2:110) sent 1577 bytes

This is the error message the user got on their PC:

Your message did not reach some or all of the intended recipients.

Subject: test

Sent: 12/19/2007 5:51 PM

The following recipient(s) could not be reached:

'tom@hotmail.com' on 12/19/2007 5:51 PM

550 5.7.1 <tom@hotmail.com>... Relaying denied. IP name possibly forged [99.1.10.11]

99.1.10.11 is the IP address of my router to the public internet.

Any ideas?
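A small parser for the %FW-6-SESS_AUDIT_TRAIL "Stop" messages quoted above, added here as an example (it is not code from the thread or from Cisco): it pulls out the initiator/responder byte counts per session and flags sessions where the responder sent 0 bytes, the pattern worth checking when you suspect the router is dropping return traffic rather than, as in the 550 above, the mail server refusing the request. The sample log lines are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample log: the first line is the format quoted in the thread,
# the others are made-up lines in the same format plus one unrelated message.
SAMPLE_LOG = """\
Dec 19 2007 17:50:12.151 UTC: %FW-6-SESS_AUDIT_TRAIL: Stop pop3 session: initiator (192.168.0.134:1503) sent 70 bytes -- responder (99.1.20.2:110) sent 1577 bytes
Dec 19 2007 17:51:03.002 UTC: %FW-6-SESS_AUDIT_TRAIL: Stop smtp session: initiator (192.168.0.134:1504) sent 312 bytes -- responder (99.1.20.2:25) sent 0 bytes
Dec 19 2007 17:53:00.000 UTC: %SYS-5-CONFIG_I: Configured from console by console
"""

# Matches the "Stop <proto> session" audit-trail line shown in the thread.
STOP_RE = re.compile(
    r"%FW-6-SESS_AUDIT_TRAIL: Stop (?P<proto>\S+) session: "
    r"initiator \((?P<ihost>[\d.]+):(?P<iport>\d+)\) sent (?P<ibytes>\d+) bytes -- "
    r"responder \((?P<rhost>[\d.]+):(?P<rport>\d+)\) sent (?P<rbytes>\d+) bytes"
)


def parse_stop_line(line):
    """Return a dict describing one audit-trail Stop line, or None if it is not one."""
    m = STOP_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("iport", "ibytes", "rport", "rbytes"):
        rec[key] = int(rec[key])
    return rec


def summarize(log_text):
    """Count inspected sessions per protocol and collect sessions with no reply.

    A session where the initiator sent data but the responder sent 0 bytes
    is the candidate for 'the firewall/ACL is eating the return traffic';
    a session with a healthy reply (like the pop3 line above) points elsewhere.
    """
    per_proto = defaultdict(int)
    no_reply = []
    for line in log_text.splitlines():
        rec = parse_stop_line(line)
        if rec is None:
            continue
        per_proto[rec["proto"]] += 1
        if rec["ibytes"] > 0 and rec["rbytes"] == 0:
            no_reply.append(rec)
    return dict(per_proto), no_reply


if __name__ == "__main__":
    counts, suspicious = summarize(SAMPLE_LOG)
    print("sessions per protocol:", counts)
    for rec in suspicious:
        print(f"no reply: {rec['proto']} {rec['ihost']}:{rec['iport']} -> {rec['rhost']}:{rec['rport']}")
```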


johnd2310 Wed, 12/19/2007 - 18:53
Hi,

This sounds more like a configuration issue with the mail server (SMTP). The mail server will need to allow your IP to send to other domains, or it should be set to authenticate when you send.

John

p.holley Thu, 12/20/2007 - 05:41
I suspected that as well, but since it works without any of the inspect rules and access lists on the router, I started thinking maybe my config on the router has issues.

johnd2310 Thu, 12/20/2007 - 15:50
Hi,

What mail server are you connecting to? MS Exchange or other?

Try changing ip inspect smtp to ip inspect esmtp, or remove ip inspect smtp.

John
