Secure IOS Firewall Config

p.holley
Level 1

Hi,

I have configured a Cisco 1841 IOS firewall. All works well except for POP3 traffic. If I take out the inspect rule applied outbound on the outside interface and the access list applied inbound on the outside interface, POP3 works.

So I know for sure my config is wrong.

Can someone help, please?

Here is my config:

ip inspect name firewall ftp
ip inspect name firewall http
ip inspect name firewall dns
ip inspect name firewall tcp router-traffic
ip inspect name firewall udp router-traffic
ip inspect name firewall https
ip inspect name firewall smtp
ip inspect name firewall ssh
ip inspect name firewall telnet
ip inspect name firewall pop3
!
interface FastEthernet0/0
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
!
interface Serial0/0/0
 no ip address
 encapsulation frame-relay IETF
 no ip route-cache cef
 no ip route-cache
 no fair-queue
 frame-relay lmi-type ansi
!
interface Serial0/0/0.1 point-to-point
 ip address 99.1.10.11 255.255.255.252
 ip access-group 100 in
 no ip redirects
 no ip proxy-arp
 ip inspect firewall out
 ip nat outside
!
ip nat inside source list 101 interface Serial0/0/0.1 overload
!
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 192.168.0.0 0.0.0.255 any
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any 192.168.0.0 0.0.0.255 time-exceeded
access-list 100 permit icmp any 192.168.0.0 0.0.0.255 packet-too-big
access-list 100 permit icmp any 192.168.0.0 0.0.0.255 traceroute
access-list 100 permit icmp any 192.168.0.0 0.0.0.255 unreachable
access-list 101 permit ip 192.168.0.0 0.0.0.255 any

6 Replies

johnd2310
Level 8

Hi,

Enable audit-trail for pop3 and see what messages you get.

john

**Please rate posts you find helpful**

I will try that, but turning on audit-trail is for all protocols and not just POP3.

This is what I got when I enabled audit-trail for POP3:

Dec 19 2007 17:50:12.151 UTC: %FW-6-SESS_AUDIT_TRAIL: Stop pop3 session: initiator (192.168.0.134:1503) sent 70 bytes -- responder (99.1.20.2:110) sent 1577 bytes

This is the error message the user got on their PC.

Your message did not reach some or all of the intended recipients.

Subject: test

Sent: 12/19/2007 5:51 PM

The following recipient(s) could not be reached:

'tom@hotmail.com' on 12/19/2007 5:51 PM

550 5.7.1 <tom@hotmail.com>... Relaying denied. IP name possibly forged [99.1.10.11]

99.1.10.11 is the IP address of my router facing the public Internet.

Any ideas?
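The audit-trail record quoted above already says a lot: the POP3 session ran to completion (the responder on port 110 sent 1577 bytes back), which suggests the router passed POP3 fine and the failure is on the sending (SMTP) side, where the 550 came from. Because audit-trail output covers every inspected protocol, a small parser helps to read it. The following is an added example of my own, not code from the thread or from Cisco: it parses the %FW-6-SESS_AUDIT_TRAIL Stop records and summarises them per protocol, flagging sessions where the far end never answered. The first sample line is the one from the thread; the others are constructed (the Start line's layout is an assumption and is ignored by the parser).

```python
import re
from collections import defaultdict

# Regex for the CBAC audit-trail "Stop" record. The field layout follows the
# %FW-6-SESS_AUDIT_TRAIL line quoted in the thread.
AUDIT_STOP = re.compile(
    r"%FW-6-SESS_AUDIT_TRAIL: Stop (?P<proto>\S+) session: "
    r"initiator \((?P<ini_ip>[\d.]+):(?P<ini_port>\d+)\) sent (?P<ini_bytes>\d+) bytes -- "
    r"responder \((?P<res_ip>[\d.]+):(?P<res_port>\d+)\) sent (?P<res_bytes>\d+) bytes"
)

# Constructed sample log: line 1 is the real line from the thread; the rest are
# made up to show a Start record (ignored), a second protocol, and a session the
# far end never answered (203.0.113.9 is a documentation address).
SAMPLE_LOG = """\
Dec 19 2007 17:50:12.151 UTC: %FW-6-SESS_AUDIT_TRAIL: Stop pop3 session: initiator (192.168.0.134:1503) sent 70 bytes -- responder (99.1.20.2:110) sent 1577 bytes
Dec 19 2007 17:51:03.004 UTC: %FW-6-SESS_AUDIT_TRAIL_START: Start smtp session: initiator (192.168.0.134:1504) -- responder (99.1.20.2:25)
Dec 19 2007 17:51:09.377 UTC: %FW-6-SESS_AUDIT_TRAIL: Stop smtp session: initiator (192.168.0.134:1504) sent 112 bytes -- responder (99.1.20.2:25) sent 243 bytes
Dec 19 2007 17:52:41.910 UTC: %FW-6-SESS_AUDIT_TRAIL: Stop http session: initiator (192.168.0.57:1602) sent 288 bytes -- responder (203.0.113.9:80) sent 0 bytes
"""


def parse_audit_trail(text):
    """Return one dict per Stop record; lines that are not Stop records are ignored."""
    sessions = []
    for line in text.splitlines():
        m = AUDIT_STOP.search(line)
        if not m:
            continue
        rec = m.groupdict()
        for key in ("ini_port", "ini_bytes", "res_port", "res_bytes"):
            rec[key] = int(rec[key])
        sessions.append(rec)
    return sessions


def classify(session):
    """Label a finished session from its byte counters alone."""
    if session["res_bytes"] == 0:
        return "no-reply"      # client spoke, nothing came back: check ACL, inspection, or the far end
    if session["ini_bytes"] == 0:
        return "no-request"    # session opened but the client never sent anything
    return "completed"         # both sides exchanged data, so the router let the session through


def summarize(sessions):
    """Per-protocol counts of each label."""
    out = defaultdict(lambda: {"sessions": 0, "completed": 0, "no-reply": 0, "no-request": 0})
    for s in sessions:
        out[s["proto"]]["sessions"] += 1
        out[s["proto"]][classify(s)] += 1
    return dict(out)


if __name__ == "__main__":
    parsed = parse_audit_trail(SAMPLE_LOG)
    for s in parsed:
        print(f"{s['proto']:5} {s['ini_ip']}:{s['ini_port']} -> {s['res_ip']}:{s['res_port']} "
              f"{s['ini_bytes']}/{s['res_bytes']} bytes  {classify(s)}")
    print(summarize(parsed))
```

Run against a real `show logging` capture, a protocol whose sessions all end up as "no-reply" is the one to look at first; a protocol whose sessions complete, as POP3 does here, is unlikely to be what the firewall is breaking.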

Hi,

This sounds more like a configuration issue with the mail server (SMTP). The mail server will need to allow your IP to send to other domains, or it should be set to authenticate when you send.

john

**Please rate posts you find helpful**

I suspected that as well, but since it works without any of the inspect rules and access lists on the router, I started thinking maybe my config on the router has issues.

Hi,

What mail server are you connecting to? MS Exchange or other?

Try changing the ip inspect smtp to ip inspect esmtp, or remove ip inspect smtp.

John

**Please rate posts you find helpful**
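John's closing suggestion turns on the difference between the two inspection modes. Basic `smtp` inspection only recognises the original RFC 821 command set, while `esmtp` inspection also understands the extensions a modern mail client uses to authenticate (EHLO, AUTH, STARTTLS). If the mail server is set to relay only for authenticated clients, as John's earlier reply describes, a client whose EHLO and AUTH never get past the router cannot authenticate and is refused with a relay error, which fits the 550 quoted above appearing only while inspection is on. The following added example is mine, not Cisco's code or anything from the thread: a simplified model of the two allow-lists applied to two constructed client transcripts. The command sets are built from the RFCs and are an approximation, not the router's actual inspection tables, and the model only answers "would this command get past inspection", not how the router handles the violating packet.

```python
# Simplified model of CBAC's two SMTP inspection modes. The command sets come
# from RFC 821 (basic SMTP) plus the ESMTP extensions a client uses to
# authenticate (RFC 1869 EHLO, RFC 4954 AUTH, RFC 3207 STARTTLS). They are an
# approximation for illustration, not Cisco's actual inspection tables.
RFC821_COMMANDS = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT",
                   "VRFY", "EXPN", "HELP", "SEND", "SOML", "SAML", "TURN"}
ESMTP_COMMANDS = RFC821_COMMANDS | {"EHLO", "AUTH", "STARTTLS"}

INSPECT_MODES = {"smtp": RFC821_COMMANDS, "esmtp": ESMTP_COMMANDS}


def inspect_client_commands(commands, mode):
    """Walk the client side of an SMTP session and report the first command the
    given inspection mode does not recognise, or 'passed' if all of them do."""
    allowed = INSPECT_MODES[mode]
    for index, line in enumerate(commands):
        verb = line.split(None, 1)[0].upper()
        if verb not in allowed:
            return {"verdict": "rejected", "index": index, "command": line}
    return {"verdict": "passed", "index": None, "command": None}


# Constructed client transcripts (commands only; server replies omitted).
# 1) What a mail client does when it is configured to authenticate before sending.
AUTHENTICATED_SUBMISSION = [
    "EHLO laptop.example.net",
    "AUTH LOGIN",
    "MAIL FROM:<alice@example.net>",
    "RCPT TO:<tom@example.com>",
    "DATA",
    "QUIT",
]
# 2) A plain RFC 821 session with no authentication at all.
PLAIN_SESSION = [
    "HELO laptop.example.net",
    "MAIL FROM:<alice@example.net>",
    "RCPT TO:<tom@example.com>",
    "DATA",
    "QUIT",
]


def compare_modes(commands):
    """Verdict of each inspection mode for one transcript."""
    return {mode: inspect_client_commands(commands, mode) for mode in INSPECT_MODES}


if __name__ == "__main__":
    for name, transcript in (("authenticated", AUTHENTICATED_SUBMISSION),
                             ("plain", PLAIN_SESSION)):
        for mode, result in compare_modes(transcript).items():
            tail = f" at {result['command']!r}" if result["command"] else ""
            print(f"{name:14} under {mode:5}: {result['verdict']}{tail}")
```

The plain session passes both modes, which is why unauthenticated mail is not the case that distinguishes them; the authenticated submission is rejected at its very first command under `smtp` and passes under `esmtp`, which is the behaviour John's suggestion is aimed at.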