12-19-2007 09:53 AM - edited 03-09-2019 07:40 PM
Hi,
I have configured a Cisco 1841 IOS firewall. All works well except for POP3 traffic. If I take out the inspect rule applied outbound on the outside interface and the access list applied inbound on the outside interface, POP3 works.
So I know for sure my config is wrong.
Can someone help, please?
Here is my config:
ip inspect name firewall ftp
ip inspect name firewall http
ip inspect name firewall dns
ip inspect name firewall tcp router-traffic
ip inspect name firewall udp router-traffic
ip inspect name firewall https
ip inspect name firewall smtp
ip inspect name firewall ssh
ip inspect name firewall telnet
ip inspect name firewall pop3
!
interface FastEthernet0/0
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
!
interface Serial0/0/0
 no ip address
 encapsulation frame-relay IETF
 no ip route-cache cef
 no ip route-cache
 no fair-queue
 frame-relay lmi-type ansi
!
interface Serial0/0/0.1 point-to-point
 ip address 99.1.10.11 255.255.255.252
 ip access-group 100 in
 no ip redirects
 no ip proxy-arp
 ip inspect firewall out
 ip nat outside
!
ip nat inside source list 101 interface Serial0/0/0.1 overload
!
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 192.168.0.0 0.0.0.255 any
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any 192.168.0.0 0.0.0.255 time-exceeded
access-list 100 permit icmp any 192.168.0.0 0.0.0.255 packet-too-big
access-list 100 permit icmp any 192.168.0.0 0.0.0.255 traceroute
access-list 100 permit icmp any 192.168.0.0 0.0.0.255 unreachable
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
12-19-2007 12:06 PM
Hi,
Enable audit-trail for pop3 and see what messages you get.
john
12-19-2007 12:13 PM
I will try that, but turning on audit-trail is for all protocols and not just pop3.
12-19-2007 02:10 PM
This is what I got when I enabled audit-trail for pop3
Dec 19 2007 17:50:12.151 UTC: %FW-6-SESS_AUDIT_TRAIL: Stop pop3 session: initiator (192.168.0.134:1503) sent 70 bytes -- responder (99.1.20.2:110) sent 1577 bytes
This is the error message the user got on their PC.
Your message did not reach some or all of the intended recipients.
Subject: test
Sent: 12/19/2007 5:51 PM
The following recipient(s) could not be reached:
'tom@hotmail.com' on 12/19/2007 5:51 PM
550 5.7.1 <tom@hotmail.com>... Relaying denied. IP name possibly forged [99.1.10.11]
99.1.10.11 is the IP address of my router to the public internet.
Any ideas?
12-19-2007 06:53 PM
Hi,
This sounds more like a configuration issue with the mail server (SMTP). The mail server will need to allow your IP to send to other domains, or it should be set to authenticate when you send.
john
12-20-2007 05:41 AM
I suspected that as well, but since it works without any of the inspect rules and access lists on the router, I started thinking maybe my config on the router has issues.
12-20-2007 03:50 PM
Hi,
What mail server are you connecting to? MS Exchange or other?
Try changing ip inspect smtp to ip inspect esmtp, or remove ip inspect smtp.
John
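As an added example (not from the thread, not Cisco code), a small Python checker that parses a flattened IOS config like the one posted above and flags the points raised in this thread: whether the NAT-outside interface carries outbound CBAC inspection and an inbound ACL, whether the inspect list covers pop3, and whether the smtp engine is used where esmtp is needed for authenticated submission. The CONFIG string is a constructed sample built from the posted config.

```python
import re
# Constructed excerpt of the CBAC config posted above (sample input, not a live device).
CONFIG = """\
ip inspect name firewall smtp
ip inspect name firewall pop3
interface Serial0/0/0.1 point-to-point
 ip address 99.1.10.11 255.255.255.252
 ip access-group 100 in
 ip inspect firewall out
 ip nat outside
access-list 100 deny ip 192.168.0.0 0.0.0.255 any
access-list 100 permit icmp any any echo-reply
"""

def parse_ios(text):
    """Split a flat IOS config into inspect lists, interface sub-commands and ACLs."""
    inspect, ifaces, acls, cur = {}, {}, {}, None
    for line in text.splitlines():
        if line.startswith(" ") and cur is not None:   # sub-command of current interface
            ifaces[cur].append(line.strip())
            continue
        cur = None
        if m := re.match(r"ip inspect name (\S+) (\S+)", line):
            inspect.setdefault(m[1], set()).add(m[2])
        elif m := re.match(r"interface (\S+)", line):
            cur, ifaces[m[1]] = m[1], []
        elif m := re.match(r"access-list (\d+) (.+)", line):
            acls.setdefault(m[1], []).append(m[2])
    return inspect, ifaces, acls

def audit(text, needed=("pop3",)):
    """Check each 'ip nat outside' interface; returns findings (empty list = clean)."""
    inspect, ifaces, acls = parse_ios(text)
    findings = []
    for name, cmds in ifaces.items():
        if "ip nat outside" not in cmds:
            continue
        out = next((c.split()[2] for c in cmds if re.match(r"ip inspect \S+ out$", c)), None)
        acl = next((c.split()[2] for c in cmds if re.match(r"ip access-group \d+ in$", c)), None)
        if out is None:
            findings.append(f"{name}: no outbound inspection; return traffic depends on the ACL alone")
        else:
            protos = inspect.get(out, set())
            findings += [f"{name}: inspect list {out} lacks {p}" for p in needed if p not in protos]
            # The smtp engine passes only basic SMTP commands; EHLO/AUTH need esmtp (as John suggests).
            if "smtp" in protos and "esmtp" not in protos:
                findings.append(f"{name}: list {out} inspects smtp; use esmtp for authenticated mail")
        if acl is None:
            findings.append(f"{name}: no inbound ACL on the outside interface")
    return findings
```

Running `audit(CONFIG)` on the sample returns a single finding about smtp versus esmtp; swapping the smtp line for esmtp returns an empty list.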