01-15-2008 07:39 AM - edited 03-11-2019 04:48 AM
I have a client that is using a MindSpring mail account that requires them to use port 587 for their smtp service. They have ip inspects running on their router. The client makes the initial connection, then nothing happens. I am wondering if it's the ip inspect configuration that is causing the issues, any thoughts? Here is the setup for the port in question:
ip inspect name sdm_ins_in_100 cuseeme
ip inspect name sdm_ins_in_100 dns
ip inspect name sdm_ins_in_100 ftp
ip inspect name sdm_ins_in_100 h323
ip inspect name sdm_ins_in_100 https
ip inspect name sdm_ins_in_100 icmp
ip inspect name sdm_ins_in_100 imap
ip inspect name sdm_ins_in_100 pop3
ip inspect name sdm_ins_in_100 netshow
ip inspect name sdm_ins_in_100 rcmd
ip inspect name sdm_ins_in_100 realaudio
ip inspect name sdm_ins_in_100 rtsp
ip inspect name sdm_ins_in_100 esmtp
ip inspect name sdm_ins_in_100 sqlnet
ip inspect name sdm_ins_in_100 streamworks
ip inspect name sdm_ins_in_100 tftp
ip inspect name sdm_ins_in_100 tcp
ip inspect name sdm_ins_in_100 udp
ip inspect name sdm_ins_in_100 vdolive
ip inspect name sdm_ins_in_100 msexch-routing
ip inspect name sdm_ins_in_100 microsoft-ds
ip inspect name sdm_ins_in_100 ms-cluster-net
ip inspect name sdm_ins_in_100 ms-dotnetster
ip inspect name sdm_ins_in_100 ms-sna
ip inspect name sdm_ins_in_100 ms-sql
ip inspect name sdm_ins_in_100 ms-sql-m
ip inspect name sdm_ins_in_100 netbios-dgm
ip inspect name sdm_ins_in_100 netbios-ssn
ip inspect name sdm_ins_in_100 r-winsock
ip inspect name sdm_ins_in_100 citrix
ip inspect name sdm_ins_in_100 citriximaclient
ip inspect name sdm_ins_in_100 ica
ip inspect name sdm_ins_in_100 icabrowser
ip inspect name sdm_ins_in_100 pptp
ip inspect name sdm_ins_in_100 netbios-ns
ip inspect name sdm_ins_in_100 ntp
no ip ips deny-action ips-interface
interface FastEthernet0/0.3
encapsulation dot1Q 3
ip address 172.16.1.25 255.255.252.0
ip access-group 150 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip inspect sdm_ins_in_100 in
ip virtual-reassembly
no snmp trap link-status
no cdp enable
access-list 150 remark Auto generated by SDM for NTP (123) 199.240.130.1
access-list 150 permit udp host 199.240.130.1 eq ntp host 172.16.1.25 eq ntp
access-list 150 permit tcp any any eq 3389
access-list 150 deny ip 127.0.0.0 0.255.255.255 any
access-list 150 deny ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 150 permit eigrp any any
access-list 150 permit ip any any
01-15-2008 01:51 PM
I believe your issue is that the IOS CBAC has a default SMTP entry of port 25. You need to tell the IOS that there is a different port. Try the following from CONFIG mode:
"ip port-map smtp port 587"
Please see the following for more info:
http://www.cisco.com/warp/public/110/iosfwfaq.html#qa6
Hope this helps,
Luke
01-16-2008 07:17 AM
Would that change all the smtp traffic to port 587? They use a few different off site servers and esmtp for syncing their blackberries and what not. CBAC doesn't allow of smtp and esmtp to be configured.
01-16-2008 07:32 AM
Ok, since you don't want to break other traffic on 25, you can create a user defined port map and attach that to the inspect rule. Take a look at my second link in my original post at "user defined port mapping". You can create another inspect rule, name it as you wish, and attach it to your inspect group.
--Luke
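The user-defined port mapping suggested in the reply above could look like the following. This is an added example, not configuration posted by anyone in the thread; the name user-submission is hypothetical, and it assumes an IOS release that supports user-defined PAM entries (names beginning with "user-").

```cisco
! Added example; "user-submission" is a hypothetical name.
!
! Map TCP 587 to a user-defined application. The system-defined
! smtp entry on port 25 is left untouched.
ip port-map user-submission port tcp 587
!
! Attach the new application to the inspection rule that is already
! applied inbound on FastEthernet0/0.3. audit-trail logs each session
! so the 587 connections can be confirmed while testing.
ip inspect name sdm_ins_in_100 user-submission audit-trail on
!
! Verify from exec mode:
!   show ip port-map user-submission
!   show ip inspect sessions
```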
01-16-2008 07:34 AM
Thanks Luke, that's the direction I was looking for.