08-07-2008 05:21 AM - edited 03-03-2019 11:03 PM
Hi,
I have 2 Windows domains connected via a site-to-site VPN. Both sites are using IOS router 1811. Each site has an MS Exchange server. They need to exchange mail via ESMTP, but ip inspect smtp has dropped packets.
I have a link from microsoft explaining the symptom.
http://support.microsoft.com/kb/924237
I removed the inspection for smtp/esmtp on outgoing traffic. It worked straight away. But what does ip inspect really inspect? Does this removal downgrade security?
I once configured an FTP server behind a Cisco router. It needed ip inspect ftp to be enabled on incoming traffic to make passive FTP work.
This ip inspection is a black box. When and how should it be used?
Can anybody help?
Thanks
08-10-2008 08:49 AM
Hi,
Try putting an access-list in place that allows SMTP traffic and apply the ACL to the interface.
08-16-2008 02:41 AM
Sorry for the late reply.
I have disabled the inspection of SMTP. Cisco SMTP inspection only allows the 7 minimal SMTP commands. MS Exchange uses extended SMTP commands, which are dropped.
SMTP
This section describes how application inspection works with the Simple Mail Transfer Protocol (SMTP). It includes the following topics:
• Application Inspection
• Sample Configuration
You can use the fixup command to change the default port assignment for SMTP. The command syntax is as follows.
fixup protocol smtp [port[-port]]
The fixup protocol smtp command enables the Mail Guard feature. This restricts mail servers to receiving the seven minimal commands defined in RFC 821, section 4.5.1 (HELO, MAIL, RCPT, DATA, RSET, NOOP, and QUIT). All other commands are rejected.
Microsoft Exchange server does not strictly comply with RFC 821 section 4.5.1, using extended SMTP commands such as EHLO. PIX Firewall will convert any such commands into NOOP commands, which as specified by the RFC, forces SMTP servers to fall back to using minimal SMTP commands only. This may cause Microsoft Outlook clients and Exchange servers to function unpredictably when their connection passes through PIX Firewall.
Use the port option to change the default port assignments from 25. Use the -port option to apply SMTP application inspection to a range of port numbers.
As of Version 5.1 and higher, the fixup protocol smtp command changes the characters in the server SMTP banner to asterisks except for the "2", "0", "0" characters. Carriage return (CR) and linefeed (LF) characters are ignored. PIX Firewall Version 4.4 converts all characters in the SMTP banner to asterisks.
I don't know how to bypass it on an IOS router. What I can do is disable it. It would be appreciated if you know of any way to get around it.
Cheers,
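The Mail Guard behaviour quoted above can be seen end to end with a small model. The following is an added example written for this page; it is not code from the thread, from Cisco, or from the IOS or PIX inspection engine. It implements the command whitelist and banner masking exactly as the quoted text describes them (the banner rule is taken literally, so the digits 2 and 0 survive anywhere they occur), and drives a constructed Exchange-like client against a constructed ESMTP server, once with the filter in the path and once without. The host names, addresses, the EHLO extension list (CHUNKING included, as Exchange advertises it) and the reply strings are all made up for the example; the assumption that the filter only checks verbs outside the DATA phase is mine, since otherwise every header line would be turned into NOOP.

```python
"""Model of the 'Mail Guard' SMTP inspection described in the quoted PIX text.
Added example, not code from the thread or from Cisco: a stateful command
filter plus a constructed ESMTP client/server pair, run with and without it."""
from typing import Dict, List, Optional

# The seven minimal commands of RFC 821 section 4.5.1 that Mail Guard permits.
RFC821_MINIMAL = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}


class MailGuard:
    """Verbs are checked only outside the DATA phase (assumption: a command
    filter must skip message content, or every header line would become NOOP)."""

    def __init__(self) -> None:
        self.in_data = False

    def command(self, line: str) -> str:
        if self.in_data:                        # message body passes through
            self.in_data = line.strip() != "."
            return line
        verb = line.strip().split(" ", 1)[0].upper()
        if verb not in RFC821_MINIMAL:          # EHLO, AUTH, BDAT, STARTTLS, ...
            return "NOOP\r\n"
        self.in_data = verb == "DATA"
        return line

    @staticmethod
    def banner(banner: str) -> str:
        """Every banner character becomes '*' except '2', '0' and CR/LF; the
        quoted wording is taken literally, so those digits survive anywhere."""
        return "".join(c if c in "20\r\n" else "*" for c in banner)


class ToyEsmtpServer:
    """Constructed server: advertises extensions (CHUNKING included, as Exchange
    does) in reply to EHLO and otherwise speaks plain RFC 821."""
    BANNER = "220 mail.example.com Microsoft ESMTP MAIL Service ready\r\n"
    EHLO_REPLY = "250-mail.example.com\r\n250-SIZE 10485760\r\n250-CHUNKING\r\n250 8BITMIME\r\n"
    CANNED = {"HELO": "250 mail.example.com\r\n", "NOOP": "250 2.0.0 OK\r\n",
              "RSET": "250 2.0.0 OK\r\n", "MAIL": "250 2.1.0 OK\r\n",
              "RCPT": "250 2.1.5 OK\r\n", "QUIT": "221 2.0.0 Bye\r\n",
              "DATA": "354 End data with <CR><LF>.<CR><LF>\r\n"}

    def __init__(self) -> None:
        self.in_data = False   # between DATA and the terminating "."
        self.bdat_left = 0     # bytes still owed after a BDAT command

    def reply(self, line: str) -> str:
        if self.bdat_left > 0:
            self.bdat_left -= len(line)
            return "250 2.0.0 Chunk OK\r\n" if self.bdat_left <= 0 else ""
        if self.in_data:
            self.in_data = line.strip() != "."
            return "" if self.in_data else "250 2.6.0 Queued\r\n"
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            return self.EHLO_REPLY
        if verb == "BDAT":
            self.bdat_left = int(arg.split()[0])
            return ""          # reply is sent once the whole chunk has arrived
        self.in_data = verb == "DATA"
        return self.CANNED.get(verb, "500 5.5.1 Command unrecognized\r\n")


def run_session(guard: Optional[MailGuard]) -> Dict[str, object]:
    """Exchange-like client: sends EHLO, prefers BDAT when CHUNKING is offered."""
    server = ToyEsmtpServer()
    transcript: List[str] = []
    rewritten: List[str] = []

    def send(line: str) -> str:
        wire = guard.command(line) if guard else line
        shown = "C: " + line.strip().replace("\r\n", "\\r\\n")
        if wire != line:
            rewritten.append(line.split()[0].upper())
            shown += f"   [inspection rewrote this to {wire.strip()}]"
        transcript.append(shown)
        resp = server.reply(wire)
        transcript.extend("S: " + r for r in resp.splitlines())
        return resp

    transcript.append("S: " + (guard.banner(server.BANNER) if guard else server.BANNER).strip())
    ehlo = send("EHLO client.example.net\r\n")
    # Extensions are the EHLO reply lines after the first; a NOOP reply has none.
    extensions = {l[4:].split()[0].upper() for l in ehlo.splitlines()[1:] if l.startswith("250")}
    send("MAIL FROM:<alice@example.net>\r\n")
    send("RCPT TO:<bob@example.com>\r\n")
    payload = "Subject: hi\r\n\r\nhello\r\n"
    if "CHUNKING" in extensions:
        mode = "BDAT"
        send(f"BDAT {len(payload)} LAST\r\n")
        send(payload)
    else:
        mode = "DATA"
        send("DATA\r\n")
        send(payload)
        send(".\r\n")
    send("QUIT\r\n")
    return {"transcript": transcript, "extensions": extensions, "mode": mode, "rewritten": rewritten}


if __name__ == "__main__":
    for label, guard in (("no smtp inspection", None), ("ip inspect smtp", MailGuard())):
        r = run_session(guard)
        print(f"--- {label}: delivered via {r['mode']}, rewritten {r['rewritten']}")
        print("\n".join(r["transcript"]))
```

Running it prints both transcripts. Without the filter the client sees CHUNKING in the EHLO reply and sends the message with BDAT; with the filter the EHLO becomes a NOOP, the server answers a bare 250, the client learns no extensions and falls back to MAIL/RCPT/DATA, and the banner leaves the wire as "220" followed by asterisks. That is the whole of what this inspection buys: a verb whitelist applied outside the DATA phase and a masked banner. It does not look inside message content, so removing it costs the ability to block non-RFC 821 verbs on port 25, nothing more, and the stateful filter still passes message bodies untouched.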