smtp ehlo on a 877 router

Unanswered Question
Aug 19th, 2008


I recently purchased my first Cisco device: an 877 ADSL router.

I set up some NATs, but the problem I have is that I need the EHLO 'function' of my SMTP server. The 877 mangles this so the server does not see EHLO but XXXX; HELO comes through without problems.

I think this has to do with inspection but I can't locate this.

Since I know nothing about Cisco's command line I'm using SDM Express, and sometimes SDM.

Any suggestions?

Thanks for any help.


Koenraad Lelong.

KoenraadL Tue, 08/19/2008 - 06:56

Thanks for the reply, but ...

In the document you refer to it is written:

CBAC is supported in the 1600 and 2500 series.

I have an 800 series device, so unfortunately it does not apply to me. If it does apply to me (the document seems to be from 2002), I don't know how to see if CBAC is on.


Koenraad Lelong.

P.S. If a configuration file is needed, I'll be happy to post it.

stephen.stack Tue, 08/19/2008 - 07:04

OK, so look at your config. If you have a line in it such as

ip inspect name MY_FW esmtp

then CBAC is on. Content Based Access Control is a concept rather than a command or set of commands; the commands are an ACL on your external interface and the above-mentioned ip inspect rules.
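As an added illustration of the setup Stephen describes (this is not configuration from the thread or from Koenraad's router), here is a minimal classic CBAC configuration on a dialer interface: the inspection rules, the inbound ACL on the outside interface, and the show commands that confirm inspection is active. The rule names FW_OUT and FW_IN, the ACL name OUTSIDE_IN and the interface names are assumptions. The security-relevant detail is the keyword: the older `smtp` inspection only accepts the basic RFC 821 command set and rewrites any other command, EHLO included, to a string of X's before forwarding it to the server, which produces exactly the symptom in the first post; the `esmtp` keyword understands the extended command set.

```cisco
! Added example, not from the thread.  Assumed names: rules FW_OUT / FW_IN,
! ACL OUTSIDE_IN, outside interface Dialer0.
!
! Sessions started from inside: generic TCP/UDP inspection opens the return path.
ip inspect name FW_OUT tcp
ip inspect name FW_OUT udp
!
! Sessions started from outside towards the published mail server.  'esmtp'
! accepts EHLO and the other ESMTP verbs; the older 'smtp' keyword rewrites
! any command it does not know to X's on its way to the server.  Use one of
! the two keywords for a given rule, not both.
ip inspect name FW_IN esmtp
!
! Inbound filter on the outside interface.  Only the mail port is opened
! explicitly; everything else gets in only through the dynamic openings CBAC
! creates for sessions that were started from inside.
ip access-list extended OUTSIDE_IN
 permit tcp any any eq smtp
 deny   ip any any log
!
interface Dialer0
 ip access-group OUTSIDE_IN in
 ip inspect FW_OUT out
 ip inspect FW_IN in
!
! Verification from privileged EXEC:
!   show ip inspect config            - protocols each rule inspects (smtp vs esmtp)
!   show ip inspect interfaces        - which interface/direction each rule is on
!   show ip inspect sessions detail   - live sessions, including the SMTP one
```

If `show ip inspect config` shows the `smtp` keyword on a rule applied in the direction of the inbound mail session, that rule is the one rewriting EHLO; there is nothing wrong at the mail server.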


KoenraadL Wed, 08/20/2008 - 00:26

There is no ip inspect, but many 'class-map type inspect'. And esmtp is not there, although there is a 'smtp extended'.

I enclosed my config. I edited it to delete security information.


Koenraad Lelong.

stephen.stack Wed, 08/20/2008 - 00:31

That's odd. I cannot open the attachment. You have a policy-based Cisco IOS firewall setup. I'm not very familiar with it in terms of configuration, but get me the config file and I'll give you the commands to remove SMTP inspection.



stephen.stack Wed, 08/20/2008 - 00:58

Only the text name of the config is there. Strange. Anyway, email it to me...stephenstack(at)

stephen.stack Wed, 08/20/2008 - 01:22

OK, then try this set of commands in command mode, not in SDM.

class-map type inspect match-any sdm-cls-insp-traffic

no match protocol smtp extended

Also, I don't actually know if you need this server on 26 or if it is even working for you.

But instead of

ip nat inside source static tcp 25 interface Dialer0 26

remove it using this

no ip nat inside source static tcp 25 interface Dialer0 26

try this

ip nat inside source static tcp 25 interface Dialer0 25 extendable

Is it the case that SMTP is now broken? If so, type show start at the command prompt and see if there is a difference between the startup config and the running config. If there is, put back the commands that you removed.

In IOS, if you remove a 'sub' command, you need to put that command back under the main command.

Look for the indents.


interface dialer 0

no ip redirects

To put back the no ip redirects command you need to type interface dialer 0 first.



KoenraadL Wed, 08/20/2008 - 02:08

Strange things happen: I tried to enter those commands via SSH into the router, but there was an error: invalid input detected ... and the ^ points at the 'a' of 'class-m...'. And I have privilege 15. But ? does not show class-map as a command.

One of the things I tried with SDM was removing that line. If I let SDM show what it does, it's the same sequence of commands, except there are more (it removes some lines and then adds some of them back).

But it does not work, which means EHLO does not get through, while HELO is fine.

About port 26: for now I want to receive mail from external port 25. I want to receive mail from external port 26. It works as I want it to, except for the problem we're addressing here.

Actually, by now I'm fairly convinced my new mail server works as expected and I could remove that port 26 and make it live, but the EHLO thing remains.

Thanks for your effort.

stephen.stack Wed, 08/20/2008 - 03:49

OK, Have a look at these for EHLO.

The second page shows how to configure the IOS policy/zone-based firewall for ESMTP/EHLO.

Also, try this. From a host outside the firewall, telnet to port 25 and then type EHLO.

Now go back to the router and type sh log.

Post the results relevant to SMTP here and I'll have a look at this.
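For the zone-based (policy) firewall that Koenraad's SDM-generated config uses, here is an added example of the ESMTP-aware variant together with the check Stephen suggests; it is not configuration from the thread or from the linked Cisco page. Zone, class-map, policy-map and ACL names, the inside interface Vlan1 and the inside mail host 192.168.1.10 are all assumptions. The same keyword distinction applies here as in classic CBAC: `match protocol smtp` inspects only the basic command set, `match protocol smtp extended` inspects ESMTP and therefore passes EHLO. The layer-7 `class-map type inspect smtp` syntax is only accepted on IOS releases that include it, so this example sticks to the layer-4 class-map form. All of these are global configuration commands, so they are entered after `configure terminal`, not from the plain privileged prompt.

```cisco
! Added example, not from the thread.  Assumed: zones inside/outside,
! inside interface Vlan1, mail host 192.168.1.10, outside interface Dialer0.
!
! Publish the mail server on the dialer's public address, port 25 to port 25.
ip nat inside source static tcp 192.168.1.10 25 interface Dialer0 25 extendable
!
! ZBF classification for outside-to-inside traffic happens after NAT, so the
! ACL names the inside (private) address of the mail host, not the dialer IP.
ip access-list extended TO_MAILHOST
 permit tcp any host 192.168.1.10 eq smtp
!
! match-all: both the destination and the protocol must match.
! 'smtp extended' = ESMTP inspection (EHLO passes); plain 'smtp' would only
! accept the basic command set and rewrite EHLO on its way to the server.
class-map type inspect match-all CM_INBOUND_MAIL
 match access-group name TO_MAILHOST
 match protocol smtp extended
!
policy-map type inspect PM_OUT_TO_IN
 class type inspect CM_INBOUND_MAIL
  inspect
 class class-default
  drop log
!
zone security inside
zone security outside
!
zone-pair security OUT_TO_IN source outside destination inside
 service-policy type inspect PM_OUT_TO_IN
!
interface Vlan1
 zone-member security inside
interface Dialer0
 zone-member security outside
!
! Verification from privileged EXEC:
!   show zone-pair security                                    - zone pairs and the policy bound to each
!   show class-map type inspect                                - which class-maps say 'smtp' and which 'smtp extended'
!   show policy-map type inspect zone-pair OUT_TO_IN sessions  - live inspected sessions on this pair
!
! The external check, from a host outside the router:
!   telnet <public address> 25      -> expect the server's 220 greeting
!   EHLO test.example               -> 250 lines if EHLO arrived intact
! If the same server answers HELO with 250 but answers EHLO with a 500-class
! "command unrecognized" error, the verb was rewritten in transit.  The exact
! wording of that error depends on the mail server software, not on the router.
```

Run `show class-map type inspect` first: if any class-map that the outside-to-inside policy inspects still carries plain `match protocol smtp`, that is the class rewriting EHLO, regardless of what SDM shows in its GUI.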


KoenraadL Wed, 08/20/2008 - 05:20

Thanks for the links.

I tried this from the second one (Preventing ESMTP Inspection: Example):

configure terminal

class-map type inspect smtp c1

match cmd verb EHLO

but the last line gives an error: invalid input ...

If I try

match ?

I get:

data-length Specify data transfer length per session

About the log: I get nothing about SMTP. I powered off the device and then I tried EHLO. Nothing gets in the log. All I get is stuff about booting. Maybe it's not active?


Koenraad Lelong

