08-19-2008 01:49 AM - edited 03-06-2019 12:53 AM
Hi,
I recently purchased my first Cisco device: an 877 ADSL router.
I set up some NATs, but the problem I have is that I need the EHLO 'function' of my SMTP server. The 877 mangles this so the server does not see EHLO but XXXX; HELO comes through without problems.
I think this has to do with inspection but I can't locate this.
Since I know nothing about Cisco's command line I'm using SDM Express, and sometimes SDM.
Any suggestions?
Thanks for any help.
Regards,
Koenraad Lelong.
08-19-2008 06:03 AM
This is standard behaviour.
If CBAC is turned on then you can turn off ESMTP inspection by running this:
no ip inspect name INSP_NAME esmtp
HTH - pls rate if it does.
Stephen
08-19-2008 06:56 AM
Thanks for the reply, but ...
In the document you refer to is written:
CBAC is supported in the 1600 and 2500 series.
I have an 800 series device, so unfortunately it does not apply to me. If it does apply to me (the document seems to be from 2002), I don't know how to see if CBAC is on.
Regards,
Koenraad Lelong.
P.S. If a configuration file is needed, I'll be happy to post it.
08-19-2008 07:04 AM
OK, so look at your config. If you have a line in it such as
ip inspect name MY_FW esmtp
then CBAC is on. Content Based Access Control is a concept instead of a command or set of commands. The commands are an ACL on your external interface and the above-mentioned ip inspect rules.
Stephen
08-20-2008 12:26 AM
08-20-2008 12:31 AM
That's odd. I cannot open the attachment. You have a policy-based Cisco IOS firewall setup. Not very familiar with it in terms of configuration but get me the config file and I'll give you the commands to remove SMTP inspection.
Regards
Stephen
08-20-2008 12:51 AM
08-20-2008 12:58 AM
Only the text name of the config is there. Strange. Anyway, email it to me...stephenstack(at)gmail.com
08-20-2008 01:22 AM
OK, then try this set of commands in command mode, not in SDM.
class-map type inspect match-any sdm-cls-insp-traffic
no match protocol smtp extended
Also, I don't actually know if you need this server on 26 or if it is even working for you.
But instead of
ip nat inside source static tcp 10.0.0.5 25 interface Dialer0 26
remove it using this
no ip nat inside source static tcp 10.0.0.5 25 interface Dialer0 26
try this
ip nat inside source static tcp 10.0.0.5 25 interface Dialer0 25 extendable
Is it the case that SMTP is now broken? If so, type 'show start' at the command prompt and see if there is a difference
between the startup config and the running config. If there is, put back the commands that you removed.
In IOS, if you remove a 'sub' command, you need to put that command back under the main command.
Look for the indents.
i.e.
interface dialer 0
no ip redirects
To put back the 'no ip redirects' command you need to type 'interface dialer 0' first.
HTH
Stephen
08-20-2008 02:08 AM
Strange things happen: I tried to enter those commands via SSH into the router, but there was an error: invalid input detected ... and the ^ points at the 'a' from 'class-m...'. And I have privilege 15. But ? does not show class-map as a command.
One of the things I tried with SDM was removing that line. If I let SDM show what it does, it's the same sequence of commands, except there are more (it removes some lines and then it adds some of them back).
But it does not work, which means EHLO does not get through, while HELO is fine.
About port 26: for now I want 10.0.0.4:25 to receive mail from external port 25. I want 10.0.0.5:25 to receive mail from external port 26. It works like I want it to, except for the problem we're addressing here.
Actually, by now I'm fairly convinced my new mail-server works as expected and I could remove that port 26 and make it live, but the ehlo thing remains.
Thanks for your effort.
08-20-2008 03:49 AM
OK, have a look at these for EHLO.
The second page shows how to configure the IOS policy/zone-based firewall for ESMTP/EHLO.
Also, try this. From a host outside the firewall, telnet
Now go back to the router and type sh log.
Post the results relevant to SMTP here and I'll have a look at this.
Stephen
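The check suggested above (connect from a host outside the firewall and see what the server answers) can be scripted. The following is an added example written for this thread, not the poster's or Cisco's code: it opens an SMTP session, sends EHLO and then HELO, and classifies the two replies. When the router's ESMTP inspection is masking EHLO, the server never sees that verb, so it rejects it with a 5xx reply while the plain HELO still gets a 250; that pattern is reported as `ehlo-rejected-helo-ok`. The sample replies embedded in the block are constructed for illustration; the host name `probe.example` and the verdict strings are assumptions of this example.

```python
"""Probe an SMTP server for EHLO support and spot EHLO masking by a firewall.

Added example for this thread (not the poster's or Cisco's code). Usage:
    python smtp_ehlo_probe.py <host> [port]
"""
import io
import socket

CRLF = b"\r\n"


def parse_reply(lines):
    """Split raw SMTP reply lines into (numeric code, list of text parts).

    Multi-line replies use 'NNN-' continuation lines and end with 'NNN text'.
    """
    if not lines:
        raise ValueError("empty reply")
    code = lines[0][:3]
    if not (len(code) == 3 and code.isdigit()):
        raise ValueError(f"malformed reply line: {lines[0]!r}")
    return int(code), [line[4:] for line in lines]


def read_reply(rfile):
    """Read one complete (possibly multi-line) reply from a binary file-like object."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":  # 'NNN ' (or a bare 'NNN') ends the reply
            return lines


def read_replies(data, count):
    """Parse `count` consecutive replies out of an in-memory transcript (used for offline checks)."""
    rfile = io.BytesIO(data)
    return [read_reply(rfile) for _ in range(count)]


def classify(ehlo_reply, helo_reply):
    """Return (verdict, extension keywords) from the EHLO and HELO reply lines."""
    ehlo_code, ehlo_text = parse_reply(ehlo_reply)
    helo_code, _ = parse_reply(helo_reply)
    if 200 <= ehlo_code < 300:
        # First line is the server's greeting; the remaining lines list ESMTP extensions.
        extensions = [t.split()[0].upper() for t in ehlo_text[1:] if t.strip()]
        return "esmtp-ok", extensions
    if 500 <= ehlo_code < 600 and 200 <= helo_code < 300:
        # Typical symptom of ESMTP inspection rewriting the verb: the server
        # saw something other than EHLO and rejected it, but HELO works.
        return "ehlo-rejected-helo-ok", []
    if 500 <= ehlo_code < 600:
        return "both-rejected", []
    return "unexpected", []


def probe(host, port=25, helo_name="probe.example", timeout=10.0):
    """Connect, send EHLO then HELO, QUIT, and return classify()'s verdict."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        rfile = sock.makefile("rb")
        banner = read_reply(rfile)
        if parse_reply(banner)[0] != 220:
            return "no-banner", []
        sock.sendall(b"EHLO " + helo_name.encode("ascii") + CRLF)
        ehlo_reply = read_reply(rfile)
        sock.sendall(b"HELO " + helo_name.encode("ascii") + CRLF)
        helo_reply = read_reply(rfile)
        sock.sendall(b"QUIT" + CRLF)
        read_reply(rfile)  # 221 Bye; ignored
        return classify(ehlo_reply, helo_reply)


# Constructed sample replies (not captured from the thread's server).
SAMPLE_OK_EHLO = [
    "250-mail.example Hello probe.example",
    "250-SIZE 10240000",
    "250-STARTTLS",
    "250 8BITMIME",
]
SAMPLE_MASKED_EHLO = ['500 5.5.1 Command unrecognized: "XXXX probe.example"']
SAMPLE_HELO = ["250 mail.example Hello probe.example"]

if __name__ == "__main__":
    import sys

    print("sample, no inspection:", classify(SAMPLE_OK_EHLO, SAMPLE_HELO))
    print("sample, EHLO masked:  ", classify(SAMPLE_MASKED_EHLO, SAMPLE_HELO))
    if len(sys.argv) > 1:
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 25
        print("live probe:", probe(sys.argv[1], port))
```

Run it against the public address while the inspection rule is in place and again after removing it; the verdict should move from `ehlo-rejected-helo-ok` to `esmtp-ok`, and the returned extension list tells you which ESMTP features (STARTTLS, SIZE, 8BITMIME) outside senders can now negotiate.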
08-20-2008 05:20 AM
Thanks for the links.
I tried this from the second one (Preventing ESMTP Inspection: Example):
configure terminal
class-map type inspect smtp c1
match cmd verb EHLO
but the last line gives an error: invalid input ...
If I try
match ?
I get:
data-length Specify data transfer length per session
About the log: I get nothing about SMTP. I powered off the device and then I tried EHLO. Nothing gets in the log. All I get is stuff about booting. Maybe it's not active?
Thanks,
Koenraad Lelong