smtp ehlo on a 877 router

KoenraadL
Level 1
Level 1

Hi,

I recently purchased my first Cisco device: an 877 ADSL router.

I set up some NATs, but the problem I have is that I need the EHLO 'function' of my SMTP server. The 877 mangles this so the server does not see EHLO but XXXX; HELO comes through without problems.

I think this has to do with inspection but I can't locate this.

Since I know nothing about Cisco's command line I'm using SDM Express, and sometimes SDM.

Any suggestions?

Thanks for any help.

Regards,

Koenraad Lelong.

11 Replies

stephen.stack
Level 4
Level 4

This is standard behaviour.

http://www.windowsecurity.com/whitepapers/Cisco_IOS_Firewall_Feature_Set_and_ContextBased_Access_Control_.html

If CBAC is turned on then you can turn off ESMTP inspection by running this

no ip inspect name INSP_NAME esmtp

HTH - pls rate if it does.

Stephen

========================== http://www.rconfig.com A free, open source network device configuration management tool, customizable to your needs! - Always vote on an answer if you found it helpful

Thanks for the reply, but ...

In the document you refer to it is written:

CBAC is supported in the 1600 and 2500 series.

I have an 800 series device, so unfortunately it does not apply to me. If it does apply to me (the document seems to be from 2002), I don't know how to see if CBAC is on.

Regards,

Koenraad Lelong.

P.S. If a configuration file is needed, I'll be happy to post it.

OK, so look at your config. If you have a line in it such as

ip inspect name MY_FW esmtp

Then CBAC is on. Context-Based Access Control is a concept instead of a command or set of commands. The commands are an ACL on your external interface and the above-mentioned ip inspect rules.

Stephen

There is no ip inspect, but many 'class-map type inspect'. And esmtp is not there, although there is a 'smtp extended'.

I enclosed my config. I edited it to delete security information.

Regards,

Koenraad Lelong.

That's odd. I cannot open the attachment. You have a policy-based Cisco IOS firewall setup. I'm not very familiar with it in terms of configuration, but get me the config file and I'll give you the commands to remove SMTP inspection.

Regards

Stephen

New try with the config file. This time in DOS mode (CR/LF).

Only the text name of the config is there. Strange. Anyway, email it to me... stephenstack(at)gmail.com

OK, then try this set of commands in command mode, not in SDM.

class-map type inspect match-any sdm-cls-insp-traffic

no match protocol smtp extended

Also, I don't actually know if you need this server on 26 or if it is even working for you.

But instead of

ip nat inside source static tcp 10.0.0.5 25 interface Dialer0 26

remove it using this

no ip nat inside source static tcp 10.0.0.5 25 interface Dialer0 26

try this

ip nat inside source static tcp 10.0.0.5 25 interface Dialer0 25 extendable

Is it the case that SMTP is now broken? If so, type show start at the command prompt and see if there is a difference between the startup config and the running config. If there is, put back the commands that you removed.

In IOS, if you remove a 'sub' command, you need to put that command back under the main command.

Look for the indents.

i.e.

interface dialer 0

no ip redirects

To put back the no ip redirects command you need to type interface dialer 0 first.

HTH

Stephen

Strange things happen: I tried to enter those commands via SSH into the router, but there was an error: invalid input detected ... and the ^ points at the 'a' from 'class-m...'. And I have privilege 15. But ? does not show class-map as a command.

One of the things I tried with SDM was removing that line. If I let SDM show what it does, it's the same sequence of commands, except there are more (it removes some lines and then it adds some of them back).

But it does not work, which means EHLO does not get through, while HELO is fine.

About port 26: for now I want 10.0.0.4:25 to receive mail from external port 25. I want 10.0.0.5:25 to receive mail from external port 26. It works like I want it to, except for the problem we're addressing here.

Actually, by now I'm fairly convinced my new mail server works as expected and I could remove that port 26 and make it live, but the EHLO thing remains.

Thanks for your effort.

OK, have a look at these for EHLO.

http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_esmtp_fwall_supp_ps6441_TSD_Products_Configuration_Guide_Chapter.html

http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_app_insp_ctrl_smtp.html#wp1090033

The second page shows how to configure the IOS policy/zone-based FW for ESMTP/EHLO.

Also, try this: from a host outside the firewall, telnet to port 25 then type ehlo.

Now go back to the router and type sh log.

Post the results relevant to SMTP here and I'll have a look at this.

Stephen

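A scripted version of the check Stephen describes (connect to port 25 from outside the router and send EHLO), added here as an example and not code from the thread. It tells apart a server that saw EHLO (250 plus its extension list) from one that saw an unrecognised verb such as the XXXX the router substitutes (500/502), and sends HELO afterwards for comparison; the probe host name, the HELO identity and the sample replies are assumptions.

```python
"""Probe whether an SMTP server behind the router still receives EHLO."""
import socket


def parse_reply(raw: bytes) -> tuple[int, list[str]]:
    """Split a single- or multi-line SMTP reply into (status code, text lines).
    Lines look like 'NNN-text' (more follow) or 'NNN text' (last line)."""
    lines = raw.decode("ascii", errors="replace").splitlines()
    if not lines or len(lines[0]) < 3 or not lines[0][:3].isdigit():
        raise ValueError(f"not an SMTP reply: {raw!r}")
    return int(lines[0][:3]), [ln[4:] for ln in lines]


def classify_ehlo_reply(raw: bytes) -> str:
    """Interpret the server's answer to EHLO.
    250     -> the server saw EHLO and advertised its ESMTP extensions.
    500/502 -> the server saw an unknown verb (e.g. 'XXXX' after the router
               rewrote it) or does not speak ESMTP; compare with HELO."""
    code, _ = parse_reply(raw)
    if code == 250:
        return "ehlo-accepted"
    if code in (500, 502):
        return "ehlo-not-recognised"
    return f"unexpected-{code}"


def recv_reply(sock: socket.socket) -> bytes:
    """Read until the reply's final line (4th character is a space, not '-')."""
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
        if buf.endswith(b"\r\n"):
            last = buf[:-2].rsplit(b"\r\n", 1)[-1]
            if len(last) >= 4 and last[3:4] == b" ":
                return buf


def probe(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Run from a host outside the firewall: banner, EHLO, HELO, QUIT."""
    result = {}
    with socket.create_connection((host, port), timeout=timeout) as s:
        result["banner"] = parse_reply(recv_reply(s))[1][0]
        s.sendall(b"EHLO probe.example\r\n")  # assumed probe identity
        result["ehlo"] = classify_ehlo_reply(recv_reply(s))
        s.sendall(b"HELO probe.example\r\n")
        result["helo_code"] = parse_reply(recv_reply(s))[0]
        s.sendall(b"QUIT\r\n")
    return result


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # python probe.py <public-ip-or-name> [port]
        print(probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 25))
    else:  # offline demo on a constructed reply resembling a rewritten EHLO
        print(classify_ehlo_reply(b'500 5.5.1 Command unrecognized: "XXXX"\r\n'))
```

If the script reports ehlo-not-recognised while helo_code is 250, the verb is being rewritten in transit rather than rejected by the mail server itself.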
Thanks for the links.

I tried this from the second one (Preventing ESMTP Inspection: Example)

configure terminal

class-map type inspect smtp c1

match cmd verb EHLO

but the last line gives an error: invalid input ...

If I try

match ?

I get:

data-length Specify data transfer length per session

About the log: I get nothing about SMTP. I powered off the device and then I tried ehlo. Nothing gets in the log. All I get is stuff about booting. Maybe it's not active?

Thanks,

Koenraad Lelong