After deleting "unrecognized firewall" by CCA and adding telnet access to my access list for my WAN port, my POP email client is being shut down by the router?
How do I fix this?
```
ip address 18.104.22.168 255.255.255.192
ip access-group 104 in
ip verify unicast reverse-path
ip nat outside
ip inspect SDM_MEDIUM out
service-policy input sdmappfwp2p_SDM_MEDIUM
service-policy output sdmappfwp2p_SDM_MEDIUM
```

```
Extended IP access list 104
5 permit tcp any any eq telnet (135 matches)
10 deny ip 10.1.10.0 0.0.0.3 any
20 deny ip 10.1.1.0 0.0.0.255 any
30 deny ip 192.168.10.0 0.0.0.255 any
40 permit udp host 22.214.171.124 eq domain any (7245 matches)
50 permit udp host 126.96.36.199 eq domain any (3192 matches)
60 permit icmp any host 188.8.131.52 echo-reply
70 permit icmp any host 184.108.40.206 time-exceeded
80 permit icmp any host 220.127.116.11 unreachable
90 deny ip 10.0.0.0 0.255.255.255 any (24 matches)
100 deny ip 172.16.0.0 0.15.255.255 any
110 deny ip 192.168.0.0 0.0.255.255 any
120 deny ip 127.0.0.0 0.255.255.255 any
130 deny ip host 255.255.255.255 any
140 deny ip host 0.0.0.0 any
150 deny ip any any log (36 matches)
```
The rules you're referencing are CBAC firewall rules (Context Based Access Control). One is for POP3 and the other is used for IMAP mail servers. They are stateful inspection rules that work at the application layer of the OSI reference model. Essentially, the Cisco CBAC firewall is not only capable of allowing TCP applications out through the firewall and then back in again for something like a POP3 session, but it is also capable of monitoring the code/commands issued by those protocols by inspecting the contents of the packets. This can be used to prevent a custom program from issuing illegal commands to a server in an attempt to crash it (usually via a buffer overflow). It's unlikely that these rules are causing you grief, but I suppose it's possible.
I would try removing the rule "ip inspect name SDM_MEDIUM pop3 reset", as it could be resetting your connection for some reason. You can always reinstate the rule in the same manner minus the "no" modifier.
```
Router# config t
Router(config)# no ip inspect name SDM_MEDIUM pop3 reset
```
You can test a POP3 connection from the command prompt (the C:\> prompt in Windows) by using the telnet application to connect to the POP3 port (110) of your ISP's mail server. It's a low-level way of determining if you're getting out through the firewall successfully. Replace the bogus address "mail.yourisp.com" with the real address of your ISP's POP3 server. Also, you may wish to temporarily disable any firewall on your Windows workstation. Norton Internet Security has caused me endless grief when it comes to POP3 connections.
## Telnet to POP3 Port Example (successful)
```
jason-neumanns-macbook:~ jneumann$ telnet mail.yourisp.com 110
Connected to v-msgmmp.yourisp.com.
Escape character is '^]'.
+OK Messaging Multiplexor (Sun Java(tm) System Messaging Server 6.2-3.03 (built Jun 27 2005))
Connection closed by foreign host.
```
Jason C. Neumann
Author: Cisco Routers for the Small Business
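The telnet test in the answer above tells you whether a banner comes back, but a bare telnet session does not make it obvious why a failure happened. The script below is an added example, not code from the thread or from Cisco; it does the same raw TCP-to-port-110 check and classifies the result so that a connection that is reset (what an inspect rule with the reset action would look like from the client side) is distinguished from a silent drop (timeout) and from a refused port. The local stand-in POP3 server, its banner text, the `reset_instead` flag and the address `mail.yourisp.com` are constructed or taken from the post for offline use and are not real infrastructure.

```python
import socket
import struct
import sys
import threading

POP3_PORT = 110  # the port the telnet test in the post connects to


def probe_pop3(host: str, port: int = POP3_PORT, timeout: float = 5.0) -> dict:
    """Open a raw TCP connection and read the POP3 greeting, like `telnet host 110`.

    'outcome' is one of:
      'ok'      - server greeted us with +OK: the path through the firewall works
      'refused' - TCP RST on connect: the port is closed or something answered with a reset
      'reset'   - connection opened, then reset while waiting for the banner
                  (the client-side view of a firewall reset action)
      'timeout' - no SYN/ACK or no banner within `timeout`: a silent drop somewhere
      'closed'  - server accepted and closed without a banner
      'bad-banner' / 'error' - anything else
    """
    result = {"host": host, "port": port, "outcome": "error", "banner": ""}
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            data = s.recv(1024)
            if not data:
                result["outcome"] = "closed"
                return result
            banner = data.decode("ascii", errors="replace").strip()
            result["banner"] = banner
            result["outcome"] = "ok" if banner.startswith("+OK") else "bad-banner"
    except ConnectionRefusedError:
        result["outcome"] = "refused"
    except ConnectionResetError:
        result["outcome"] = "reset"
    except socket.timeout:
        result["outcome"] = "timeout"
    except OSError as exc:  # DNS failure, unreachable network, etc.
        result["error"] = str(exc)
    return result


def start_fake_pop3_server(banner: bytes = b"+OK constructed test server ready\r\n",
                           reset_instead: bool = False):
    """Constructed stand-in for the ISP's POP3 server on 127.0.0.1:<ephemeral>.

    With reset_instead=True it accepts the connection and immediately sends a TCP RST
    (SO_LINGER with zero timeout) instead of a banner, mimicking a reset action.
    Returns (port, stop_function).
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.2)  # lets the accept loop notice the stop flag
    port = srv.getsockname()[1]
    stop_event = threading.Event()

    def serve():
        while not stop_event.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            if reset_instead:
                conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
                conn.close()  # linger 0 on close => RST instead of FIN
            else:
                with conn:
                    conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port, stop_event.set


def closed_port() -> int:
    """Reserve an ephemeral port and release it so a connect attempt gets refused."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # Usage: python probe.py mail.yourisp.com   (placeholder host from the post)
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.yourisp.com"
    print(probe_pop3(target))
```

Run it against the real mail server from the workstation behind the router; an `ok` with the `+OK` banner is the same success the telnet session shows, `reset` points at something actively tearing the session down, and `timeout` points at a drop rather than a reset.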