2811 IOS Firewall

Unanswered Question
Jun 22nd, 2010

I have a 2811 router with an IOS Firewall and I'm trying to enable smtp through. I've added smtp to the access lists but no joy. I even disabled the access lists and applied one with permit tcp any any and still no joy. I'm suspecting the ip inspect list of which I know nothing but I'll post the config here:

ffmrouter#sho ip inspect config
Dropped packet logging is enabled
Session audit trail is disabled
Session alert is enabled
one-minute (sampling period) thresholds are [400:500] connections
max-incomplete sessions thresholds are [400:500]
max-incomplete tcp connections per host is 50. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
dns-timeout is 5 sec
Inspection Rule Configuration
Inspection name SDM_HIGH
    icmp alert is on audit-trail is off timeout 10
    pop3 reset is on alert is on audit-trail is off timeout 3600
    tcp alert is on audit-trail is off timeout 3600
    udp alert is on audit-trail is off timeout 30
    https alert is on audit-trail is off timeout 3600
    Application Policy name SDM_HIGH
      Application http
        strict-http action allow alarm
        port-misuse tunneling action reset alarm


I tried removing the policy from the inside and outside interfaces but lost internet access! Can anyone tell me how I can debug this, or am I barking up the wrong tree?



Jennifer Halim Tue, 06/22/2010 - 03:09

Do you mind sharing your running configuration?

I don't see inspection for SMTP configured as per "show ip inspect config" output posted earlier.

Eggzter100 Tue, 06/22/2010 - 03:17

Yeah hang on...I'll clean it up a bit. I thought of that and tried putting that in but it didn't work, so I took it out again so that it was as I found it. Thanks for the prompt reply.

Eggzter100 Tue, 06/22/2010 - 05:59

Oh hang on! I've sussed it. It was nothing to do with that. There was an old NAT statement pointing at an old Exchange server.

Thanks for your interest.
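The root cause above was a stale static NAT entry rather than the inspection rule. As an added example (not code from this thread or from Cisco), the script below parses a constructed "show running-config" excerpt, lists every static TCP forward for a given outside port, flags the ones that do not point at the host you expect, and reports whether the named inspection rule actually contains that protocol. The rule name, hosts and addresses in the sample are made up.

```python
import re

# Constructed excerpt of a "show running-config", modelled on the thread:
# the SDM_HIGH rule inspects generic tcp but has no smtp entry, and a
# static NAT for port 25 still points at a decommissioned mail host.
# All hostnames, addresses and interface names are hypothetical.
SAMPLE_CONFIG = """\
ip inspect name SDM_HIGH tcp
ip inspect name SDM_HIGH udp
ip inspect name SDM_HIGH pop3 reset
ip nat inside source static tcp 192.0.2.10 25 interface FastEthernet0/0 25
ip nat inside source static tcp 192.0.2.20 443 interface FastEthernet0/0 443
interface FastEthernet0/0
 ip nat outside
 ip inspect SDM_HIGH in
"""

# ip nat inside source static tcp <local-ip> <local-port> {<global-ip> | interface <if>} <global-port>
STATIC_NAT = re.compile(
    r"^ip nat inside source static tcp (\S+) (\d+) (?:interface \S+|\S+) (\d+)"
)
INSPECT_RULE = re.compile(r"^ip inspect name (\S+) (\S+)")


def static_nat_for_port(config, outside_port):
    """Return (inside_ip, inside_port) pairs forwarded from outside_port."""
    hits = []
    for line in config.splitlines():
        m = STATIC_NAT.match(line.strip())
        if m and int(m.group(3)) == outside_port:
            hits.append((m.group(1), int(m.group(2))))
    return hits


def inspected_protocols(config, rule_name):
    """Protocols listed in 'ip inspect name <rule> <proto>' lines for one rule."""
    matches = (INSPECT_RULE.match(line.strip()) for line in config.splitlines())
    return {m.group(2) for m in matches if m and m.group(1) == rule_name}


def audit_service(config, rule_name, proto, port, expected_host):
    """Flag forwards for <port> that miss expected_host and check inspection of <proto>."""
    forwards = static_nat_for_port(config, port)
    return {
        "forwards": forwards,
        "stale": [(ip, p) for ip, p in forwards if ip != expected_host],
        "protocol_inspected": proto in inspected_protocols(config, rule_name),
    }


if __name__ == "__main__":
    # 192.0.2.30 stands in for the current mail server (hypothetical).
    print(audit_service(SAMPLE_CONFIG, "SDM_HIGH", "smtp", 25, "192.0.2.30"))
```

Run it against a saved copy of the running configuration and any entry listed under "stale" is a port forward still pointing at a host other than the one you expect.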
