I have an ISR 2811 which acts as an Internet gateway. This router has a primary Internet connection through a Fast Ethernet interface and a secondary one through an ADSL interface. This router has been configured for inbound and outbound IP inspection on both WAN interfaces. The same inbound access list is already in place on the two WAN interfaces, permitting only HTTP/HTTPS inbound traffic to our web servers and denying all other inbound traffic. All outbound traffic is permitted through this router as well. I have also already configured policy-based routing on this router with a relevant route policy, pushing the outbound traffic from a specific X IP address through the secondary ADSL link and not through the primary Ethernet link that the other intranet users use as the primary Internet path. There is also a static PAT for this X IP address, which uses the public IP address of the associated dialer of the ADSL interface.
What is the problem now? When the user (X IP address) tries to connect to a public POP3/SMTP server, the connection never gets established. When the same user is routed through the Ethernet interface (PBR disabled), the relevant POP3 connection is fine. Again, with PBR enabled, when the same user makes a telnet connection to port 25 on the same public server, the connection is fine. When trying to telnet to port 110, the connection fails. From the log messages I noticed that the POP3 connection never gets established because the return traffic is blocked by the inbound WAN access list on the ADSL interface. However, I cannot understand the reason! Please note again that the two WAN interfaces have the same characteristics regarding CBAC and ACLs. The only difference is the PAT on the secondary interface. Also note that the X IP address has unlimited outbound Internet connection and everything works fine except the POP3 traffic.
Can anyone confirm that POP3 traffic should work fine, or is something going on here with CBAC and PAT enabled?