IOS Firewall Configuration for POP3

p.holley
Level 1

Hi,

I have configured a Cisco 1841 IOS firewall. All works well except for POP3 traffic. If I take out the inspect rule applied outbound on the outside interface and the access list applied inbound on the outside interface, POP3 works.

So I know for sure my config is wrong.

Can someone help, please?

Here is my config:

ip inspect name firewall ftp
ip inspect name firewall http
ip inspect name firewall dns
ip inspect name firewall tcp router-traffic
ip inspect name firewall udp router-traffic
ip inspect name firewall https
ip inspect name firewall smtp
ip inspect name firewall ssh
ip inspect name firewall telnet
ip inspect name firewall pop3
!
interface FastEthernet0/0
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
!
interface Serial0/0/0
 no ip address
 encapsulation frame-relay IETF
 no ip route-cache cef
 no ip route-cache
 no fair-queue
 frame-relay lmi-type ansi
!
interface Serial0/0/0.1 point-to-point
 ip address 99.1.10.11 255.255.252
 ip access-group 100 in
 no ip redirects
 no ip proxy-arp
 ip inspect firewall out
 ip nat outside
!
ip nat inside source list 101 interface Serial0/0/0.1 overload
!
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 192.168.0.0 0.0.0.255 any
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any 192.168.0.0 0.0.0.255 time-exceeded
access-list 100 permit icmp any 192.168.0.0 0.0.0.255 packet-too-big
access-list 100 permit icmp any 192.168.0.0 0.0.0.255 traceroute
access-list 100 permit icmp any 192.168.0.0 0.0.0.255 unreachable
access-list 101 permit ip 192.168.0.0 0.0.0.255 any

2 Replies

p.holley
Level 1

This is what I got when I enabled audit-trail for POP3:

Dec 19 2007 17:50:12.151 UTC: %FW-6-SESS_AUDIT_TRAIL: Stop pop3 session: initiator (192.168.0.134:1503) sent 70 bytes -- responder (99.1.20.2:110) sent 1577 bytes

This is the error message the user got on their PC.

Your message did not reach some or all of the intended recipients.

Subject: test

Sent: 12/19/2007 5:51 PM

The following recipient(s) could not be reached:

'tom@hotmail.com' on 12/19/2007 5:51 PM

550 5.7.1 <tom@hotmail.com>... Relaying denied. IP name possibly forged [99.1.10.11]

99.1.10.11 is the IP address of my router to the public internet.

Any ideas?

Also, this is only for outgoing emails; incoming works.
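The audit-trail record quoted above is the kind of evidence that tells you whether CBAC actually opened the return path for a session: bytes counted in both directions mean the session completed through the firewall, while a stop record with zero responder bytes points at blocked return traffic or a server that never answered. As an added example (not code from the poster or from Cisco), here is a small Python parser for %FW-6-SESS_AUDIT_TRAIL stop records that labels each session accordingly. The first sample line is the one from the thread; the other two are constructed here, and the exact format of the session-start record is an assumption.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample input. The first line is the one quoted in the thread;
# the other two are made up here to show a session-start record (which the
# parser skips; its format is assumed) and a stop record where the responder
# sent nothing.
SAMPLE_LOG = """\
Dec 19 2007 17:50:12.151 UTC: %FW-6-SESS_AUDIT_TRAIL: Stop pop3 session: initiator (192.168.0.134:1503) sent 70 bytes -- responder (99.1.20.2:110) sent 1577 bytes
Dec 19 2007 17:50:40.002 UTC: %FW-6-SESS_AUDIT_TRAIL_START: Start smtp session: initiator (192.168.0.134:1504) -- responder (99.1.20.2:25)
Dec 19 2007 17:51:05.310 UTC: %FW-6-SESS_AUDIT_TRAIL: Stop smtp session: initiator (192.168.0.134:1504) sent 310 bytes -- responder (99.1.20.2:25) sent 0 bytes
"""

# Shape of a CBAC "Stop <proto> session" audit-trail record.
STOP_RE = re.compile(
    r"^(?P<ts>.+?): %FW-6-SESS_AUDIT_TRAIL: Stop (?P<proto>\S+) session: "
    r"initiator \((?P<i_ip>[\d.]+):(?P<i_port>\d+)\) sent (?P<i_bytes>\d+) bytes "
    r"-- responder \((?P<r_ip>[\d.]+):(?P<r_port>\d+)\) sent (?P<r_bytes>\d+) bytes\s*$"
)


@dataclass
class Session:
    timestamp: str
    proto: str
    initiator: str        # "ip:port" of the inside host that opened the session
    initiator_bytes: int
    responder: str        # "ip:port" of the outside server
    responder_bytes: int


def parse_audit_trail(text: str) -> List[Session]:
    """Return one Session per 'Stop ... session' line; other lines are ignored."""
    sessions = []
    for line in text.splitlines():
        m = STOP_RE.match(line)
        if not m:
            continue
        sessions.append(Session(
            timestamp=m["ts"],
            proto=m["proto"],
            initiator=f"{m['i_ip']}:{m['i_port']}",
            initiator_bytes=int(m["i_bytes"]),
            responder=f"{m['r_ip']}:{m['r_port']}",
            responder_bytes=int(m["r_bytes"]),
        ))
    return sessions


def classify(s: Session) -> str:
    """Rough health label based on whether data flowed in both directions.

    'completed'  - both sides sent bytes, so the inspect rule opened the return path
    'no-reply'   - the client sent data but nothing came back (return traffic
                   dropped by the ACL, or a server that never answered)
    'no-request' - the initiator sent nothing at all
    """
    if s.initiator_bytes == 0:
        return "no-request"
    if s.responder_bytes == 0:
        return "no-reply"
    return "completed"


def summarize(sessions: List[Session]) -> Dict[str, Dict[str, int]]:
    """Count sessions per protocol per health label, e.g. {'pop3': {'completed': 1}}."""
    out: Dict[str, Dict[str, int]] = {}
    for s in sessions:
        bucket = out.setdefault(s.proto, {})
        label = classify(s)
        bucket[label] = bucket.get(label, 0) + 1
    return out


if __name__ == "__main__":
    for s in parse_audit_trail(SAMPLE_LOG):
        print(f"{s.timestamp}  {s.proto:5} {s.initiator} -> {s.responder}  "
              f"{s.initiator_bytes}/{s.responder_bytes} bytes  {classify(s)}")
    print(summarize(parse_audit_trail(SAMPLE_LOG)))
```

Run it against a syslog export from the router (or `show logging` output) instead of SAMPLE_LOG; a protocol whose sessions all land in `no-reply` is the one to look at in the inbound ACL and inspect rules, whereas a protocol that shows `completed` sessions is getting through the firewall and the problem lies elsewhere.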
