New Member

ipsec vpn tunnel drop packet for exchange server


I have 2 Windows domains connected via site-to-site VPN. Both sites are using IOS router 1811. Each site has an MS Exchange server. They need to exchange mail via ESMTP. But ip inspect smtp has dropped packets.

I have a link from Microsoft explaining the symptom.

I removed the inspection for smtp/esmtp for outgoing traffic. It worked straight away. But what does ip inspect really inspect? Does this removal downgrade the security?

I once configured an FTP server behind a Cisco router. It needs ip inspect ftp to be enabled on incoming traffic to make passive FTP work.

This ip inspection is a black box. When and how to use it?

Can anybody help?


New Member

Re: ipsec vpn tunnel drop packet for exchange server


Try to put in an access-list allowing SMTP traffic and apply the ACL to the interface.

New Member

Re: ipsec vpn tunnel drop packet for exchange server

Sorry for the late reply.

I have disabled the inspection of SMTP. Cisco SMTP inspection only allows the 7 minimal SMTP commands. MS Exchange uses extended SMTP commands, which are dropped.


This section describes how application inspection works with the Simple Mail Transfer Protocol (SMTP). It includes the following topics:

• Application Inspection

• Sample Configuration

You can use the fixup command to change the default port assignment for SMTP. The command syntax is as follows.

fixup protocol smtp [port[-port]]

The fixup protocol smtp command enables the Mail Guard feature. This restricts mail servers to receiving the seven minimal commands defined in RFC 821, section 4.5.1 (HELO, MAIL, RCPT, DATA, RSET, NOOP, and QUIT). All other commands are rejected.

Microsoft Exchange server does not strictly comply with RFC 821 section 4.5.1, using extended SMTP commands such as EHLO. PIX Firewall will convert any such commands into NOOP commands, which as specified by the RFC, forces SMTP servers to fall back to using minimal SMTP commands only. This may cause Microsoft Outlook clients and Exchange servers to function unpredictably when their connection passes through PIX Firewall.

Use the port option to change the default port assignments from 25. Use the -port option to apply SMTP application inspection to a range of port numbers.

As of Version 5.1 and higher, the fixup protocol smtp command changes the characters in the server SMTP banner to asterisks except for the “2”, “0”, “0” characters. Carriage return (CR) and linefeed (LF) characters are ignored. PIX Firewall Version 4.4 converts all characters in the SMTP banner to asterisks.

I don't know how to bypass it in the IOS router. What I can do is to disable it. It would be appreciated if you know any way to get around it.
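
The filtering described in the quoted documentation, modelled as an added Python example (not Cisco code and not part of the original posts). It assumes the literal reading of that text: any verb outside the seven minimal commands is forwarded as NOOP, and every banner character except '2', '0', CR and LF becomes an asterisk. The session lines and hostnames are constructed.

```python
# Added illustration of the Mail Guard behaviour described in the quoted
# documentation. Assumption: a literal reading of that text, not Cisco code.

# The seven minimal commands of RFC 821 section 4.5.1, as listed in the post.
MINIMAL = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}

def mask_banner(banner: str) -> str:
    """Replace each banner character with '*' except '2', '0', CR and LF."""
    return "".join(c if c in "20\r\n" else "*" for c in banner)

def inspect_client(lines):
    """Filter one client-to-server stream.

    Returns (forwarded_lines, rewritten_verbs). Lines between DATA and the
    terminating "." are message content and are passed through untouched.
    """
    forwarded, rewritten, in_data = [], [], False
    for line in lines:
        if in_data:
            forwarded.append(line)
            in_data = line != "."          # a lone dot ends the message body
            continue
        verb = line.strip().split(" ", 1)[0].upper()
        if verb in MINIMAL:
            forwarded.append(line)
            in_data = verb == "DATA"
        else:
            forwarded.append("NOOP")       # extended verb never reaches the server
            rewritten.append(verb)
    return forwarded, rewritten

# Constructed client stream (not a capture) with two extended verbs.
SESSION = [
    "EHLO mail.site-a.example",
    "STARTTLS",
    "MAIL FROM:<alice@site-a.example>",
    "RCPT TO:<bob@site-b.example>",
    "DATA",
    "Subject: test",
    "",
    "EHLO is just body text here",
    ".",
    "QUIT",
]

if __name__ == "__main__":
    fwd, rewritten = inspect_client(SESSION)
    for before, after in zip(SESSION, fwd):
        print(f"{before!r:40} -> {after!r}")
    print("verbs replaced with NOOP:", rewritten)
    print(repr(mask_banner("220 mx.example ESMTP ready\r\n")))
```

Because the server only ever sees NOOP in place of EHLO, it never advertises its extensions, which matches the symptom in this thread: the Exchange-to-Exchange session breaks with inspection on and works once it is removed.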