Enable SMTP on firewall cisco 1800

andresitotubia — Mon, 11 Mar 2019 19:23:58 GMT

Hi,

I have a printer in my local network and it has a external smtp server for scanner propose.

Yesterday i enable the firewall with the SDM cause i wanted to block URLs. But now im not able to connect to port 25 to the smtp. I tried to clear some config but im not finding where the firewall is blocking the port 25.

Can someone help me

My config

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

service sequence-numbers

hostname xxxx

boot-start-marker

boot-end-marker

security authentication failure rate 3 log

security passwords min-length 6

logging buffered 100200

logging console critical

aaa new-model

aaa authentication login default local

aaa authorization exec default local

aaa session-id common

clock timezone PCTime -3

crypto pki trustpoint TP-self-signed-910902666

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-910902666

revocation-check none

rsakeypair TP-self-signed-910902666

no ip cef

no ip dhcp use vrf connected

ip dhcp excluded-address 192.xxx.xxx.1

ip dhcp excluded-address 192.xxx.xxx.2

ip dhcp excluded-address 192.xxx.xxx.3

ip dhcp excluded-address 192.xxx.xxx.4

ip dhcp excluded-address 192.xxx.xxx.5

ip dhcp excluded-address 192.xxx.xxx.6

ip dhcp excluded-address 192.xxx.xxx.7

ip dhcp excluded-address 192.xxx.xxx.8

ip dhcp excluded-address 192.xxx.xxx.9

ip dhcp excluded-address 192.xxx.xxx.10

ip dhcp pool inetjj

network 192.xxx.xxx.0 255.255.255.0

dns-server xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx

default-router 192.xxx.xxx.1

lease 2

ip domain name yourdomain.com

ip name-server 200.xxx.xxx.xxx

multilink bundle-name authenticated

parameter-map type urlfilter bloqueourl

alert off

source-interface FastEthernet0

allow-mode on

exclusive-domain deny www.youtube.com

exclusive-domain deny www.facebook.com

exclusive-domain deny www.twitter.com

exclusive-domain deny .taringa.net

exclusive-domain deny .rapidshare.com

exclusive-domain deny .megaupload.com

exclusive-domain deny .rojadirecta.com

exclusive-domain deny .justin.tv

exclusive-domain deny .rojadirecta.org

archive

log config

hidekeys

ip tcp synwait-time 10

ip ssh time-out 60

ip ssh authentication-retries 2

class-map type inspect match-any sdm-cls-insp-traffic

match protocol cuseeme

match protocol dns

match protocol ftp

match protocol h323

match protocol https

match protocol icmp

match protocol netshow

match protocol shell

match protocol realmedia

match protocol rtsp

match protocol sql-net

match protocol streamworks

match protocol tftp

match protocol vdolive

match protocol tcp

match protocol udp

class-map type inspect match-all sdm-insp-traffic

match class-map sdm-cls-insp-traffic

class-map type inspect match-any SDM-Voice-permit

match protocol h323

match protocol skinny

match protocol sip

match protocol smtp

match protocol pop3

class-map type inspect match-any sdm-cls-icmp-access

match protocol icmp

match protocol tcp

match protocol udp

class-map type inspect match-all sdm-invalid-src

match access-group 106

class-map type inspect match-all sdm-icmp-access

match class-map sdm-cls-icmp-access

class-map type inspect match-all sdm-protocol-http

match protocol http

match access-group name Bloqueos

policy-map type inspect sdm-permit-icmpreply

class type inspect sdm-icmp-access

inspect

class class-default

pass

policy-map type inspect sdm-inspect

class type inspect sdm-protocol-http

inspect

urlfilter bloqueourl

class type inspect sdm-invalid-src

inspect

class type inspect sdm-insp-traffic

inspect

class type inspect SDM-Voice-permit

inspect

class class-default

pass

policy-map type inspect sdm-permit

class class-default

drop

zone security out-zone

zone security in-zone

zone-pair security sdm-zp-self-out source self destination out-zone

service-policy type inspect sdm-permit-icmpreply

zone-pair security sdm-zp-out-self source out-zone destination self

service-policy type inspect sdm-permit

zone-pair security sdm-zp-in-out source in-zone destination out-zone

service-policy type inspect sdm-inspect

interface FastEthernet0

description $ES_WAN$$ETH-WAN$$FW_OUTSIDE$

ip address xxx.xxx.xxx.xxx 255.255.255.248

ip nat outside

no ip virtual-reassembly

zone-member security out-zone

ip route-cache flow

duplex auto

speed auto

interface BRI0

no ip address

encapsulation hdlc

ip route-cache flow

shutdown

interface FastEthernet1

interface FastEthernet2

interface FastEthernet3

interface FastEthernet4

interface FastEthernet5

switchport access vlan 100

interface FastEthernet6

switchport access vlan 100

interface FastEthernet7

switchport access vlan 100

switchport mode trunk

interface FastEthernet8

switchport access vlan 100

interface ATM0

no ip address

shutdown

no atm ilmi-keepalive

dsl operating-mode auto

interface Vlan1

description $FW_INSIDE$

ip address 1xxx.xxx.xxx.xxx 255.255.254.0

ip nat inside

ip virtual-reassembly

zone-member security in-zone

ip route-cache flow

ip tcp adjust-mss 1452

interface Vlan100

description JJINET$FW_INSIDE$

ip address 1xxx.xxx.xxx.xxx 255.255.255.0

ip nat inside

ip virtual-reassembly

zone-member security in-zone

ip route-cache flow

ip tcp adjust-mss 1452

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 1xxx.xxx.xxx.xxx

ip http server

ip http access-class 23

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

ip nat pool rdesktop 172.xxx.xxx.57 172.xxx.xxx.57 netmask 255.255.255.0 type rotary

ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0 overload

ip nat inside destination list 100 pool rdesktop

ip access-list extended Bloqueos

remark SDM_ACL Category=128

permit ip 192.0.0.0 0.255.255.255 any

permit ip 10.xxx.xxx0 0.0.255.255 any

ip access-list extended SDM_HTTPS

remark SDM_ACL Category=1

permit tcp any any eq 443

ip access-list extended SDM_SHELL

remark SDM_ACL Category=1

permit tcp any any eq cmd

ip access-list extended SDM_SSH

remark SDM_ACL Category=1

permit tcp any any eq 22

access-list 1 remark INSIDE_IF=Vlan1

access-list 1 remark SDM_ACL Category=2

access-list 1 permit 172.18.1.0 0.0.0.255

access-list 100 permit tcp any any eq 3389

access-list 101 remark SDM_ACL Category=4

access-list 101 remark IPSec Rule

access-list 101 permit ip 172.18.1.0 0.0.0.255 172.18.2.0 0.0.0.255

access-list 106 remark SDM_ACL Category=128

access-list 106 permit ip host 255.255.255.255 any

access-list 106 permit ip 127.0.0.0 0.255.255.255 any

access-list 106 permit ip 190.xxx.xxx.56 0.0.0.7 any

access-list 106 permit ip 192.0.0.0 0.255.255.255 any

access-list 106 permit ip 10.xxx.xxx.0 0.0.255.255 any

access-list 106 permit ip host 200.xxx.xxx.149 any (PRINTER HOST)

access-list 106 permit ip any host 200.xxx.xxx.149 (PRINTER HOST)

snmp-server community asaro RO

no cdp run

route-map SDM_RMAP_1 permit 1

match ip address 102

control-plane

banner login ^CCAuthorized access only!

Disconnect IMMEDIATELY if you are not an authorized user!^C

line con 0

transport output telnet

line aux 0

transport output telnet

line vty 0 4

end

Re: Enable SMTP on firewall cisco 1800

fadlouni — Mon, 20 Dec 2010 21:18:01 GMT

Hi.

you have in your voice class:

match protocol smtp

the firewall is actively inspecting smtp, it could be finding something it didn't like in your smtp traffic. so enable:

ip inspect log drop-pkt

then check the router logs for the smtp traffic and see why it's dropping it.

Regards,

Fadi.

Re: Enable SMTP on firewall cisco 1800

cadet alain — Tue, 21 Dec 2010 08:50:27 GMT

Hi,

zone-pair security sdm-zp-in-out source in-zone destination out-zone

service-policy type inspect sdm-inspect

you are applying this policy from in to out and you are inspecting smtp so only return traffic from out to in is allowed.

If you want access from outside then you must apply separate policy for your smtp from out to in.

and get rid of match smtp in your class voice as it will be in a new class now.

Regards.

Alain.

topic Re: Enable SMTP on firewall cisco 1800 in Network Security

Enable SMTP on firewall cisco 1800

Re: Enable SMTP on firewall cisco 1800

Re: Enable SMTP on firewall cisco 1800