https://community.cisco.com/t5/network-security/ios-firewall-configuration-for-pop3/m-p/819366#M958342 <P>Hi,</P><P></P><P>I have configured a Cisco 1841 IOS firewall. All works well except for PoP3 traffic. If I take out the inspect rule applied outbound on the outside interface and the access list applied inbound to the outside interface PoP3 works.</P><P></P><P>So i know for sure my config is wrong.</P><P></P><P>Can someone help pls..</P><P></P><P>Here is my config:</P><P></P><P>ip inspect name firewall ftp</P><P>ip inspect name firewall http</P><P>ip inspect name firewall dns</P><P>ip inspect name firewall tcp router-traffic</P><P>ip inspect name firewall udp router-traffic</P><P>ip inspect name firewall https</P><P>ip inspect name firewall smtp</P><P>ip inspect name firewall ssh</P><P>ip inspect name firewall telnet</P><P>ip inspect name firewall pop3</P><P></P><P>interface FastEthernet0/0</P><P> ip address 192.168.0.1 255.255.255.0</P><P> ip nat inside</P><P></P><P>interface Serial0/0/0</P><P> no ip address</P><P> encapsulation frame-relay IETF</P><P> no ip route-cache cef</P><P> no ip route-cache</P><P> no fair-queue</P><P> frame-relay lmi-type ansi</P><P>!</P><P>interface Serial0/0/0.1 point-to-point</P><P>ip address 99.1.10.11 255.255.252</P><P> ip access-group 100 in</P><P> no ip redirects</P><P> no ip proxy-arp</P><P> ip inspect firewall out</P><P> ip nat outside</P><P></P><P>ip nat inside source list 101 interface Serial0/0/0.1 overload</P><P></P><P>access-list 100 deny ip host 255.255.255.255 any</P><P>access-list 100 deny ip 192.168.0.0 0.0.0.255 any</P><P>access-list 100 permit icmp any any echo-reply</P><P>access-list 100 permit icmp any 192.168.0.0 0.0.0.255 time-exceeded</P><P>access-list 100 permit icmp any 192.168.0.0 0.0.0.255 packet-too-big</P><P>access-list 100 permit icmp any 192.168.0.0 0.0.0.255 traceroute</P><P>access-list 100 permit icmp any 192.168.0.0 0.0.0.255 unreachable</P><P></P><P>access-list 101 permit ip 192.168.0.0 0.0.0.255 any</P><P></P><P></P><P> </P> Wed, 13 Mar 2019 00:52:38 GMT p.holley 2019-03-13T00:52:38Z https://community.cisco.com/t5/network-security/ios-firewall-configuration-for-pop3/m-p/819366#M958342 <P>Hi,</P><P></P><P>I have configured a Cisco 1841 IOS firewall. All works well except for PoP3 traffic. If I take out the inspect rule applied outbound on the outside interface and the access list applied inbound to the outside interface PoP3 works.</P><P></P><P>So i know for sure my config is wrong.</P><P></P><P>Can someone help pls..</P><P></P><P>Here is my config:</P><P></P><P>ip inspect name firewall ftp</P><P>ip inspect name firewall http</P><P>ip inspect name firewall dns</P><P>ip inspect name firewall tcp router-traffic</P><P>ip inspect name firewall udp router-traffic</P><P>ip inspect name firewall https</P><P>ip inspect name firewall smtp</P><P>ip inspect name firewall ssh</P><P>ip inspect name firewall telnet</P><P>ip inspect name firewall pop3</P><P></P><P>interface FastEthernet0/0</P><P> ip address 192.168.0.1 255.255.255.0</P><P> ip nat inside</P><P></P><P>interface Serial0/0/0</P><P> no ip address</P><P> encapsulation frame-relay IETF</P><P> no ip route-cache cef</P><P> no ip route-cache</P><P> no fair-queue</P><P> frame-relay lmi-type ansi</P><P>!</P><P>interface Serial0/0/0.1 point-to-point</P><P>ip address 99.1.10.11 255.255.252</P><P> ip access-group 100 in</P><P> no ip redirects</P><P> no ip proxy-arp</P><P> ip inspect firewall out</P><P> ip nat outside</P><P></P><P>ip nat inside source list 101 interface Serial0/0/0.1 overload</P><P></P><P>access-list 100 deny ip host 255.255.255.255 any</P><P>access-list 100 deny ip 192.168.0.0 0.0.0.255 any</P><P>access-list 100 permit icmp any any echo-reply</P><P>access-list 100 permit icmp any 192.168.0.0 0.0.0.255 time-exceeded</P><P>access-list 100 permit icmp any 192.168.0.0 0.0.0.255 packet-too-big</P><P>access-list 100 permit icmp any 192.168.0.0 0.0.0.255 traceroute</P><P>access-list 100 permit icmp any 192.168.0.0 0.0.0.255 unreachable</P><P></P><P>access-list 101 permit ip 192.168.0.0 0.0.0.255 any</P><P></P><P></P><P> </P> Wed, 13 Mar 2019 00:52:38 GMT https://community.cisco.com/t5/network-security/ios-firewall-configuration-for-pop3/m-p/819366#M958342 p.holley 2019-03-13T00:52:38Z https://community.cisco.com/t5/network-security/ios-firewall-configuration-for-pop3/m-p/819367#M958343 <HTML><HEAD></HEAD><BODY><P></P><P></P><P>This is what I got when I enabled audit-trail for pop3</P><P></P><P>Dec 19 2007 17:50:12.151 UTC: %FW-6-SESS_AUDIT_TRAIL: Stop pop3 session: initiator (192.168.0.134:1503) sent 70 bytes -- responder (99.1.20.2:110) sent 1577 bytes</P><P></P><P>This is the error message the user got on their PC.</P><P></P><P>Your message did not reach some or all of the intended recipients.</P><P> </P><P> Subject: test</P><P> Sent: 12/19/2007 5:51 PM</P><P> </P><P>The following recipient(s) could not be reached:</P><P> </P><P> '<A href="mailto:tom@hotmail.com">tom@hotmail.com</A>' on 12/19/2007 5:51 PM</P><P> 550 5.7.1 &lt;<A href="mailto:tom@hotmail.com">tom@hotmail.com</A>&gt;... Relaying denied. IP name possibly forged [99.1.10.11]</P><P></P><P>99.1.10.11 is the ip address of my router to the public internet.</P><P></P><P></P><P></P><P>Any ideas</P><P></P></BODY></HTML> Wed, 19 Dec 2007 22:12:06 GMT https://community.cisco.com/t5/network-security/ios-firewall-configuration-for-pop3/m-p/819367#M958343 p.holley 2007-12-19T22:12:06Z https://community.cisco.com/t5/network-security/ios-firewall-configuration-for-pop3/m-p/819368#M958344 <HTML><HEAD></HEAD><BODY><P>Also this is for only outgoing emails, incoming works.</P></BODY></HTML> Wed, 19 Dec 2007 22:51:56 GMT https://community.cisco.com/t5/network-security/ios-firewall-configuration-for-pop3/m-p/819368#M958344 p.holley 2007-12-19T22:51:56Z