Enable SMTP on firewall cisco 1800

andresitotubia
Level 1

Hi,

I have a printer on my local network and it uses an external SMTP server for scanning purposes.

Yesterday I enabled the firewall with the SDM because I wanted to block URLs. But now I'm not able to connect to port 25 on the SMTP server. I tried to clear some config, but I'm not finding where the firewall is blocking port 25.

Can someone help me?

My config:

service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname xxxx
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 100200
logging console critical
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
aaa session-id common
clock timezone PCTime -3
!
crypto pki trustpoint TP-self-signed-910902666
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-910902666
revocation-check none
rsakeypair TP-self-signed-910902666
!
!
no ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.xxx.xxx.1
ip dhcp excluded-address 192.xxx.xxx.2
ip dhcp excluded-address 192.xxx.xxx.3
ip dhcp excluded-address 192.xxx.xxx.4
ip dhcp excluded-address 192.xxx.xxx.5
ip dhcp excluded-address 192.xxx.xxx.6
ip dhcp excluded-address 192.xxx.xxx.7
ip dhcp excluded-address 192.xxx.xxx.8
ip dhcp excluded-address 192.xxx.xxx.9
ip dhcp excluded-address 192.xxx.xxx.10
!
ip dhcp pool inetjj
   network 192.xxx.xxx.0 255.255.255.0
   dns-server xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
   default-router 192.xxx.xxx.1
   lease 2
!
!
ip domain name yourdomain.com
ip name-server 200.xxx.xxx.xxx
ip name-server 200.xxx.xxx.xxx
!
multilink bundle-name authenticated
parameter-map type urlfilter bloqueourl
alert off
source-interface FastEthernet0
allow-mode on
exclusive-domain deny www.youtube.com
exclusive-domain deny www.facebook.com
exclusive-domain deny www.twitter.com
exclusive-domain deny .taringa.net
exclusive-domain deny .rapidshare.com
exclusive-domain deny .megaupload.com
exclusive-domain deny .rojadirecta.com
exclusive-domain deny .justin.tv
exclusive-domain deny .rojadirecta.org
!
!
archive
log config
  hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect match-any sdm-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-insp-traffic
match class-map sdm-cls-insp-traffic
class-map type inspect match-any SDM-Voice-permit
match protocol h323
match protocol skinny
match protocol sip
match protocol smtp
match protocol pop3
class-map type inspect match-any sdm-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-invalid-src
match access-group 106
class-map type inspect match-all sdm-icmp-access
match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-protocol-http
match protocol http
match access-group name Bloqueos
!
!
policy-map type inspect sdm-permit-icmpreply
class type inspect sdm-icmp-access
  inspect
class class-default
  pass
policy-map type inspect sdm-inspect
class type inspect sdm-protocol-http
  inspect
  urlfilter bloqueourl
class type inspect sdm-invalid-src
  inspect
class type inspect sdm-insp-traffic
  inspect
class type inspect SDM-Voice-permit
  inspect
class class-default
  pass
policy-map type inspect sdm-permit
class class-default
  drop
!
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-self source out-zone destination self
service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
service-policy type inspect sdm-inspect
!
!
!
interface FastEthernet0
description $ES_WAN$$ETH-WAN$$FW_OUTSIDE$
ip address xxx.xxx.xxx.xxx 255.255.255.248
ip nat outside
no ip virtual-reassembly
zone-member security out-zone
ip route-cache flow
duplex auto
speed auto
!
interface BRI0
no ip address
encapsulation hdlc
ip route-cache flow
shutdown
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
switchport access vlan 100
!
interface FastEthernet6
switchport access vlan 100
!
interface FastEthernet7
switchport access vlan 100
switchport mode trunk
!
interface FastEthernet8
switchport access vlan 100
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
dsl operating-mode auto
!
interface Vlan1
description $FW_INSIDE$
ip address 1xxx.xxx.xxx.xxx 255.255.254.0
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip route-cache flow
ip tcp adjust-mss 1452
!
interface Vlan100
description JJINET$FW_INSIDE$
ip address 1xxx.xxx.xxx.xxx 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip route-cache flow
ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 1xxx.xxx.xxx.xxx
!
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat pool rdesktop 172.xxx.xxx.57 172.xxx.xxx.57 netmask 255.255.255.0 type rotary
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0 overload
ip nat inside destination list 100 pool rdesktop
ip access-list extended Bloqueos
remark SDM_ACL Category=128
permit ip 192.0.0.0 0.255.255.255 any
permit ip 10.xxx.xxx0 0.0.255.255 any
ip access-list extended SDM_HTTPS
remark SDM_ACL Category=1
permit tcp any any eq 443
ip access-list extended SDM_SHELL
remark SDM_ACL Category=1
permit tcp any any eq cmd
ip access-list extended SDM_SSH
remark SDM_ACL Category=1
permit tcp any any eq 22
!
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 172.18.1.0 0.0.0.255
access-list 100 permit tcp any any eq 3389
access-list 101 remark SDM_ACL Category=4
access-list 101 remark IPSec Rule
access-list 101 permit ip 172.18.1.0 0.0.0.255 172.18.2.0 0.0.0.255
access-list 106 remark SDM_ACL Category=128
access-list 106 permit ip host 255.255.255.255 any
access-list 106 permit ip 127.0.0.0 0.255.255.255 any
access-list 106 permit ip 190.xxx.xxx.56 0.0.0.7 any
access-list 106 permit ip 192.0.0.0 0.255.255.255 any
access-list 106 permit ip 10.xxx.xxx.0 0.0.255.255 any
access-list 106 permit ip host 200.xxx.xxx.149 any    (PRINTER HOST)
access-list 106 permit ip any host 200.xxx.xxx.149    (PRINTER HOST)
snmp-server community asaro RO
no cdp run
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address 102
!
!
!
!
control-plane
!
banner login ^CCAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
transport output telnet
line aux 0
transport output telnet
line vty 0 4
!
end

2 Replies

fadlouni
Level 1

Hi.

You have in your voice class:

match protocol smtp

The firewall is actively inspecting SMTP; it could be finding something it didn't like in your SMTP traffic. So enable:

ip inspect log drop-pkt

Then check the router logs for the SMTP traffic and see why it's dropping it.

Regards,

Fadi.

Hi,

zone-pair security sdm-zp-in-out source in-zone destination out-zone
service-policy type inspect sdm-inspect


You are applying this policy from in to out and you are inspecting SMTP, so only return traffic from out to in is allowed.
If you want access from outside, then you must apply a separate policy for your SMTP from out to in.
And get rid of "match smtp" in your voice class, as it will be in a new class now.

Regards.

Alain.
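One way to put the two replies together, as an added example that is not from either reply or from the original poster's config: a dedicated SMTP class limited to the scanner, attached with inspect to the existing in-zone to out-zone policy (the scanner opens the session from inside, so that is where the state is built), smtp removed from the voice class, and drop logging turned on. The ACL name, class-map name and the 192.0.2.50 / 203.0.113.25 addresses are placeholders assumed here.

```cisco
! Added example (not from the thread). Placeholders (constructed):
!   192.0.2.50   = the printer/scanner on the inside VLAN
!   203.0.113.25 = the external SMTP server the scanner sends through
!
! 1. Only the scanner may open SMTP sessions, and only to that server.
ip access-list extended PRINTER-SMTP
 remark scanner -> external SMTP server, nothing else
 permit tcp host 192.0.2.50 host 203.0.113.25 eq smtp
!
! 2. A dedicated class (match-all: the ACL and the protocol must both match).
class-map type inspect match-all PRINTER-SMTP-CLASS
 match access-group name PRINTER-SMTP
 match protocol smtp
! If the logs (step 5) show the SMTP application inspection resetting the
! session, replace the line above with "match protocol tcp" so that only
! Layer 4 state is tracked for this one flow.
!
! 3. Take smtp out of the voice class; it lives in the new class now.
class-map type inspect match-any SDM-Voice-permit
 no match protocol smtp
!
! 4. Inspect the new class on the existing in-zone -> out-zone policy.
!    Classes are evaluated top-down, so this class must sit above the
!    generic sdm-insp-traffic (tcp/udp) class to ever be hit; a class
!    added to an existing policy-map is appended, so remove and re-add
!    the classes that should follow it.
policy-map type inspect sdm-inspect
 class type inspect PRINTER-SMTP-CLASS
  inspect
!
! 5. Log dropped packets, then look for the scanner's session in the logs.
ip inspect log drop-pkt
!
! Verification (exec mode):
!   show policy-map type inspect zone-pair sdm-zp-in-out
!   show logging | include FW-
```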
