smtp not working with " tcp intercept"

m.athif
Level 1

We are noticing a strange problem with "tcp intercept". The outgoing mail SMTP port 25 does not work; the remaining applications work fine.

ip tcp intercept list 101

access-list 101 permit tcp 202.x.x.x any

other parameters are default.

The router is a 7206 VXR running IOS 12.2(13b).
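For comparison with the two configuration lines above, here is an added example of a TCP intercept configuration (not the original poster's, and not from Cisco documentation) written the way the feature is designed to be used: the extended access list names the clients as the source and the servers being protected as the destination, so only inbound connection attempts to those servers are handled. The server range 203.0.113.0/24 (an RFC 5737 documentation prefix) and the threshold values are assumptions for illustration.

```cisco
! Added example, not the original poster's configuration.
! 203.0.113.0/24 (documentation range) stands in for the servers
! being protected; the threshold values below are assumed.
!
! The access list selects which connections TCP intercept handles:
! source = clients (any), destination = protected servers.
! A list whose destination is "any" would instead match every
! TCP session leaving the source range.
access-list 110 permit tcp any 203.0.113.0 0.0.0.255
!
! Apply the list to the intercept feature.
ip tcp intercept list 110
!
! Watch mode passes the SYN through and only resets connections
! that remain half-open past watch-timeout; intercept mode (the
! default) proxies every handshake matched by the list.
ip tcp intercept mode watch
ip tcp intercept watch-timeout 20
!
! Aggressive-mode thresholds: once half-open connections exceed
! the high mark, incomplete connections are dropped until the
! count falls to the low mark.
ip tcp intercept max-incomplete high 1100
ip tcp intercept max-incomplete low 900
ip tcp intercept one-minute high 1100
ip tcp intercept one-minute low 900
ip tcp intercept drop-mode oldest
```

After applying it, `show tcp intercept statistics` reports how many connections have been intercepted, completed or dropped, and `show tcp intercept connections` lists the half-open and established sessions the feature is tracking; those two commands are the quickest way to confirm that only the intended destination traffic is being matched.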

4 Replies

m.athif
Level 1

Lately we observed that even POP3 (port 110) has a problem. A few sites report HTTP issues, with the browser just showing "opening the page" and nothing appearing. Once we remove intercept everything works fine.

A few more inputs on the setup. We have hundreds of remote sites which come in on private IPs, get NATed at the 7206 router and access the internet. Of late we are noticing a lot of SYN attacks at the router and the CPU going to 100%; that is the reason we thought of having TCP intercept implemented.

Well, I work for a web hosting company and we get the same kind of SYN attacks. The same symptoms... CPU % maxes out... TCP intercept will NOT help you with this. We tried... We turned on Turbo ACL but it doesn't really help much either. I suggest opening a case with the TAC and they will help you to discover if you can prevent this from happening. From experience, you'll just have to wait it out...

FYI, we have two 7206 VXRs at our border with NPE-400s... we just got a 7206 VXR with an NPE-G1 but have not had a chance to put it up against a SYN attack yet. Good luck...

You can contact me if you want to and I can give you a point of contact at Cisco (that I have worked with) to help get you started.

The problem is I cannot create a TAC case; I have the option of only using the open forum with my ID. Please let me know how you have handled the SYN attacks; your suggestions would be highly appreciated.

Well, you can always contact your ISP and try to convince them to place a filter at their end. Not at the other end of the link, though (that would just tie up the router at the other end of your link), but rather somewhere else in their network that would filter the offending address range yet allow you to still pass other traffic back and forth. (BTW, this is the exact info I got from the TAC as well.) Good luck.
