Access to Microsoft SMTP server breaks via my Cisco 837

localgareth
Level 1

Hi

I cannot authenticate with my Microsoft SMTP server when traffic flows through my 837 router.

I've found the 'no fixup protocol smtp 25' command, which seems only to be appropriate for PIX.

Is there an equivalent for my router?

Any info much appreciated.

Thanks

Gareth

6 Replies

jackko
Level 7

are you using outlook trying to connect to exchange server from the internet? if so, you need to configure an acl permitting tcp port 143 as well as a static statement.

e.g.

ip nat inside source static tcp 143 143

access-list 111 permit tcp any host eq 143

however, may i suggest that this setup is not very secure. i would either set up remote vpn access on the router (remote user connects to exchange server via ipsec tunnel) or set up owa.

Hi Guys

Thanks for the messages. I'm collecting email via POP3 from Outlook clients, which works fine, it's the authentication for outgoing SMTP that fails. Relaying through a server that requires no authentication works fine.

I've got...

ip inspect name DEF-INSPECT smtp

... and on my dialer....

ip inspect DEF-INSPECT out

I'm a bit of a newbie, sorry if this post is unclear.

Just try to remove the ip inspect name DEF-INSPECT smtp command and test if it works.

Vincent

Hi Vincent

Thanks for the reply. I'll give that a try.

If I telnet to my mailserver on port 25 that sits on the internet, and issue a command that isn't (HELO, MAIL, RCPT, DATA, RSET, NOOP or QUIT), I should just see an 'OK' yeah?

Once I remove the "ip inspect name DEF-INSPECT smtp" command, I should get no OK message when I issue commands that are not part of the above set (RFC821)?

Thanks

Gareth
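
Added example, not part of the thread: a small Python model of why authenticated submission is the case that breaks while plain relay works, assuming an inspection engine that passes only the command set listed in the post above (it does not reproduce the router's actual behaviour). Both transcripts are constructed and abridged; `rejected_verbs`, `RELAY` and `AUTHENTICATED` are names made up for this sketch.

```python
# Added illustration, not from the thread. ALLOWED is the command set listed
# in the post above; an inspector passing only that set is the assumption.
ALLOWED = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}

def rejected_verbs(transcript):
    """Return client verbs outside ALLOWED. Lines start "C: " or "S: "."""
    # Client lines answering a 334 challenge or inside a DATA body are payload.
    rejected, in_data, challenged, last = [], False, False, None
    for raw in transcript.strip().splitlines():
        side, line = raw[0], raw[3:]
        if side == "S":
            challenged = line.startswith("334")
            in_data = in_data or (line.startswith("354") and last == "DATA")
        elif in_data:
            in_data = line != "."      # a lone dot ends the message body
        elif challenged:
            challenged = False         # base64 credential line, skip it
        elif line.split():
            last = line.split()[0].upper()
            if last not in ALLOWED:
                rejected.append(last)
    return rejected

# Constructed sample: unauthenticated relay (the case that works in the thread).
RELAY = """
C: HELO client.example.test
S: 250 mail.example.test
C: MAIL FROM:<a@example.test>
S: 250 OK
C: RCPT TO:<b@example.test>
S: 250 OK
C: DATA
S: 354 Send message
C: AUTH is only body text here
C: .
C: QUIT"""

# Constructed sample: authenticated submission (the case that fails).
AUTHENTICATED = """
C: EHLO client.example.test
S: 250-mail.example.test
S: 250 AUTH LOGIN
C: AUTH LOGIN
S: 334 VXNlcm5hbWU6
C: dXNlcg==
S: 334 UGFzc3dvcmQ6
C: cGFzcw==
S: 235 Authentication successful
C: QUIT"""
```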

vvandriel
Level 1

Hi,

Assuming you are running an IOS firewall image and have CBAC setup, you should look for the following:

-ip inspect name anyname smtp timeout 3600

This would also require the inspection named 'anyname' applied to the inside interface.

interface Ethernet0/0

ip inspect anyname in

..

Simply entering 'no ip inspect name anyname smtp' turns off SMTP inspection.

If you are not running the above setup, my best guess is that you are hitting an ACL or a NAT issue as described by jackko.

Vincent

paddyxdoyle
Level 6

I came across a similar problem last week. Looking through the forum, I found out that there is a bug on certain versions of IOS that prevents external hosts accessing internal when running CBAC (ip inspect).

This may not be relevant to you but might be worth a look

Have a look here:

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=General&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.eeaac11/0#selected_message

and here:

http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCec78231&Submit=Search

HTH

Paddy