cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1104
Views
5
Helpful
7
Replies

Disable SMTP inspection on ISR

frenaud3
Level 1
Level 1

We have an ISR4321 router and connecting to an SMTP server on port 25 returns a "220 **********" banner and seems to mess with the traffic. I see instructions on how to disable SMTP fixup on ASA firewalls, but nothing for ISR routers. How do we disable SMTP inspection on an ISR4321 router?

7 Replies 7

balaji.bandi
Hall of Fame
Hall of Fame

Since we do not have your configuration, can you post the configuration, by default nothing block. but we can only confirm is this from ISR or from outside ?

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

See below config. This is from internal (192.168.1.x) trying to connect to external SMTP server

 


!
! Last configuration change at 11:45:46 MDT Wed Mar 6 2019 by admin
! NVRAM config last updated at 11:11:11 MDT Wed Mar 6 2019 by admin
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
no platform punt-keepalive disable-kernel-core
!
hostname HBRT01
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
!
no aaa new-model
clock timezone MDT -6 0
!
!
!
!
!
!
!
!
!
!
!


ip name-server 8.8.8.8 8.8.4.4

ip dhcp excluded-address 192.168.48.1 192.168.50.50
!
ip dhcp pool PUBLIC
network 192.168.48.0 255.255.248.0
default-router 192.168.50.1
dns-server 8.8.8.8 8.8.4.4
lease 30
!
!
!
!
!
!
!
!
!
!
subscriber templating
multilink bundle-name authenticated
!
!
!
!
!
spanning-tree extend system-id
!
!
redundancy
mode none
!
!
vlan internal allocation policy ascending
!
lldp run
!
!
!
!
!
interface GigabitEthernet0/0/0
no ip address
negotiation auto
!
interface GigabitEthernet0/0/0.1
description CORP
encapsulation dot1Q 1 native
ip address 192.168.1.1 255.255.252.0
ip nat inside
no ip virtual-reassembly
!
interface GigabitEthernet0/0/0.50
description PUBLIC
encapsulation dot1Q 50
ip address 192.168.50.1 255.255.248.0
ip nat inside
ip access-group 101 in
!
interface GigabitEthernet0/0/0.65
description RADIOS
encapsulation dot1Q 65
ip address 10.65.66.254 255.255.255.0
ip nat inside
!
interface GigabitEthernet0/0/1
ip address 172.16.3.2 255.255.255.252 secondary
ip address XXX.XXX.XXX.XXX 255.255.255.248
ip nat outside
negotiation auto
ip virtual-reassembly
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
shutdown
negotiation auto
!
interface Vlan1
no ip address
shutdown
!
no ip nat service sip tcp port 5060
no ip nat service sip udp port 5060
ip nat pool PUBLIC-NAT XXX.XXX.XXX.XXX XXX.XXX.XXX.X netmask 255.255.255.248
ip nat inside source list 50 pool PUBLIC-NAT overload
ip nat inside source list 100 interface GigabitEthernet0/0/1 overload
ip forward-protocol nd
no ip http server
no ip http secure-server
ip tftp source-interface GigabitEthernet0/0/0.1
ip route 0.0.0.0 0.0.0.0 204.57.127.1
ip route 10.0.10.0 255.255.255.0 172.16.3.1
ip route 10.0.11.0 255.255.255.0 172.16.3.1
ip route 10.0.20.0 255.255.255.0 172.16.3.1
ip route 10.0.21.0 255.255.255.0 172.16.3.1
ip route 10.10.10.0 255.255.255.0 172.16.3.1
!
!
access-list 50 permit 192.168.48.0 0.0.7.255
access-list 100 deny ip 192.168.0.0 0.0.3.255 10.0.10.0 0.0.0.255
access-list 100 deny ip 192.168.0.0 0.0.3.255 10.0.11.0 0.0.0.255
access-list 100 deny ip 192.168.0.0 0.0.3.255 10.0.20.0 0.0.0.255
access-list 100 deny ip 192.168.0.0 0.0.3.255 10.0.21.0 0.0.0.255
access-list 100 deny ip 192.168.0.0 0.0.3.255 10.10.10.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.3.255 any
access-list 101 deny ip 192.168.48.0 0.0.7.255 192.168.0.0 0.0.3.255
access-list 101 deny ip 192.168.48.0 0.0.7.255 10.65.66.0 0.0.0.255
access-list 101 permit ip any any
access-list 101 remark BLOCK-INTER-VLAN-ROUTING
!
snmp-server community public RO enable
!
!
control-plane
!
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
login local
transport input ssh
line vty 5 15
no login
transport input none
!
ntp server 192.168.1.5
!
end

as per the config on high level  i do not see you have anything which you have mentioned in the past post.

 

can you tell in the path what other device connected ?

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

There is nothing else special connected. The router is connected directly to a switch with a few vLANs on the LAN side and directly to the modem on the WAN side.

 

We are experiencing symptoms similar to this:

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113423-asa-esmtp-smtp-inspection.html

This proves that either ISP side ot Far end having issue. so suggest to contact remote end about the issue, so they can make changes as per your requirement if they can.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Alan Ng'ethe
Level 3
Level 3

This could be happening at the remote end. There is nothing in the posted config that would be causing this.

Remember to rate helpful posts and/or mark as a solution if your issue is resolved.

Hello,

 

what mail/SMTP server are you connecting to ?

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: