
Cisco 871 SMTP portforward, ESMTP banner/greeting


evob (IS-IT--Management, NL), Apr 16, 2008
Hi all,

I have a Cisco 871 router which I am using as a backup router for my Exchange 2003 server.
I did set up an SMTP port forward to the Exchange server.

I verified on grc.com's ShieldsUP that port 25 is open.
Also I can ping my (fake) WAN IP 12.123.123.123 that is configured on FastEthernet4.

When I try telnet to test port 25 I don't get the SMTP banner, and after a time the connection times out.
After 2 days of looking at the config I don't know what to do next.

Thanks,

evob


(fake IPs)

CISCO
WAN: 12.123.123.123
LAN: 10.31.32.254

EXCHANGE
LAN: 10.31.32.10
GATEWAY: 10.31.32.254

This is the 871 config:

--------------
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname router
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5 ghv56n6m68jbklm/
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
aaa authorization network sdm_vpn_group_ml_2 local
aaa authorization network sdm_vpn_group_ml_3 local
!
aaa session-id common
!
resource policy
!
clock timezone PCTime 1
clock summer-time PCTime date bla bla
ip subnet-zero
no ip source-route
ip cef
!
!
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name domain.com
ip name-server 123.12.12.12
ip ssh time-out 60
ip ssh authentication-retries 2
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 isakmp
ip inspect name DEFAULT100 ipsec-msft
!
!
crypto pki trustpoint TP-self-signed-37082852
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-37082852
revocation-check none
rsakeypair TP-self-signed-37082852
!
username admin privilege 15 secret 5 $8rouhge80gen08)N*0n.
!
!
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
bridge irb
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $FW_OUTSIDE$$ES_WAN$
ip address 12.123.123.123 255.255.255.248
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect DEFAULT100 in
ip inspect DEFAULT100 out
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 10.31.32.254 255.255.255.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1412
!
ip classless
ip route 0.0.0.0 0.0.0.0 12.123.123.202
!
!
no ip http server
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 2 interface FastEthernet4 overload
ip nat inside source static tcp 10.31.32.10 25 interface FastEthernet4 25
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=1
access-list 1 permit 10.31.32.0 0.0.0.255
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 10.31.32.0 0.0.0.255
access-list 100 remark SDM_ACL Category=1
access-list 100 permit ip 10.31.32.0 0.0.0.255 any
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark SDM_ACL Category=19
access-list 101 permit tcp any host 12.123.123.123 eq smtp
access-list 101 permit ip 10.31.32.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 permit icmp any any echo
access-list 102 remark SDM_ACL Category=4
access-list 102 permit ip host 10.31.32.10 any
access-list 103 permit tcp any any eq 22 log
no cdp run
!
route-map SDM_RMAP_1 permit 1
match ip address 101
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login ^CCCAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
no modem enable
transport output telnet
line aux 0
transport output telnet
line vty 0 4
access-class 103 in
terminal-type ssh
transport preferred ssh
transport input telnet ssh
transport output none
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
 
ip inspect name DEFAULT100 smtp
int fa4
no ip inspect DEFAULT100 in

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!

Hi burtsbees,

I followed your instructions but it ain't working yet. :(
 
What is this for...

access-list 101 permit ip 10.31.32.0 0.0.0.255 any

???

it is backwards!

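An added example, not from the thread: a small Python evaluator for the posted access-list 101 that applies Cisco's first-match rule. It shows what that second line does on an ACL applied inbound on the outside interface: a packet arriving from the Internet with a forged 10.31.32.x source is permitted by line 2 before the deny for 10.0.0.0/8 on line 6 is ever reached, while the SMTP permit and the implicit deny behave as expected. The `spoof_gaps` audit, the port keyword table and the probe addresses (203.0.113.x and 198.51.100.1, documentation ranges) are my own constructions, not part of the original post.

```python
import ipaddress

# ACL 101 exactly as posted in the thread (remark lines omitted), one ACE per line.
ACL_101_TEXT = """
permit tcp any host 12.123.123.123 eq smtp
permit ip 10.31.32.0 0.0.0.255 any
permit icmp any any echo-reply
permit icmp any any time-exceeded
permit icmp any any unreachable
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip host 255.255.255.255 any
permit icmp any any echo
"""

def _addr(tok):  # 'any' | 'host A' | 'A WILDCARD' -> (IPv4Network, remaining tokens)
    if tok[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.IPv4Network(tok[1]), tok[2:]
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(tok[1])))  # wildcard = inverted mask
    return ipaddress.IPv4Network((tok[0], str(netmask)), strict=False), tok[2:]
def _port(tok):  # optional 'eq PORT' (IOS keyword or number) -> (int port or None, remaining tokens)
    return ({"smtp": 25, "ssh": 22, "www": 80}.get(tok[1]) or int(tok[1]), tok[2:]) if tok[:1] == ["eq"] else (None, tok)
def parse_acl(text):  # extended ACE: action proto src [eq port] dst [eq port] [icmp-type]
    acl = []
    for line in filter(None, map(str.strip, text.splitlines())):
        action, proto, *tok = line.split()
        src, tok = _addr(tok); sport, tok = _port(tok)
        dst, tok = _addr(tok); dport, tok = _port(tok)
        acl.append(dict(action=action, proto=proto, src=src, sport=sport, dst=dst,
                        dport=dport, icmp_type=tok[0] if tok else None, text=line))
    return acl

def evaluate(acl, pkt):  # first match wins -> (action, ACE number, ACE text); implicit deny at the end
    a = ipaddress.IPv4Address
    for n, ace in enumerate(acl, 1):
        if (ace["proto"] in ("ip", pkt["proto"]) and a(pkt["src"]) in ace["src"] and a(pkt["dst"]) in ace["dst"]
                and all(ace[k] in (None, pkt.get(k)) for k in ("sport", "dport", "icmp_type"))):
            return ace["action"], n, ace["text"]
    return "deny", len(acl) + 1, "implicit deny"

def spoof_gaps(acl, inside_nets):  # inbound-on-outside ACL: inside prefixes a permit reaches before the deny
    probes = [{"proto": "tcp", "src": str(n.network_address + 1), "dst": "198.51.100.1", "dport": 80}
              for n in map(ipaddress.IPv4Network, inside_nets)]  # constructed: forged inside source, from outside
    return [(p["src"], *evaluate(acl, p)[1:]) for p in probes if evaluate(acl, p)[0] == "permit"]

ACL_101 = parse_acl(ACL_101_TEXT)
```

Running `spoof_gaps(ACL_101, ["10.31.32.0/24"])` reports the LAN prefix as permitted at ACE 2, which is the ordering problem the reply points at; a prefix such as 192.168.1.0/24 falls through to its deny and is not reported.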