
Known working code fails on new router


creeping666 (Technical User, NZ), Jan 21, 2009
Hi, I am having trouble locking down inbound SMTP traffic to a group of IP addresses. The issue is: previously I have successfully used the same code (see below) on about six routers, but for some reason the code does not work on the new router.

The only difference I can think of is that the new router came with an Advanced Security license and I entered a .lic to upgrade it to Advanced IP Services.


Output of the sh lic command:
Code:
Index 1 Feature: advipservices
        Period left: Life time
        License Type: Permanent
        License State: Active, In Use
        License Priority: Medium
Index 2 Feature: advsecurity
        Period left: Life time
        License Type: Permanent
        License State: Active, Not in Use
        License Priority: Medium



Router with issue:
model = 887
version = (C880DATA-UNIVERSALK9-M), Version 12.4(22)YB2


Six routers with same code that work:
model = 877 & 881
version = (C870-ADVIPSERVICESK9-M), Version 12.4(24)T1



Port forward and lockdown code:
Code:
object-group network SMX_EMAIL_SERVERS
 range 203.84.134.0 203.84.135.255
 range 113.197.64.0 113.197.67.255
exit

ip access-list extended EMAIL_SERVER
 permit ip any host 192.168.35.10
exit

ip access-list extended TRAFFIC_FROM_SMX
 permit ip object-group SMX_EMAIL_SERVERS any
exit

class-map type inspect match-all SMTP_FROM_SMX
 match protocol smtp extended
 match access-group name TRAFFIC_FROM_SMX
exit

class-map type inspect match-any EMAIL_TRAFFIC_IN
 match class-map SMTP_FROM_SMX
 match protocol https
exit

class-map type inspect match-all EMAIL_IN
 match class-map EMAIL_TRAFFIC_IN
 match access-group name EMAIL_SERVER
exit

policy-map type inspect INTERNET-TO-VLAN1
 class type inspect EMAIL_IN
  inspect
 exit
exit

ip nat inside source static tcp 192.168.35.10 25 interface Dialer0 25
ip nat inside source static tcp 192.168.35.10 443 interface Dialer0 443


If I make the following change then email is received fine:

Code:
class-map type inspect match-any EMAIL_TRAFFIC_IN
 match class-map SMTP_FROM_SMX
 match protocol https
exit

to:

class-map type inspect match-any EMAIL_TRAFFIC_IN
 match protocol smtp extended
 match protocol https
exit


It's almost like when I take out the part of the code that needs the Advanced IP Services license (the "object-group" command) everything works fine, but with it, no email is received.

Any ideas? Is there some part of the license activation I have missed or something? I will post whole config if needed.

Thanks.
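To see what the workaround actually changes in the firewall policy, here is an added example (not the poster's code and not Cisco code) that parses the object-group, ACL and class-map lines from the post and evaluates the nested match-all / match-any logic for a constructed flow. It assumes the class-maps see the inside address 192.168.35.10 after the static NAT, as the EMAIL_SERVER ACL implies, and it models only the constructs used in the post. The flows and the non-SMX source address are constructed. The point it demonstrates: with the original config, SMTP to the mail host is only inspected (and therefore only allowed) from the two SMX ranges, while the workaround removes that source check and lets SMTP from any Internet address reach the host.

```python
"""Offline model of the nested inspect class-maps from the Tek-Tips post.

Hypothetical helper written for this page; it is not Cisco IOS code and only
models object-group ranges, 'permit ip' ACL entries, and 'match protocol',
'match access-group name' and 'match class-map' statements.
"""
import ipaddress

# Config text copied from the post (policy-map and NAT lines are not modelled).
ORIGINAL_CONFIG = """\
object-group network SMX_EMAIL_SERVERS
 range 203.84.134.0 203.84.135.255
 range 113.197.64.0 113.197.67.255
exit
ip access-list extended EMAIL_SERVER
 permit ip any host 192.168.35.10
exit
ip access-list extended TRAFFIC_FROM_SMX
 permit ip object-group SMX_EMAIL_SERVERS any
exit
class-map type inspect match-all SMTP_FROM_SMX
 match protocol smtp extended
 match access-group name TRAFFIC_FROM_SMX
exit
class-map type inspect match-any EMAIL_TRAFFIC_IN
 match class-map SMTP_FROM_SMX
 match protocol https
exit
class-map type inspect match-all EMAIL_IN
 match class-map EMAIL_TRAFFIC_IN
 match access-group name EMAIL_SERVER
exit
"""

# The poster's workaround: EMAIL_TRAFFIC_IN matches smtp directly instead of
# via SMTP_FROM_SMX, so the source-range ACL drops out of the match path.
WORKAROUND_CONFIG = ORIGINAL_CONFIG.replace(
    " match class-map SMTP_FROM_SMX\n", " match protocol smtp extended\n")


def parse(config):
    """Return (object_groups, acls, class_maps) from IOS-style config text."""
    groups, acls, cmaps = {}, {}, {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "exit":
            current = None
            continue
        if line.startswith("object-group network "):
            current = groups.setdefault(line.split()[-1], [])
        elif line.startswith("ip access-list extended "):
            current = acls.setdefault(line.split()[-1], [])
        elif line.startswith("class-map type inspect "):
            _, _, _, mode, name = line.split()
            current = cmaps.setdefault(name, {"mode": mode, "matches": []})
        elif current is None:
            continue  # a line outside any block we model is skipped
        elif isinstance(current, dict):
            current["matches"].append(line.split())  # class-map match line
        else:
            current.append(line.split())  # 'range' or 'permit' line
    return groups, acls, cmaps


def _addr_matches(spec, addr, groups):
    """spec starts with 'any', 'host X' or 'object-group G'; returns (hit, tokens used)."""
    if spec[0] == "any":
        return True, 1
    if spec[0] == "host":
        return ipaddress.ip_address(spec[1]) == addr, 2
    if spec[0] == "object-group":
        for _, lo, hi in groups[spec[1]]:
            if ipaddress.ip_address(lo) <= addr <= ipaddress.ip_address(hi):
                return True, 2
        return False, 2
    raise ValueError("unsupported address spec: %r" % spec)


def acl_permits(acl, src, dst, groups):
    """First matching 'permit ip' entry wins; no match is the implicit deny."""
    for entry in acl:
        if entry[:2] != ["permit", "ip"]:
            continue
        src_ok, used = _addr_matches(entry[2:], src, groups)
        dst_ok, _ = _addr_matches(entry[2 + used:], dst, groups)
        if src_ok and dst_ok:
            return True
    return False


def class_matches(name, flow, groups, acls, cmaps):
    """Evaluate a class-map recursively: match-all is AND, match-any is OR."""
    cmap = cmaps[name]
    results = []
    for m in cmap["matches"]:
        if m[1] == "protocol":
            results.append(m[2] == flow["proto"])
        elif m[1] == "access-group":
            results.append(acl_permits(acls[m[3]], flow["src"], flow["dst"], groups))
        elif m[1] == "class-map":
            results.append(class_matches(m[2], flow, groups, acls, cmaps))
    return all(results) if cmap["mode"] == "match-all" else any(results)


def email_in_matches(config, src, dst, proto):
    """True if the flow would hit class EMAIL_IN (and so be inspected/allowed)."""
    groups, acls, cmaps = parse(config)
    flow = {"src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "proto": proto}
    return class_matches("EMAIL_IN", flow, groups, acls, cmaps)


if __name__ == "__main__":
    # Constructed flows: one SMX relay address, one address outside the ranges.
    for label, cfg in (("original", ORIGINAL_CONFIG), ("workaround", WORKAROUND_CONFIG)):
        for src in ("203.84.134.7", "198.51.100.9"):
            print(label, src, "smtp ->", email_in_matches(cfg, src, "192.168.35.10", "smtp"))
```

Running it shows SMTP from 198.51.100.9 is not matched by EMAIL_IN under the original config but is matched under the workaround; HTTPS is matched from any source in both, which is what the config intends. So the workaround gets mail flowing only by exposing port 25 on the mail host to every source, and the EMAIL_SERVER ACL still limits the destination to the one host. That is the risk to weigh while the object-group behaviour on the 887 is being resolved.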