Mango-Man


How to Disable SMTP & ESMTP Packet Inspection on a Cisco Box

Hi all,

I have a problem, I have the solution but I don't know how to implement it!

Essentially we have a Cisco router causing the much documented "500 Firewall Error" preventing some outbound SMTP traffic from Microsoft Exchange.

From what I can see on the hundreds of pages online about this, the solution is to disable the outbound SMTP and/or ESMTP packet inspection via the CLI using the command:

no ip inspect name esmtp

Unfortunately, not a single one tells you how to get to the correct point in the CLI to use this command or how to find out the interface name - I've tried all sorts of variations but I'm getting nowhere.

Any help would be much appreciated!

Bob
ASKER CERTIFIED SOLUTION
Jody Lemoine
Mango-Man

ASKER

Hi Jody,

Many thanks - that "show run int x" was all I needed!!

For any UC500, UC520 or UC540 users, you simply need to do the following via the CLI (telnet, etc.):

Enter the following command when in privileged mode but NOT in config mode:

show run int FastEthernet0/0

This will give you a response like the following:

Building configuration...

Current configuration : 309 bytes
!
interface FastEthernet0/0
 description $FW_OUTSIDE$
 ip address 69.57.240.34 255.255.255.252
 ip access-group 104 in
 ip nat outside
 ip inspect SDM_MEDIUM out
 ip virtual-reassembly in
 duplex auto
 speed auto
 service-policy input sdmappfwp2p_SDM_MEDIUM
 service-policy output sdmappfwp2p_SDM_MEDIUM
end


Then based on the emboldened element in the output above, you enter the following when IN CONFIG mode (enter config t to enter configuration mode):

no ip inspect name SDM_MEDIUM esmtp

You won't get confirmation; you should get no response (no error), which in Cisco-land is a good thing.

Thanks again Jody

Bob
Hey Bob:

Glad I could help.  Just for reference's sake, it wasn't the service-policy portion of the interface configuration that was important, but the ip inspect statement.

interface FastEthernet0/0
 description $FW_OUTSIDE$
 ip address 69.57.240.34 255.255.255.252
 ip access-group 104 in
 ip nat outside
 ip inspect SDM_MEDIUM out
 ip virtual-reassembly in
 duplex auto
 speed auto
 service-policy input sdmappfwp2p_SDM_MEDIUM
 service-policy output sdmappfwp2p_SDM_MEDIUM
end
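
The lookup worked out in this thread, as an added example that is not part of either post and is not Cisco's code: a Python script that reads a saved running-config, finds which `ip inspect` rule is bound to an interface, and lists the `no ip inspect name ...` commands for SMTP/ESMTP on those rules only. The global `ip inspect name` lines, `LAB_RULE` and `Vlan1` in the sample are constructed, since the thread shows only the interface block.

```python
import re

# Constructed sample: interface lines from the thread plus hypothetical
# global "ip inspect name" lines, LAB_RULE and Vlan1 (not shown in the thread).
SAMPLE_CONFIG = """\
ip inspect name SDM_MEDIUM dns
ip inspect name SDM_MEDIUM esmtp
ip inspect name LAB_RULE smtp
!
interface FastEthernet0/0
 description $FW_OUTSIDE$
 ip nat outside
 ip inspect SDM_MEDIUM out
 service-policy output sdmappfwp2p_SDM_MEDIUM
!
interface Vlan1
 ip nat inside
!
"""

RULE_RE = re.compile(r"^ip inspect name (\S+) (\S+)")      # global rule entry
IFACE_RE = re.compile(r"^interface (\S+)")                 # start of a block
APPLY_RE = re.compile(r"^ ip inspect (\S+) (in|out)\s*$")  # rule bound to interface
MAIL_PROTOCOLS = ("smtp", "esmtp")


def parse_inspection(config):
    """Return (protocols per rule name, [(interface, rule, direction), ...])."""
    rules, bindings, iface = {}, [], None
    for line in config.splitlines():
        if m := RULE_RE.match(line):
            rules.setdefault(m.group(1), set()).add(m.group(2))
        elif m := IFACE_RE.match(line):
            iface = m.group(1)
        elif not line.startswith(" "):
            iface = None  # unindented line: the interface block has ended
        elif iface and (m := APPLY_RE.match(line)):
            bindings.append((iface, m.group(1), m.group(2)))
    return rules, bindings


def mail_inspection_removals(config):
    """Config-mode commands removing SMTP/ESMTP inspection from applied rules."""
    rules, bindings = parse_inspection(config)
    applied = sorted({rule for _, rule, _ in bindings})
    return [f"no ip inspect name {name} {proto}"
            for name in applied for proto in MAIL_PROTOCOLS
            if proto in rules.get(name, ())]
```

Calling `mail_inspection_removals(SAMPLE_CONFIG)` skips `LAB_RULE` because no interface references it, so only the rule actually inspecting traffic is changed.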