URL: https://www.opennet.me/cgi-bin/openforum/vsluhboard.cgi
Forum: vsluhforumID6
Thread number: 16168

Original message
"ip inspection"

Posted by Technocrat, 01-May-08 11:37
There is a Cisco 2811 that does not pass ESMTP protocol commands (it replaces them with xxxx).
How can this feature be disabled?
show ip inspection all outputs nothing.

Contents

Messages in this thread
"ip inspection"
Posted by CrAzOiD, 01-May-08 17:55
>There is a Cisco 2811 that does not pass ESMTP protocol commands (it replaces them with xxxx).
>
>How can this feature be disabled?
>show ip inspection all outputs nothing.

There is no such command.
There is sh ip inspect all.
Show us how you have it configured.


"ip inspection"
Posted by Technocrat, 02-May-08 23:01
>There is no such command.
>There is sh ip inspect all.

Sorry, I wrote it wrong. sh ip inspect all outputs nothing.
>Show us how you have it configured.

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ARS
!
boot-start-marker
boot-end-marker
!
logging buffered 10000
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization console
!
!
aaa session-id common
clock timezone MSK 3
clock summer-time MSK recurring last Sun Mar 2:00 last Sun Oct 3:00
!
!
ip cef
!
!
ip port-map user-200 port tcp 200 description for koras
ip port-map user-map port tcp 1233 list 2 description map
ip port-map user-dipost port tcp 225
ip port-map user-quik port tcp 15100 description QUIK
ip port-map user-frsd port tcp 8443 description Frsd-Cabinet
ip port-map user-its port tcp 1911 description ITS
ip domain name ars
ip name-server 217.30.243.130
ip name-server 83.69.115.34
ip ssh authentication-retries 5
ip ssh source-interface FastEthernet0/1
ip ssh rsa keypair-name ars
!
multilink bundle-name authenticated
parameter-map type protocol-info msn-servers
server name messenger.hotmail.com
server name gateway.messenger.hotmail.com
server name webmessenger.msn.com

parameter-map type protocol-info aol-servers
server name login.oscar.aol.com
server name toc.oscar.aol.com
server name oam-d09a.blue.aol.com

parameter-map type protocol-info yahoo-servers
server name scs.msg.yahoo.com
server name scsa.msg.yahoo.com
server name scsb.msg.yahoo.com
server name scsc.msg.yahoo.com
server name scsd.msg.yahoo.com
server name cs16.msg.dcn.yahoo.com
server name cs19.msg.dcn.yahoo.com
server name cs42.msg.dcn.yahoo.com
server name cs53.msg.dcn.yahoo.com
server name cs54.msg.dcn.yahoo.com
server name ads1.vip.scd.yahoo.com
server name radio1.launch.vip.dal.yahoo.com
server name in1.msg.vip.re2.yahoo.com
server name data1.my.vip.sc5.yahoo.com
server name address1.pim.vip.mud.yahoo.com
server name edit.messenger.yahoo.com
server name messenger.yahoo.com
server name http.pager.yahoo.com
server name privacy.yahoo.com
server name csa.yahoo.com
server name csb.yahoo.com
server name csc.yahoo.com

!
!
class-map type inspect match-any SDM_HTTPS
match access-group name SDM_HTTPS
class-map type inspect match-any SDM_SSH
match access-group name SDM_SSH
class-map type inspect match-any SDM_SHELL
match access-group name SDM_SHELL
class-map type inspect match-any sdm-cls-access
match class-map SDM_HTTPS
match class-map SDM_SSH
match class-map SDM_SHELL
class-map type inspect match-any frsd
match protocol user-frsd
class-map type inspect match-any sdm-service-sdm-pol-NATOutsideToInside-1
match protocol smtp
match protocol pop3
match protocol pop3s
match protocol lotusnote
match protocol lotusmtap
match protocol imap
class-map type inspect match-all sdm-nat-smtp-1
match access-group 102
match class-map sdm-service-sdm-pol-NATOutsideToInside-1
class-map type inspect imap match-any sdm-app-imap
match  invalid-command
class-map type inspect match-any sdm-cls-protocol-p2p
match protocol gnutella signature
match protocol kazaa2 signature
match protocol fasttrack signature
match protocol bittorrent signature
class-map type inspect match-any my
match protocol http
match protocol https
match protocol ftp
match protocol ms-sql
match protocol ms-sql-m
match protocol user-200
match protocol user-frsd
match protocol ldap
match protocol ldaps
match protocol ldap-admin
class-map type inspect match-any dipost
match protocol user-dipost
class-map type inspect gnutella match-any sdm-app-gnutella
match  file-transfer
class-map type inspect match-any http
match protocol http
match protocol https
match protocol pop3
match protocol ftp
match protocol ftps
match protocol smtp
class-map type inspect match-any ldap
match protocol ldap-admin
match protocol ldap
match protocol ldaps
class-map type inspect match-any smtp
match protocol smtp
class-map type inspect msnmsgr match-any sdm-app-msn-otherservices
match  service any
class-map type inspect ymsgr match-any sdm-app-yahoo-otherservices
match  service any
class-map type inspect match-any map
match protocol user-map
class-map type inspect match-all sdm-cls-sdm-inspect-8
match class-map map
match access-group name map
class-map type inspect match-all sdm-cls-sdm-inspect-9
match class-map frsd
match access-group name gulnaz
class-map type inspect match-any sdm-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-cls-sdm-inspect-2
match class-map http
match access-group name serv
class-map type inspect match-all sdm-cls-sdm-inspect-3
match class-map dipost
match access-group name lilya
class-map type inspect match-any ftp
match protocol ftp
class-map type inspect match-all sdm-cls-sdm-inspect-1
match class-map ftp
match access-group name ftp
class-map type inspect match-any udp
match protocol udp
class-map type inspect match-all sdm-cls-sdm-inspect-6
match class-map udp
match access-group name udp
class-map type inspect match-all sdm-cls-sdm-inspect-7
match class-map ldap
match access-group name mityugova
class-map type inspect aol match-any sdm-app-aol-otherservices
match  service any
class-map type inspect match-any its
match protocol user-its
class-map type inspect match-all sdm-cls-sdm-inspect-4
match class-map its
match access-group name its
class-map type inspect match-all sdm-cls-sdm-inspect-5
match class-map my
match access-group name my
class-map type inspect pop3 match-any sdm-app-pop3
match  invalid-command
class-map type inspect match-all sdm-access
match class-map sdm-cls-access
match access-group 101
class-map type inspect match-any to-all
match protocol dns
match protocol lotusnote
match protocol lotusmtap
match protocol pop3
match protocol icmp
class-map type inspect kazaa2 match-any sdm-app-kazaa2
match  file-transfer
class-map type inspect match-all sdm-protocol-p2p
match class-map sdm-cls-protocol-p2p
class-map type inspect match-any http-https
match protocol http
match protocol https
class-map type inspect http match-any sdm-http-blockparam
match  request port-misuse im
match  request port-misuse p2p
match  req-resp protocol-violation
class-map type inspect match-all sdm-icmp-access
match class-map sdm-cls-icmp-access
match access-group name outgoing
class-map type inspect match-all sdm-invalid-src
match access-group 100
class-map type inspect ymsgr match-any sdm-app-yahoo
match  service text-chat
class-map type inspect msnmsgr match-any sdm-app-msn
match  service text-chat
class-map type inspect edonkey match-any sdm-app-edonkey
match  file-transfer
match  text-chat
match  search-file-name
class-map type inspect http match-any sdm-app-httpmethods
match  request method bcopy
match  request method bdelete
match  request method bmove
match  request method bpropfind
match  request method bproppatch
match  request method connect
match  request method copy
match  request method delete
match  request method edit
match  request method getattribute
match  request method getattributenames
match  request method getproperties
match  request method index
match  request method lock
match  request method mkcol
match  request method mkdir
match  request method move
match  request method notify
match  request method options
match  request method poll
match  request method propfind
match  request method proppatch
match  request method put
match  request method revadd
match  request method revlabel
match  request method revlog
match  request method revnum
match  request method save
match  request method search
match  request method setattribute
match  request method startrev
match  request method stoprev
match  request method subscribe
match  request method trace
match  request method unedit
match  request method unlock
match  request method unsubscribe
class-map type inspect edonkey match-any sdm-app-edonkeychat
match  search-file-name
match  text-chat
class-map type inspect fasttrack match-any sdm-app-fasttrack
match  file-transfer
class-map type inspect http match-any sdm-http-allowparam
match  request port-misuse tunneling
class-map type inspect edonkey match-any sdm-app-edonkeydownload
match  file-transfer
class-map type inspect aol match-any sdm-app-aol
match  service text-chat
!
!
policy-map type inspect sdm-permit-icmpreply
class type inspect sdm-icmp-access
  inspect
class class-default
  drop
policy-map type inspect p2p sdm-action-app-p2p
class type inspect edonkey sdm-app-edonkeychat
  log
  allow
class type inspect edonkey sdm-app-edonkeydownload
  log
  allow
class type inspect fasttrack sdm-app-fasttrack
  log
  allow
class type inspect gnutella sdm-app-gnutella
  log
  allow
class type inspect kazaa2 sdm-app-kazaa2
  log
  allow
class class-default
policy-map type inspect sdm-pol-NATOutsideToInside-1
class type inspect sdm-nat-smtp-1
  inspect
class class-default
  drop
policy-map type inspect sdm-inspect
class type inspect sdm-invalid-src
  drop log
class type inspect sdm-cls-sdm-inspect-2
  inspect
class type inspect sdm-cls-sdm-inspect-8
  inspect
class type inspect sdm-cls-sdm-inspect-4
  inspect
class type inspect sdm-cls-sdm-inspect-7
  inspect
class type inspect sdm-cls-sdm-inspect-9
  inspect
class type inspect sdm-cls-sdm-inspect-5
  inspect
class type inspect sdm-cls-sdm-inspect-3
  inspect
class type inspect to-all
  inspect
class type inspect sdm-cls-sdm-inspect-6
class type inspect http-https
  drop log
class type inspect smtp
  drop log
class type inspect sdm-cls-sdm-inspect-1
  drop log
class class-default
policy-map type inspect im sdm-action-app-im
class type inspect aol sdm-app-aol
  log
  allow
class type inspect msnmsgr sdm-app-msn
  log
  allow
class type inspect ymsgr sdm-app-yahoo
  log
  allow
class type inspect aol sdm-app-aol-otherservices
  log
  reset
class type inspect msnmsgr sdm-app-msn-otherservices
  log
  reset
class type inspect ymsgr sdm-app-yahoo-otherservices
  log
  reset
class class-default
policy-map type inspect http sdm-action-app-http
class type inspect http sdm-http-blockparam
  log
  reset
class type inspect http sdm-app-httpmethods
  log
  reset
class type inspect http sdm-http-allowparam
  log
  allow
class class-default
policy-map type inspect pop3 sdm-action-pop3
class type inspect pop3 sdm-app-pop3
  log
class class-default
policy-map type inspect sdm-permit
class type inspect sdm-access
  inspect
class class-default
  drop log
policy-map type inspect imap sdm-action-imap
class type inspect imap sdm-app-imap
  log
class class-default
!
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security sdm-zp-out-self source out-zone destination self
service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
service-policy type inspect sdm-inspect
!
!
!
!
!
interface Loopback0
description $FW_INSIDE$
ip address 192.0.0.1 255.255.255.255
zone-member security in-zone
!
interface Port-channel1
no ip address
hold-queue 300 in
!
interface FastEthernet0/0
description $FW_INSIDE$$ETH-LAN$
ip address 192.168.0.1 255.255.255.0
ip flow ingress
ip nat inside
ip virtual-reassembly
zone-member security in-zone
duplex auto
speed auto
vlan-id dot1q 2
  exit-vlan-config
!
priority-group 1
!
interface FastEthernet0/1
description $ETH-WAN$$FW_OUTSIDE$
bandwidth 256
ip address 217.30.242.55 255.255.255.0
ip nat outside
ip virtual-reassembly
zone-member security out-zone
ip route-cache flow
duplex auto
speed auto
priority-group 1
!



"ip inspection"
Posted by CrAzOiD, 02-May-08 23:17
>[overquoting removed]
> bandwidth 256
> ip address 217.30.242.55 255.255.255.0
> ip nat outside
> ip virtual-reassembly
> zone-member security out-zone
> ip route-cache flow
> duplex auto
> speed auto
> priority-group 1
>!

match protocol smtp

You have inspection of the smtp protocol in place.
Change it to esmtp.


"ip inspection"
Posted by Technocrat, 03-May-08 09:34
>match protocol smtp
>
>You have inspection of the smtp protocol in place.
>Change it to esmtp.

The Cisco says it does not know such a protocol (esmtp).


"ip inspection"
Posted by CrAzOiD, 03-May-08 15:50
>>match protocol smtp
>>
>>You have inspection of the smtp protocol in place.
>>Change it to esmtp.
>
>The Cisco says it does not know such a protocol (esmtp).

Then remove the smtp inspection altogether.


"ip inspection"
Posted by Technocrat, 03-May-08 23:52
>Then remove the smtp inspection altogether.

If I remove it, mail does not go through at all.
I found this line in someone's config:
match protocol smtp extended
I tried adding the word extended in mine, and esmtp started working!
Thanks for the help!
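
An added example, not part of the thread: a small Python audit that walks a zone-based firewall config of the shape posted above and reports every policy-map class that applies `inspect` to a class-map matching `smtp` without `extended`, following nested `match class-map` references. The function names are hypothetical and the sample config is constructed from the class names in the post.

```python
# Constructed sample, trimmed to the SMTP-related parts of the posted config.
SAMPLE = """\
class-map type inspect match-any sdm-service-sdm-pol-NATOutsideToInside-1
 match protocol smtp
 match protocol pop3
class-map type inspect match-all sdm-nat-smtp-1
 match access-group 102
 match class-map sdm-service-sdm-pol-NATOutsideToInside-1
class-map type inspect match-any smtp
 match protocol smtp
policy-map type inspect sdm-pol-NATOutsideToInside-1
 class type inspect sdm-nat-smtp-1
  inspect
 class class-default
  drop
policy-map type inspect sdm-inspect
 class type inspect smtp
  drop log
"""

def parse(config):
    """Collect match lines per class-map and (policy, class, actions) entries."""
    class_maps, policies, policy, target = {}, [], None, None
    for line in (raw.strip() for raw in config.splitlines()):
        if line == "!":                      # IOS section separator
            policy = target = None
        elif line.startswith("class-map type inspect "):
            policy, target = None, class_maps.setdefault(line.split()[-1], [])
        elif line.startswith("policy-map type inspect "):
            policy, target = line.split()[-1], None
        elif policy and line.startswith("class "):
            target = []
            policies.append((policy, line.split()[-1], target))
        elif line and target is not None:
            target.append(line)
    return class_maps, policies

def matches_plain_smtp(class_maps, name, seen=()):
    """True if the class, or a class-map nested in it, matches smtp without 'extended'."""
    for words in (m.split() for m in class_maps.get(name, [])):
        if words[:3] == ["match", "protocol", "smtp"] and "extended" not in words:
            return True
        if words[:2] == ["match", "class-map"] and len(words) > 2 and words[2] not in seen:
            if matches_plain_smtp(class_maps, words[2], seen + (name,)):
                return True
    return False

def audit(config):
    """Return (policy-map, class) pairs where plain SMTP is inspected, not dropped."""
    class_maps, policies = parse(config)
    return [(p, c) for p, c, actions in policies
            if any(a.split()[0] == "inspect" for a in actions)
            and matches_plain_smtp(class_maps, c)]

if __name__ == "__main__":
    for policy, cls in audit(SAMPLE):
        print(f"{policy}: class {cls} inspects smtp without 'extended'")
```

The `smtp` class under `sdm-inspect` is not reported because its action is `drop log`, so no SMTP inspection runs on that zone-pair.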