I recently made some changes to our Cisco UC540 Firewall/Router/PBX unit and a problem I had long thought we'd seen the back of reared its ugly head: random emails bouncing with an error similar to the following:
#500 Firewall Error ##
As has been documented in numerous places, this is caused by the Cisco IOS firewall being over-zealous with its outbound ESMTP packet inspection: it sits in the SMTP conversation and answers commands it does not recognise with a 500-series reply, which the sending mail server reports back as a bounce. It can be disabled easily enough (instructions further down). What frustrated me was that I knew I had saved the configuration the last time I did this and performed my usual backup, but here the problem was again.
After a little research, it turns out that changes made to the UC540 via CCA (Cisco Configuration Assistant) can, without warning or notification, re-enable the ESMTP inspection and so reawaken the problem. Unfortunately there doesn't seem to be any way around this at the moment, so it is worth re-checking the running configuration after any CCA change.
How to Disable SMTP Packet Inspection
These instructions work on our Cisco UC540 but may be slightly different for yours. For anyone looking for a reference for the Cisco command line interface, I highly recommend keeping a paper copy of the CCNA Portable Command Guide around:
Telnet in to your unit (or SSH, if it is enabled on the box, which avoids sending the password across the LAN in the clear)
Before you do anything else (including entering config t mode), type the following. FastEthernet0/0 is the outside/WAN interface on our unit; if yours is different, find it with show ip interface brief:
show run int FastEthernet0/0
Current configuration : 309 bytes
!
interface FastEthernet0/0
 description $FW_OUTSIDE$
 ip address 220.127.116.11 255.255.255.252
 ip access-group 104 in
 ip nat outside
 ip inspect SDM_MEDIUM out
 ip virtual-reassembly in
 duplex auto
 speed auto
 service-policy input sdmappfwp2p_SDM_MEDIUM
 service-policy output sdmappfwp2p_SDM_MEDIUM
end
Note down the inspection rule name on the "ip inspect ... out" line (SDM_MEDIUM in the output above).
Enter configuration mode by entering the following:
conf t
Enter the following command, replacing SDM_MEDIUM with whatever your show command returned:
no ip inspect name SDM_MEDIUM esmtp
If done correctly you will get no confirmation and no error, which in Cisco-land is a good thing; programming a confirmation message is obviously beyond Cisco's developers. Type end to leave configuration mode, confirm the change with show ip inspect name SDM_MEDIUM (esmtp should no longer appear in the list of inspected protocols), and then save it with copy running-config startup-config, otherwise it will be lost at the next reload.
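Because CCA can quietly put the esmtp inspection back, the check above is worth automating against a saved copy of show running-config (for example the backup taken after each CCA session). The following Python script is an added example written for this post, not code from the original article or from Cisco: it parses a running-config text, finds every interface with an outbound "ip inspect <name> out" rule, reports whether that rule inspects esmtp (or the older smtp keyword), and prints the IOS commands needed to remove it and save. The config excerpt embedded in the script is constructed sample input modelled on the UC540 output shown above; the interface names, the 192.0.2.x address and the FastEthernet0/1 inside interface are assumptions for the sake of the example.

```python
import re

# Constructed sample in the shape of a UC540 running-config. It is test input for this
# script only (not the author's real dump); addresses are RFC 5737 TEST-NET / RFC 1918.
SAMPLE_RUNNING_CONFIG = """\
!
ip inspect name SDM_MEDIUM tcp
ip inspect name SDM_MEDIUM udp
ip inspect name SDM_MEDIUM icmp
ip inspect name SDM_MEDIUM esmtp
ip inspect name SDM_MEDIUM http
!
interface FastEthernet0/0
 description $FW_OUTSIDE$
 ip address 192.0.2.2 255.255.255.252
 ip access-group 104 in
 ip nat outside
 ip inspect SDM_MEDIUM out
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description $FW_INSIDE$
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
!
end
"""

# IOS CBAC keywords that turn on SMTP command inspection; either one produces the bounce.
SMTP_INSPECT_KEYWORDS = ("esmtp", "smtp")


def outbound_inspect_rules(config):
    """Map each interface name to the inspection rule applied with 'ip inspect <name> out'."""
    rules = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            continue
        if not line.startswith(" "):
            current = None  # any unindented line ('!', 'end', a global command) closes the stanza
            continue
        m = re.match(r"^\s+ip inspect (\S+) out\b", line)
        if m and current is not None:
            rules[current] = m.group(1)
    return rules


def inspected_protocols(config, rule_name):
    """Return the set of protocol keywords a named rule inspects (global 'ip inspect name' lines)."""
    pat = re.compile(r"^ip inspect name %s (\S+)" % re.escape(rule_name), re.M)
    return set(pat.findall(config))


def smtp_inspect_findings(config):
    """Return sorted (interface, rule, keyword) triples where outbound inspection covers SMTP."""
    findings = []
    for iface, rule in sorted(outbound_inspect_rules(config).items()):
        for kw in sorted(inspected_protocols(config, rule)):
            if kw in SMTP_INSPECT_KEYWORDS:
                findings.append((iface, rule, kw))
    return findings


def remediation_commands(config):
    """Build the IOS command sequence that strips SMTP inspection from each offending rule and saves."""
    findings = smtp_inspect_findings(config)
    if not findings:
        return []
    cmds = ["configure terminal"]
    for rule, kw in sorted({(r, k) for _, r, k in findings}):
        cmds.append("no ip inspect name %s %s" % (rule, kw))
    cmds += ["end", "copy running-config startup-config"]
    return cmds


if __name__ == "__main__":
    # Typical use: python check_esmtp.py < running-config.txt ; here we run on the sample.
    for iface, rule, kw in smtp_inspect_findings(SAMPLE_RUNNING_CONFIG):
        print("%s: outbound rule %s inspects %s" % (iface, rule, kw))
    print("\n".join(remediation_commands(SAMPLE_RUNNING_CONFIG)))
```

Run it over a fresh show running-config capture after every CCA session; an empty result means the esmtp inspection is still off, and a non-empty one hands you the exact commands to paste back in. The script deliberately looks only at rules bound with "out" on an interface, since an inspection rule that is defined globally but not applied to the WAN interface does nothing to outbound mail.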
If you've got a Cisco unit that you're now responsible for, I'd also recommend getting the CCNA Command Quick Reference – good to have in times of need!