09-23-2006 10:33 AM
Dear All,
I have a Cisco 1841 router for internet.
It has 2 interfaces as following :-
1. Fast Ethernet 0/0 :-
Description : connected to my ISP router FOR INTERNET connection.
IP Address of this interface : 213.255.237.109 / 255.255.255.248
2. Fast Ethernet 0/1 :-
Description : connected to my Cisco switch to connect devices
IP Address of this interface : 213.255.237.113 / 255.255.255.248
The access list which is implemented on it : ip access-group 103 out
The IP schema for my company which the ISP has assigned to me was the following :-
< First Network > :-
Which is assigned only to the interface F0/0 :-
< 213.255.237.104 up to 213.255.237.111 >
< Second Network > :-
Which is assigned only to the interface F0/1 :-
< 213.255.237.112 up to 213.255.237.119 >
The route for my traffic is < ip route 0.0.0.0 0.0.0.0 213.255.237.105 >.
The cable which comes out of interface F0/1 is plugged into an UNMANAGED switch in port 2, to connect other devices on Network 2, like my firewall and my CEO's PC, with real IPs as well.
The firewall is called Fortigate and its configuration is as following :-
First NIC :-
IP : 213.255.237.116
SM : 255.255.255.248
GW : 213.255.237.113
Second NIC :-
IP Address : 192.168.1.00
SM : 255.255.255.0
All the users in my LAN are configured to use the FW as NAT, and all of them are configured with it as gateway.
Our e-mail server is hosted outside, and we are using POP3 & SMTP to access it. We do not have an Exchange server at all.
POP3 : 64.202.165.92
SMTP : 64.202.165.58
There is no restriction at all on the firewall to disable any traffic or stop anything at all, and everything is open on the inbound & outbound interfaces of the firewall.
Now,
1 PC is located not behind the firewall at all, but behind the interface F0/1.
The settings of this PC are as following :-
< IP : 213.255.237.119, SM : 255.255.255.248, GW : 213.255.237.113, DNS : 213.255.237.8 >
This user reported to me that he is unable to download his e-mails through POP3, but is able to send using SMTP.
All the other users who are using the firewall are able to send and receive using POP3 & SMTP without any problem at all.
He is the only one who has this problem.
Even if I change the IP and put any other IP from the Second Network, we find the same problem.
The access list is as following :-
access-list 103 permit tcp any host 213.255.237.116 eq smtp
access-list 103 permit tcp any host 213.255.237.116 eq pop3
access-list 1 permit 213.255.237.104 0.0.0.7
access-list 1 permit 213.255.237.112 0.0.0.7
access-list 103 permit ip any any
If you look at the first access list, it means this :
The router has an extended access list called 103, to permit the TCP protocol on port 25 from any source to this destination 213.255.237.116 only, as if the POP3 server & SMTP server were 213.255.237.116, while this is not the situation at all.
And the same but for POP3.
And I open everything on protocol IP from anywhere to anywhere.
1- Now, could the problem of this user, who is using a real IP behind interface F0/1, be the first access list?
Because it only opens SMTP for this host only, 213.255.237.116, which is MY FIREWALL?
Could it be?
But at the same time I enabled, or opened, everything on this access list, so I am getting confused.
2- What will happen if I write a special access-list to enable only this IP, like this :-
access-list 103 permit tcp host 213.255.237.119 any eq smtp
access-list 103 permit tcp host 213.255.237.119 any eq pop3
3- Or should I write an access-list to open the POP3 server, which is 64.202.165.92, to this user only, like this :-
access-list 103 permit tcp host 213.255.237.119 host 64.202.165.92 eq pop3
access-list 103 permit tcp host 213.255.237.119 host 64.202.165.58 eq smtp
4- Could the problem be the direction of the access-list itself?
Should I put it on F0/0 out?
09-23-2006 10:38 PM
Look at the simple stuff first before you go mucking with your ACLs. If you are running a /29 subnet, .119 is a broadcast address, isn't it?
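As an added example, not part of either post: a short Python check of the two points raised in this thread, the ACL 103 evaluation for the PC's return POP3 traffic and the /29 address arithmetic behind the reply. The addresses and ACL entries are the ones posted above; the packet dictionaries are constructed.

```python
import ipaddress

# Values taken from the thread; the packet descriptions further down are constructed.
LAN_NET = ipaddress.ip_network("213.255.237.112/29")   # second /29, on F0/1
PC_ADDR = ipaddress.ip_address("213.255.237.119")      # the PC that cannot fetch POP3
FW_ADDR = ipaddress.ip_address("213.255.237.116")      # Fortigate outside interface
POP3_SERVER = ipaddress.ip_address("64.202.165.92")

# access-list 103 as posted, in order: (source, destination, protocol, dest port).
# "any" matches every address; a port of None means "no port test".
ACL_103 = [
    ("any", "213.255.237.116", "tcp", 25),    # permit tcp any host .116 eq smtp
    ("any", "213.255.237.116", "tcp", 110),   # permit tcp any host .116 eq pop3
    ("any", "any", "ip", None),               # permit ip any any
]

def subnet_report(net, addr):
    """Return (addr is a usable host, broadcast address, number of usable hosts)."""
    hosts = list(net.hosts())
    return addr in hosts, net.broadcast_address, len(hosts)

def wildcard_to_prefixlen(wildcard):
    """Convert an IOS wildcard mask such as 0.0.0.7 (from access-list 1) to a prefix length."""
    return 32 - bin(int(ipaddress.ip_address(wildcard))).count("1")

def ace_matches(ace, pkt):
    src, dst, proto, dport = ace
    if src != "any" and ipaddress.ip_address(src) != pkt["src"]:
        return False
    if dst != "any" and ipaddress.ip_address(dst) != pkt["dst"]:
        return False
    if proto != "ip" and proto != pkt["proto"]:
        return False
    return dport is None or dport == pkt["dport"]

def evaluate_acl(acl, pkt):
    """Index of the first matching entry, or None for the implicit deny at the end."""
    for i, ace in enumerate(acl):
        if ace_matches(ace, pkt):
            return i
    return None

# Constructed packet: the POP3 server's reply heading out F0/1 towards the PC,
# which is where "ip access-group 103 out" is evaluated (ephemeral client port assumed).
RETURN_POP3 = {"src": POP3_SERVER, "dst": PC_ADDR, "proto": "tcp", "dport": 49152}

if __name__ == "__main__":
    usable, bcast, n = subnet_report(LAN_NET, PC_ADDR)
    print(f"{PC_ADDR} usable host: {usable}; broadcast of {LAN_NET}: {bcast}; {n} usable hosts")
    print("access-list 1 wildcard 0.0.0.7 is a /" + str(wildcard_to_prefixlen("0.0.0.7")))
    print("return POP3 packet matched ACE index:", evaluate_acl(ACL_103, RETURN_POP3))
```

The return packet falls through to the final `permit ip any any`, so the posted ACL is not what blocks it, while the subnet report shows .119 is the broadcast address of the /29 rather than one of its six usable hosts.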