Can't access IMAP, etc. in DMZ from LAN

sicher · ‎12-09-2020

Hello,

my RV345P can't connect to my mailserver in the DMZ:

2020-12-09T07:57:14+01:00 <info>kernel: [48238.250542] FIREWALL: DROP PACKET is not associated with an existing connectionsIN=eth3.1 OUT=eth3.4094 DST_MAC=10:f9:20:13:97:3d SRC_MAC=:ac:87:a3:26:ce:9e src=192.168.1.101 DST=212.x.y.z LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=56908 DPT=993 WINDOW=2058 RES=0x00 ACK RST URGP=0 MARK=0x100 
2020-12-09T07:57:14+01:00 <info>kernel: [48238.221792] FIREWALL: DROP PACKET is not associated with an existing connectionsIN=eth3.1 OUT=eth3.4094 DST_MAC=10:f9:20:13:97:3d SRC_MAC=:ac:87:a3:26:ce:9e src=192.168.1.101 DST=212.x.y.z LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=56907 DPT=993 WINDOW=2058 RES=0x00 ACK RST URGP=0 MARK=0x100 
2020-12-09T07:56:55+01:00 <info>kernel: [48219.405150] FIREWALL ACCEPT:IN=eth3.1 OUT=eth2 DST_MAC=10:f9:20:13:97:3d SRC_MAC=:ac:87:a3:26:ce:9e src=192.168.1.101 DST=104.103.72.48 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=56910 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0 MARK=0x100 
2020-12-09T07:56:55+01:00 <info>kernel: [48219.068582] FIREWALL ACCEPT:IN=eth3.1 OUT=eth2 DST_MAC=10:f9:20:13:97:3d SRC_MAC=:ac:87:a3:26:ce:9e src=192.168.1.101 DST=2.18.68.80 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=56909 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0 MARK=0x100 
2020-12-09T07:56:55+01:00 <info>kernel: [48218.682655] FIREWALL ACCEPT:IN=eth3.1 OUT=eth3.4094 DST_MAC=10:f9:20:13:97:3d SRC_MAC=:ac:87:a3:26:ce:9e src=192.168.1.101 DST=212.x.y.z LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=56908 DPT=993 WINDOW=65535 RES=0x00 SYN URGP=0 MARK=0x100 
2020-12-09T07:56:55+01:00 <info>kernel: [48218.653183] FIREWALL ACCEPT:IN=eth3.1 OUT=eth3.4094 DST_MAC=10:f9:20:13:97:3d SRC_MAC=:ac:87:a3:26:ce:9e src=192.168.1.101 DST=212.x.y.z LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=56907 DPT=993 WINDOW=65535 RES=0x00 SYN URGP=0 MARK=0x100

I can't receive or send mails from my iMac in the LAN. It works from the WAN side though.

Thank you for your help!

marce1000 · ‎12-09-2020

- Have a review of this document and compare your settings against it :

https://www.cisco.com/c/en/us/support/docs/smb/routers/cisco-rv-series-small-business-routers/Configuring_DMZ_on_the_RV34x_Series_Router.html

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

sicher · ‎12-09-2020

Thank you, I checked this already many times and my settings correspond to that.

I really don’t know what else I can try.

Anyone has a solution?

MHM Cisco World · ‎12-09-2020

Mail Server in DMZ is known by DNS for client?

if yes then you need to make
a- client and DMZ can connect directly

make the DNS reply the ip of DMZ server private ip not public ip
b-cleint and DMZ can not connect directly

make the DNS reply the ip of DMZ server public ip

config NAT for client to outside if traffic is go to DMZ server public ip and also in same nat do nat DMZ server from public ip to private ip.

sicher · ‎12-10-2020

Thank you!

I added a static NAT from 192.168.1.100 (DiskStation LAN2) to 212.x.y.z (DiskStation LAN2) for IMAP-993 on WAN1.

It worked and I could check my mail BUT it's not possible to connect to the mail server from outside on port 465 and 587 anymore. Port 25 works. Don't know why a NAT rule for port 993 influences those other ports.

When disabling the NAT rule I receive mails again but can't check it again from my LAN.

MHM Cisco World · ‎12-10-2020

Can I see NAT rule you add?

sicher · ‎12-10-2020

I did a factory reset. Now it added a new firewall rule automatically.

If the NAT rule is enabled I can check and receive mails but the DMZ can't access the internet.

Please see attached screenshots. Thanks!

sicher · ‎12-10-2020

Screenshots again in JPG.

MHM Cisco World · ‎12-10-2020

Sorry can I see all NAT in asa cli

sicher · ‎12-10-2020

How do I do it? I searched for it but found that I need a terminal and a cable.

Is there a way just to SSH into the router?

Martin Aleksandrov · ‎12-10-2020

Hello sicher,

Just a note for the RV345. Аlthough it has a console port it does not support CLI/SSH and you can only access and configure the router through the web GUI. You could enable the Syslog/remote Syslog server and gather the logs after you factory reset the router. Then you can share.

Regards,

Martin

sicher · ‎12-10-2020

Thank you!

Please see the two attached logs. One with the NAT rule enabled one without.

Martin Aleksandrov · ‎12-10-2020

Hi sicher,

Can you try to disable the firewall on the router? With the firewall enabled you would need to set the firewall access rules as shown in the following guide: https://www.cisco.com/c/en/us/support/docs/smb/routers/cisco-rv-series-small-business-routers/Configuring_DMZ_on_the_RV34x_Series_Router.html

Regards,

Martin

sicher · ‎12-10-2020

It's ridiculous. After rebooting the router again no access from WAN to mailserver. Had to reboot the DiskStation too just to make it accessible again.

MHM Cisco World · ‎12-10-2020

https://www.cisco.com/c/en/us/support/routers/rv345-dual-gigabit-wan-vpn-router/model.html#ConfigurationExamplesandTechNotes

this link help you