cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1630
Views
0
Helpful
16
Replies

Can't access IMAP, etc. in DMZ from LAN

sicher
Level 1
Level 1

Hello,

 

my RV345P can't connect to my mailserver in the DMZ:

 

2020-12-09T07:57:14+01:00 <info>kernel: [48238.250542] FIREWALL: DROP PACKET is not associated with an existing connectionsIN=eth3.1 OUT=eth3.4094 DST_MAC=10:f9:20:13:97:3d SRC_MAC=:ac:87:a3:26:ce:9e src=192.168.1.101 DST=212.x.y.z LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=56908 DPT=993 WINDOW=2058 RES=0x00 ACK RST URGP=0 MARK=0x100 
2020-12-09T07:57:14+01:00 <info>kernel: [48238.221792] FIREWALL: DROP PACKET is not associated with an existing connectionsIN=eth3.1 OUT=eth3.4094 DST_MAC=10:f9:20:13:97:3d SRC_MAC=:ac:87:a3:26:ce:9e src=192.168.1.101 DST=212.x.y.z LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=56907 DPT=993 WINDOW=2058 RES=0x00 ACK RST URGP=0 MARK=0x100
2020-12-09T07:56:55+01:00 <info>kernel: [48219.405150] FIREWALL ACCEPT:IN=eth3.1 OUT=eth2 DST_MAC=10:f9:20:13:97:3d SRC_MAC=:ac:87:a3:26:ce:9e src=192.168.1.101 DST=104.103.72.48 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=56910 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0 MARK=0x100
2020-12-09T07:56:55+01:00 <info>kernel: [48219.068582] FIREWALL ACCEPT:IN=eth3.1 OUT=eth2 DST_MAC=10:f9:20:13:97:3d SRC_MAC=:ac:87:a3:26:ce:9e src=192.168.1.101 DST=2.18.68.80 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=56909 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0 MARK=0x100
2020-12-09T07:56:55+01:00 <info>kernel: [48218.682655] FIREWALL ACCEPT:IN=eth3.1 OUT=eth3.4094 DST_MAC=10:f9:20:13:97:3d SRC_MAC=:ac:87:a3:26:ce:9e src=192.168.1.101 DST=212.x.y.z LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=56908 DPT=993 WINDOW=65535 RES=0x00 SYN URGP=0 MARK=0x100
2020-12-09T07:56:55+01:00 <info>kernel: [48218.653183] FIREWALL ACCEPT:IN=eth3.1 OUT=eth3.4094 DST_MAC=10:f9:20:13:97:3d SRC_MAC=:ac:87:a3:26:ce:9e src=192.168.1.101 DST=212.x.y.z LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=56907 DPT=993 WINDOW=65535 RES=0x00 SYN URGP=0 MARK=0x100

 

I can't receive or send mails from my iMac in the LAN. It works from the WAN side though.

 

Thank you for your help!

16 Replies 16

marce1000
VIP
VIP

 

                               - Have a review of this document and compare your settings against it :

         https://www.cisco.com/c/en/us/support/docs/smb/routers/cisco-rv-series-small-business-routers/Configuring_DMZ_on_the_RV34x_Series_Router.html

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

Thank you, I checked this already many times and my settings correspond to that.

 

I really don’t know what else I can try.

 

Anyone has a solution?

Mail Server in DMZ is known by DNS for client?

if yes then you need to make 
a- client and DMZ can connect directly 

make the DNS reply the ip of DMZ server private ip not public ip 
b-cleint and DMZ can not connect directly 

make the DNS reply the ip of DMZ server public ip 

config NAT for client to outside if traffic is go to DMZ server public ip and also in same nat do nat DMZ server from public ip to private ip.

Thank you!

 

I added a static NAT from 192.168.1.100 (DiskStation LAN2) to 212.x.y.z (DiskStation LAN2) for IMAP-993 on WAN1.

 

It worked and I could check my mail BUT it's not possible to connect to the mail server from outside on port 465 and 587 anymore. Port 25 works. Don't know why a NAT rule for port 993 influences those other ports.

 

When disabling the NAT rule I receive mails again but can't check it again from my LAN.

Can I see NAT rule you add?

I did a factory reset. Now it added a new firewall rule automatically.

 

If the NAT rule is enabled I can check and receive mails but the DMZ can't access the internet.

 

Please see attached screenshots. Thanks!

 

Screenshots again in JPG.

Sorry can I see all NAT in asa cli 

How do I do it? I searched for it but found that I need a terminal and a cable. 

 

Is there a way just to SSH into the router?

Hello sicher,

 

Just a note for the RV345. Аlthough it has a console port it does not support CLI/SSH and you can only access and configure the router through the web GUI. You could enable the Syslog/remote Syslog server and gather the logs after you factory reset the router. Then you can share.

 

Regards,

Martin 

Thank you!

 

Please see the two attached logs. One with the NAT rule enabled one without.

Hi sicher,

 

Can you try to disable the firewall on the router? With the firewall enabled you would need to set the firewall access rules as shown in the following guide: https://www.cisco.com/c/en/us/support/docs/smb/routers/cisco-rv-series-small-business-routers/Configuring_DMZ_on_the_RV34x_Series_Router.html 

 

Regards,

Martin

It's ridiculous. After rebooting the router again no access from WAN to mailserver. Had to reboot the DiskStation too just to make it accessible again.