01-16-2008 12:28 PM - edited 03-03-2019 08:17 PM
For some reason I cannot make connections to IMAP4, IMAP, or IMAPSSL from outside the Firewall. SMTP, HTTP, etc. portmappings/ACLs are working fine.
I have the appropriate portmappings in place and have the acl allowed. The internal IMAP server is 10.1.3.102. When I do a
show ip nat trans I get:
tcp 69.x.x.242:993 10.1.3.102:993 70.2.11.232:37481 70.2.11.232:37481
So I know the connection is getting made. Please help if you have the slightest bit of advice.
01-16-2008 01:01 PM
Nothing glaring as to what's the problem in your config.
Couple of questions: 1) Can you remove the ACL as a troubleshooting step from the external interface and see if you can get an IMAP session? If so, we need to examine the ACL a lot further.
2) I noticed in your outgoing ACL you have a permit ip any any. What's the point of having the ACL at all?
___
Edison.
01-16-2008 01:23 PM
I greatly appreciate your response. I can remove it this evening after everyone is gone from the office.
I thought someone would catch that. :) Our Director previously had a SonicWall FW that had very simple firewall settings. The VPN/FW would hang up nearly every week and I got tired of resetting it. I insisted that we get a small Cisco 1841 to replace it.
I used many of these at my previous company and touted their ease and stability. Well, the same thing was occurring on the outgoing side. SMTP was being blocked some kind of way going out for 10.1.3.102 and 10.1.3.104. So - I had to allow all to get it working. I figured I would tweak it later... but now this is happening as well.
I feel kind of stupid now because I convinced my supervisor to order this 1841 and now I can't get something so easy to work.
I will remove it this evening and let you know.
Thanks!
01-16-2008 01:32 PM
If the ACL removal (and please keep in mind, this is temporary) doesn't do it, then perhaps the NAT needs some tweaking.
I suggest changing the interface fastethernet0/1 portion and enter the ip address of the interface instead on the static nat statement. With the ip address, you have the option to use extendable after entering the dst tcp port.
01-16-2008 10:11 PM
Removed it and everything was fine. I am at a loss. I can try to change to ip instead of interface tomorrow at lunch. Any other suggestions? Thanks in advance.
Note: that document was what I used to configure the last 3 NATs on a few routers.
01-17-2008 06:11 AM
You removed the ACL and everything worked as expected? If so, the problem is with the ACL and not NAT.
__
Edison.
01-17-2008 12:29 PM
Isn't my ACL fairly simple and straightforward? Can anyone see what's going on here? I have hammered this for days and cannot seem to find the flaw here.
01-17-2008 01:01 PM
You still have not answered my question. When you removed the ACL, were you able to connect via IMAP? Perhaps you have to add udp in addition to tcp for those ports.
01-17-2008 01:43 PM
Ok - this is weird. I removed ip access-group INBOUND in from int f0/1 and when I used http://www.yougetsignal.com/openPortsTool/
to check 993, 143, and 220 it showed closed. But, when I checked 80, 25, and 3389 they still showed open.
So no, the ports do not open (only for these few) when I removed the ACL from that interface.
PS - UDP any x.102 was already opened. I went ahead and added udp for each of the servers on incoming. Still no go.
Keep in mind - there are no other firewalls here and I am able to telnet, smtp, imap, etc. into the 10.1.3.102 server from within the LAN just fine.
01-18-2008 11:12 AM
Any recommendations? I'm about to have to send this router back over this. We have email clients/smart phones that are not able to make a connection now. Please help.
01-18-2008 11:50 AM
Use the ip address and extendable in the NAT statement as I recommended before.
01-18-2008 02:13 PM
ip nat inside source static tcp 10.1.3.102 143 69.x.x.242 143 extendable
ip nat inside source static tcp 10.1.3.102 585 69.x.x.242 585 extendable
ip nat inside source static tcp 10.1.3.102 993 69.x.x.242 993 extendable
Still showing closed. Tested and no connection made. Anything else?
Thanks
01-18-2008 04:34 PM
Please post the output from typing show ip nat translation along with the new config.
01-22-2008 02:16 PM
Here is the show ip nat trans:
Pro Inside global Inside local Outside local Outside global
tcp 69.x.x.242:80 10.1.3.2:80 64.90.2.238:4422 64.90.2.238:4422
tcp 69.x.x.242:80 10.1.3.2:80 68.213.162.98:10789 68.213.162.98:10789
tcp 69.x.x.242:80 10.1.3.2:80 208.14.229.1:48817 208.14.229.1:48817
tcp 69.x.x.242:80 10.1.3.2:80 208.99.195.54:54556 208.99.195.54:54556
tcp 69.x.x.242:80 10.1.3.2:80 208.99.195.54:65173 208.99.195.54:65173
tcp 69.x.x.242:80 10.1.3.2:80 --- ---
tcp 69.x.x.242:88 10.1.3.6:88 --- ---
udp 69.x.x.242:1034 10.1.3.6:1034 10.2.3.6:161 10.2.3.6:161
udp 69.x.x.242:1034 10.1.3.6:1034 10.2.3.7:161 10.2.3.7:161
tcp 69.x.x.242:1494 10.1.3.6:1494 24.254.61.213:4302 24.254.61.213:4302
tcp 69.x.x.242:1494 10.1.3.6:1494 68.225.103.142:55345 68.225.103.142:55345
tcp 69.x.x.242:1494 10.1.3.6:1494 68.227.73.226:1627 68.227.73.226:1627
tcp 69.x.x.242:1494 10.1.3.6:1494 69.2.38.8:8286 69.2.38.8:8286
tcp 69.x.x.242:1494 10.1.3.6:1494 69.152.242.186:1054 69.152.242.186:1054
tcp 69.x.x.242:1494 10.1.3.6:1494 72.150.38.69:50853 72.150.38.69:50853
tcp 69.x.x.242:1494 10.1.3.6:1494 --- ---
tcp 69.x.x.242:2716 10.1.3.8:2716 64.86.106.99:21 64.86.106.99:21
tcp 69.x.x.242:3058 10.1.3.16:3058 66.245.187.32:80 66.245.187.32:80
tcp 69.x.x.242:3062 10.1.3.16:3062 70.183.191.121:80 70.183.191.121:80
tcp 69.x.x.242:4314 10.1.3.16:4314 206.51.26.33:3101 206.51.26.33:3101
tcp 69.x.x.242:1648 10.1.3.19:1648 205.128.92.124:80 205.128.92.124:80
tcp 69.x.x.242:49255 10.1.3.40:49255 168.98.65.51:25 168.98.65.51:25
tcp 69.x.x.242:443 10.1.3.52:443 --- ---
tcp 69.x.x.242:143 10.1.3.102:143 --- ---
tcp 69.x.x.242:585 10.1.3.102:585 --- ---
tcp 69.x.x.242:993 10.1.3.102:993 --- ---
tcp 69.x.x.242:2000 10.1.3.127:2000 209.8.115.135:80 209.8.115.135:80
tcp 69.x.x.242:2106 10.1.3.127:2106 77.242.193.133:80 77.242.193.133:80
Of course there are thousands of others because everything else is working for 80, 1494 (Citrix ICA), etc. I just thought I would snap the area of the PAT reservations that show the '---' entries.
Here is the current running config:
Again, thank you so much for your assistance. Without your dedicated help -- I would be lost!
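Reading that translation table by hand is error-prone, especially when the terminal has wrapped rows mid-field (the stray "9" and "345" lines above). The script below is an added example, not code from either poster or from Cisco; it assumes the default IOS `show ip nat translations` column layout shown in the thread and uses constructed sample rows with documentation-range addresses. It rejoins wrapped rows, then separates the static mappings (the rows with `---` in the outside columns, which are the port-forward reservations themselves) from rows with a real outside peer, which prove a packet actually traversed NAT. Static mappings with zero live sessions for a service that is reachable from the LAN are exactly the ones worth checking against the inbound ACL, which is the diagnosis Edison draws from the same output.

```python
"""Summarise Cisco IOS `show ip nat translations` output (added example)."""
import re
from collections import defaultdict

# Constructed sample modelled on the thread's output; addresses are from
# the documentation ranges (198.51.100.0/24, 203.0.113.0/24), not real hosts.
SAMPLE = """\
Pro Inside global Inside local Outside local Outside global
tcp 198.51.100.242:80 10.1.3.2:80 203.0.113.10:4422 203.0.113.10:4422
tcp 198.51.100.242:80 10.1.3.2:80 203.0.113.11:10789 203.0.113.11:1078
9
tcp 198.51.100.242:80 10.1.3.2:80 --- ---
udp 198.51.100.242:1034 10.1.3.6:1034 10.2.3.6:161 10.2.3.6:161
tcp 198.51.100.242:143 10.1.3.102:143 --- ---
tcp 198.51.100.242:993 10.1.3.102:993 --- ---
"""

ENDPOINT = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}:\d+$")


def unwrap(text):
    """Re-join rows that the terminal wrapped mid-field (a trailing '9', '345', ...)."""
    rows = []
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        # A line consisting only of digits is the tail of the previous row.
        if line.isdigit() and rows:
            rows[-1] += line
        else:
            rows.append(line)
    return rows


def parse_translations(text):
    """Return one dict per translation row; the header line is skipped."""
    entries = []
    for row in unwrap(text):
        fields = row.split()
        if len(fields) != 5 or fields[0] not in ("tcp", "udp", "icmp"):
            continue  # header or an unrecognised line
        proto, ig, il, ol, og = fields
        for ep in (ig, il):
            if not ENDPOINT.match(ep):
                raise ValueError("unexpected endpoint %r in row %r" % (ep, row))
        entries.append({
            "proto": proto,
            "inside_global": ig,
            "inside_local": il,
            "outside_local": ol,
            "outside_global": og,
            # '---' in the outside columns is the static mapping itself:
            # no session is currently using it (assumption: default IOS layout).
            "active": ol != "---",
        })
    return entries


def summarize(entries):
    """Map (proto, inside_local) -> {'static': bool, 'sessions': int}."""
    summary = defaultdict(lambda: {"static": False, "sessions": 0})
    for e in entries:
        key = (e["proto"], e["inside_local"])
        if e["active"]:
            summary[key]["sessions"] += 1
        else:
            summary[key]["static"] = True
    return dict(summary)


def never_hit(summary):
    """Static mappings with no live session: if the service answers from the
    LAN, the inbound ACL (or something upstream) is the next thing to check."""
    return sorted(k for k, v in summary.items()
                  if v["static"] and v["sessions"] == 0)


if __name__ == "__main__":
    s = summarize(parse_translations(SAMPLE))
    for key, v in sorted(s.items()):
        print("%s %-16s static=%-5s sessions=%d"
              % (key[0], key[1], v["static"], v["sessions"]))
    print("static mappings with no active session:", never_hit(s))
```

Run it against a saved copy of the real output instead of `SAMPLE`; the mappings it lists are the ones to compare, port by port, with the inbound ACL applied to the outside interface, since a static entry that never acquires a peer row means no packet reached NAT on that port.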
01-22-2008 03:28 PM
tcp 69.x.x.242:143 10.1.3.102:143 --- ---
tcp 69.x.x.242:585 10.1.3.102:585 --- ---
tcp 69.x.x.242:993 10.1.3.102:993 --- ---
The NAT output looks correct. Can you verify the device 10.1.3.102 has its default gateway pointing to this router?
Is it happening just with this device?
__
Edison.