01-11-2011 08:32 AM - edited 03-04-2019 11:02 AM
Hello There - I am deploying a Cisco 1841 in place of our basic DSL router.
I have an ADSL WIC and FA0/0 connected to our LAN.
LAN IP address range is 192.168.1.0/24. I have dynamic and static NAT configured. At this point, although I have ACLs configured, I have NOT implemented them as yet, for the following reason: I am unable to receive inbound SMTP traffic. I know my MX records are correct, as this all works happily on our basic DSL router. I can send external emails no problem and all internal email works fine.
Below are some snapshots of my config.
iPN_Gateway#sh run | sec ip nat
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.1.10 25 92.***.***.*** 25 extendable
ip nat inside source static tcp 192.168.1.10 80 92.***.***.*** 80 extendable
ip nat inside source static tcp 192.168.1.10 443 92.***.***.*** 443 extendable
interface FastEthernet0/0
description $ETH-LAN$$FW_INSIDE$
ip address 192.168.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
interface Dialer0
description $FW_OUTSIDE$
bandwidth 8192
ip address 92.***.***.*** 255.255.255.0
ip nbar protocol-discovery
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname ********@*************.net
ppp chap password 7 ************************
access-list 1 remark INSIDE_IF=FastEthernet0/0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
dialer-list 1 protocol ip permit
So, to help with debugging, I have created the following ACL and issued the following debug:
access-list 177 permit icmp any any
access-list 177 permit tcp any eq smtp any
access-list 177 permit tcp any any eq smtp
iPN_Gateway#debug ip packet 177 detail
*Jan 11 16:00:58.234: IP: tableid=0, s=192.168.1.25 (FastEthernet0/0), d=92.***.***.*** (Dialer0), routed via RIB
*Jan 11 16:00:58.234: IP: s=192.168.1.25 (FastEthernet0/0), d=92.***.***.***, len 52, rcvd 4
*Jan 11 16:00:58.234: TCP src=63133, dst=25, seq=274291960, ack=0, win=8192 SYN
*Jan 11 16:00:58.234: IP: tableid=0, s=92.***.***.*** (local), d=192.168.1.25 (FastEthernet0/0), routed via FIB
*Jan 11 16:00:58.234: IP: s=92.***.***.*** (local), d=192.168.1.25 (FastEthernet0/0), len 40, sending
*Jan 11 16:00:58.234: TCP src=25, dst=63133, seq=0, ack=274291961, win=0 ACK RST
iPN_Gateway#
*Jan 11 16:00:58.742: IP: tableid=0, s=192.168.1.25 (FastEthernet0/0), d=92.***.***.*** (Dialer0), routed via RIB
*Jan 11 16:00:58.742: IP: s=192.168.1.25 (FastEthernet0/0), d=92.***.***.***, len 52, rcvd 4
*Jan 11 16:00:58.742: TCP src=63133, dst=25, seq=274291960, ack=0, win=8192 SYN
*Jan 11 16:00:58.742: IP: tableid=0, s=92.***.***.*** (local), d=192.168.1.25 (FastEthernet0/0), routed via FIB
*Jan 11 16:00:58.742: IP: s=92.***.***.*** (local), d=192.168.1.25 (FastEthernet0/0), len 40, sending
*Jan 11 16:00:58.742: TCP src=25, dst=63133, seq=0, ack=274291961, win=0 ACK RST
iPN_Gateway#
The above debug is a "telnet 92.***.***.*** 25" from an internal device on 192.168.1.25. The telnet responds with "cannot connect to host"; however, if I "telnet 192.168.1.10 25" this is successful.
Below is the response from the exchange server when the basic DSL router is connected.
220 mail.******.co.uk Microsoft ESMTP MAIL Service ready at Tue, 11 Jan 2011 16:09:23 +0000
Thank you in advance for any advice. I am in the process of defaulting the router and programming the bare bones to get the link working, to see if inbound SMTP works, and then start building the blocks again.
01-11-2011 10:48 AM
Might sound like an obvious question, but have you tried SMTP from an internet host (not on your local LAN) to your email server? I would hazard a guess that the ACK, RST packet is being generated by the router itself, not the actual Exchange server. You aren't seeing any packets that are s=192.168.1.10 in the debug, which would make me think the router is shutting down the connection. The config looks fine after a quick glance.
I'm not sure if the 1841 can do it, but you may need to look into hairpinning if you need to access the external IP (92.xx.xx.xx) from the internal LAN.
01-11-2011 11:10 AM
Hi rtjensen4
Yes, I should have mentioned that bit. I did try this from a host outside of my LAN also, with the same effect.
As I mentioned in my post earlier, I have reset the router and re-configured from scratch, block by block, testing every step of the way. I now have the router fully configured with my ACLs also applied, and all is now working, which is most bizarre.
The one main difference is the following omissions and addition:
no ip nat source static tcp 192.168.1.10 25 92.***.***.*** 25 extendable
no ip nat source static tcp 192.168.1.10 80 92.***.***.*** 80 extendable
no ip nat source static tcp 192.168.1.10 443 92.***.***.*** 443 extendable
ip nat source static tcp 192.168.1.10 92.***.***.***
Ideally I don't want to leave this as the only statement, as it effectively leaves my router open. I really want to use the statements that I have removed. I will try this tomorrow morning, re-adding them, and see if SMTP still works.
I will keep you updated.
01-31-2011 12:18 PM
Hi all,
A bit of an update - been rather busy hence the delay in replies.
I have narrowed down the issue, I believe, to be solely a NAT issue. I am able to telnet to our Exchange server from an external LAN. However, our inbound emails are so few and far between that I have had to switch back to our basic broadband router.
I have the following current additions to my config:
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.1.10 25 92.***.***.*** 25 extendable
ip nat inside source static tcp 192.168.1.10 80 92.***.***.*** 80 extendable
ip nat inside source static tcp 192.168.1.10 443 92.***.***.*** 443 extendable
ip nat inside source static network 192.168.1.0 92.***.***.*** /32 extendable
I am at a loss as to what this issue is, other than that it is definitely a NAT issue. I do have ACLs on the external interface in the inbound direction; however, removing the ACL I still have the problem. I had the Cisco router connected for the most part of today. Initially we were getting emails in, not many but enough to think all was well; as the day wore on, emails I was expecting did not arrive, so late today I reverted back to the basic router and emails hit my inbox by the bucket load.
Any ideas would be greatly appreciated.
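As an added example (not taken from any of the posts above), here is the per-port static NAT the poster wants to keep, written so that the public address is taken from the dialer interface rather than typed as a literal, together with an inbound ACL on Dialer0 that admits only the three published services plus ICMP error replies, and CBAC inspection so that return traffic for outbound sessions is admitted without opening the ACL further. The names FW_OUTSIDE_IN and CBAC_OUT are my own choices; because the 92.x.x.x address is masked in the thread the ACL matches on "any" destination and leaves it to the static NAT entries to decide what is forwarded; CBAC assumes an IOS image with the firewall feature set. Note that classic inside/outside NAT does not hairpin LAN-to-public-IP connections, so the check at the bottom must be run from a host outside the LAN, as rtjensen4 suggested.

```cisco
! Added example, not the poster's running config. FW_OUTSIDE_IN and CBAC_OUT are
! assumed names; the masked public address is never typed, Dialer0 is used instead.
!
! Port-specific static NAT only: one entry per published service.
! Binding to 'interface Dialer0' follows the PPP-assigned address, so the entries
! keep working if the ISP hands out a different address.
ip nat inside source static tcp 192.168.1.10 25  interface Dialer0 25
ip nat inside source static tcp 192.168.1.10 80  interface Dialer0 80
ip nat inside source static tcp 192.168.1.10 443 interface Dialer0 443
! Everything else on the LAN shares the dialer address (PAT), as in the original.
ip nat inside source list 1 interface Dialer0 overload
!
! Stateful inspection of sessions leaving via Dialer0; their return traffic is
! admitted automatically, so the inbound ACL only has to list published services.
ip inspect name CBAC_OUT tcp
ip inspect name CBAC_OUT udp
!
ip access-list extended FW_OUTSIDE_IN
 remark Inbound ACL is evaluated before NAT, so it sees the public (pre-NAT) address.
 remark Only the three published ports are opened; static NAT decides where they go.
 permit tcp any any eq smtp
 permit tcp any any eq www
 permit tcp any any eq 443
 remark ICMP errors needed for path-MTU discovery and traceroute/ping replies
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 permit icmp any any echo-reply
 deny   ip any any log
!
interface Dialer0
 ip access-group FW_OUTSIDE_IN in
 ip inspect CBAC_OUT out
!
! Verification, from a host OUTSIDE the LAN (hairpinning is not handled here):
!   telnet <public-address> 25
!   expect: 220 mail.<domain> Microsoft ESMTP MAIL Service ready at ...
! On the router, confirm the translation and the ACL line are being hit:
!   show ip nat translations | include :25
!   show access-lists FW_OUTSIDE_IN    (match count on the smtp line should increase)
```

Traffic the router itself originates (its own DNS lookups or NTP, for instance) is not covered by the "ip inspect ... out" rule by default, so if the router needs those, either add explicit permits to FW_OUTSIDE_IN or use the router-traffic option on the inspect rule where the IOS release supports it. The "deny ip any any log" line is deliberate: the logged hits are the quickest way to see whether a legitimate inbound SMTP connection is being dropped by the ACL rather than by NAT.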
02-10-2011 03:32 PM
Hi
I have put this to the back burner for now.
On the cheap basic DSL router I have configured the firewall to permit only inbound SMTP (port 25) traffic, and all email works fine.
No idea why it won't work through a more expensive and more intelligent Cisco router.
Sent from Cisco Technical Support iPhone App