08-09-2012 07:21 AM - edited 03-07-2019 08:15 AM
Hello,
I have a device that connects to the wireless network (WLAN1), with static IP (192.168.1.10), but cannot send emails using several SMTP servers, like smtp.google.com. Is there anything at the router that blocks the SMTP port (25)? I have appended the configuration of the router below:
router#sh run
Building configuration...
Current configuration : 7770 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 32768 informational
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-61071307
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-61071307
revocation-check none
rsakeypair TP-self-signed-61071307
!
!
crypto pki certificate chain TP-self-signed-61071307
certificate self-signed 01
30820240 308201A9 ….. omitted 63DED965 BF9ED7BF A567E004
quit
dot11 syslog
!
dot11 ssid WLAN1
vlan 1
authentication open
authentication key-management wpa
mbssid guest-mode
wpa-psk ascii 7 0707244543084852320444659
!
no ip source-route
!
!
ip dhcp excluded-address 192.168.1.254
!
ip dhcp pool pool
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.254
dns-server 195.170.0.1 195.170.2.2
update arp
!
!
ip cef
no ip bootp server
ip domain name local
ip name-server 192.168.1.254
ip name-server 4.4.4.2
ip name-server 4.4.4.6
ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name firewall cuseeme
ip inspect name firewall h323
ip inspect name firewall rcmd
ip inspect name firewall realaudio
ip inspect name firewall streamworks
ip inspect name firewall vdolive
ip inspect name firewall sqlnet
ip inspect name firewall tftp
ip inspect name firewall ftp
ip inspect name firewall icmp
ip inspect name firewall sip
ip inspect name firewall esmtp max-data 52428800
ip inspect name firewall fragment maximum 256 timeout 1
ip inspect name firewall netshow
ip inspect name firewall rtsp
ip inspect name firewall pptp
ip inspect name firewall skinny
ip ddns update method no-ip
HTTP
add http://xxxxxx/password%40dynupdate.no-ip.com/nic/update%3FURL.no-ip.org=<h>&myip=<a>
interval maximum 0 0 5 0
!
login block-for 30 attempts 3 within 15
login delay 3
login on-failure log
no ipv6 cef
!
multilink bundle-name authenticated
!
!
username admin privilege 15 secret 5 $1$xZ7X$IXrtcnY1U7wU32eT1inUW4jY0
!
!
archive
log config
hidekeys
path flash:config
write-memory
!
!
ip tcp selective-ack
ip tcp timestamp
!
bridge irb
!
!
interface ATM0
no ip address
no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
pvc 8/35
pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
no ip address
!
encryption vlan 1 mode ciphers aes-ccm
!
broadcast-key vlan 1 change 30
!
!
ssid WLAN1
!
mbssid
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Vlan1
no ip address
bridge-group 1
bridge-group 1 spanning-disabled
!
interface Dialer0
ip ddns update hostname URL.no-ip.org
ip ddns update no-ip
ip address negotiated
no ip redirects
no ip unreachables
ip mtu 1492
ip nat outside
ip inspect firewall out
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp pap sent-username xxxxxxxxx password 7 11184efc05D52101D1E
ppp ipcp dns request
ppp ipcp route default
!
interface Dialer1
no ip address
ip nbar protocol-discovery
!
interface BVI1
ip address 192.168.1.254 255.255.255.0
ip access-group 102 in
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
!
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.1.10 8080 interface Dialer0 9595
!
!
logging trap warnings
access-list 1 remark The local LAN.
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 remark Where management can be done from.
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 101 remark Traffic allowed to enter the router from the Internet
access-list 101 deny ip 0.0.0.0 0.255.255.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip 169.254.0.0 0.0.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.0.2.0 0.0.0.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 198.18.0.0 0.1.255.255 any
access-list 101 deny ip 224.0.0.0 0.15.255.255 any
access-list 101 deny ip any host 255.255.255.255
access-list 101 permit tcp any any eq 1723
access-list 101 permit gre any any
access-list 101 permit tcp any any eq 22
access-list 101 permit tcp any any eq telnet
access-list 101 permit tcp any any eq domain
access-list 101 permit udp any any eq domain
access-list 101 deny icmp any any echo
access-list 101 deny ip any any log
access-list 102 remark Traffic allowed to enter the router from the Ethernet
access-list 102 permit ip any host 192.168.1.254
access-list 102 deny ip any host 192.168.1.255
access-list 102 deny udp any any eq tftp log
access-list 102 deny ip any 0.0.0.0 0.255.255.255 log
access-list 102 deny ip any 10.0.0.0 0.255.255.255 log
access-list 102 deny ip any 127.0.0.0 0.255.255.255 log
access-list 102 deny ip any 169.254.0.0 0.0.255.255 log
access-list 102 deny ip any 172.16.0.0 0.15.255.255 log
access-list 102 deny ip any 192.0.2.0 0.0.0.255 log
access-list 102 deny ip any 192.168.0.0 0.0.255.255 log
access-list 102 deny ip any 198.18.0.0 0.1.255.255 log
access-list 102 deny udp any any eq 135 log
access-list 102 deny tcp any any eq 135 log
access-list 102 deny udp any any eq netbios-ns log
access-list 102 deny udp any any eq netbios-dgm log
access-list 102 deny tcp any any eq 445 log
access-list 102 permit tcp any any eq domain
access-list 102 permit udp any any eq domain
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 permit ip any host 255.255.255.255
access-list 102 deny ip any any log
dialer-list 1 protocol ip permit
no cdp run
!
!
!
control-plane
!
bridge 1 route ip
!
line con 0
no modem enable
line aux 0
line vty 0 4
access-class 2 in
login local
transport input telnet ssh
!
scheduler max-task-time 5000
end
Thank you !!
08-09-2012 09:26 AM
I am on the way out the door myself....but I noticed you have an ACL on your interface, and I do not see any lines that allow smtp traffic. At the end of any ACL there is an implicit deny all.
I would take the ACL off to confirm, and if it does work, put the acl back on then modify the config to allow smtp traffic.
You have an ACL 101, but I do not see it on any interface.
Add:
access-list 102 permit tcp any any eq smtp
See:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080100548.shtml
Good luck, let us know if that worked!
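An added example, not part of the original posts: a first-match evaluation of ACL 102 as posted, with the suggested `permit tcp any any eq smtp` line placed where IOS puts a new numbered-ACL entry (the end of the list). The helper names `ip`, `take_addr` and `first_match` are hypothetical, and 173.194.77.108 is the smtp.gmail.com address from the ping output later in the thread.

```python
import ipaddress
# ACL 102 as posted (log keyword dropped). The last line is the suggested addition:
# IOS appends a new entry to a numbered ACL after the existing ones.
ACL_102 = """\
permit ip any host 192.168.1.254
deny ip any host 192.168.1.255
deny udp any any eq tftp
deny ip any 0.0.0.0 0.255.255.255
deny ip any 10.0.0.0 0.255.255.255
deny ip any 127.0.0.0 0.255.255.255
deny ip any 169.254.0.0 0.0.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.0.2.0 0.0.0.255
deny ip any 192.168.0.0 0.0.255.255
deny ip any 198.18.0.0 0.1.255.255
deny udp any any eq 135
deny tcp any any eq 135
deny udp any any eq netbios-ns
deny udp any any eq netbios-dgm
deny tcp any any eq 445
permit tcp any any eq domain
permit udp any any eq domain
permit ip 192.168.1.0 0.0.0.255 any
permit ip any host 255.255.255.255
deny ip any any
permit tcp any any eq smtp
""".splitlines()
PORTS = {"tftp": 69, "domain": 53, "netbios-ns": 137, "netbios-dgm": 138, "smtp": 25}

def ip(a):
    return int(ipaddress.IPv4Address(a))

def take_addr(tok):
    # Consume "any", "host A" or "A WILDCARD"; return (base, wildcard bits).
    first = tok.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    return (ip(tok.pop(0)), 0) if first == "host" else (ip(first), ip(tok.pop(0)))

def first_match(acl, proto, src, dst, dport=None):
    # The first matching entry wins; if nothing matches, the implicit deny applies.
    for n, line in enumerate(acl, 1):
        tok = line.split()
        action, aproto = tok.pop(0), tok.pop(0)
        (sb, sw), (db, dw) = take_addr(tok), take_addr(tok)
        port = int(PORTS.get(tok[1], tok[1])) if tok[:1] == ["eq"] else None
        if (aproto in ("ip", proto) and port in (None, dport)
                and not ((ip(src) ^ sb) & ~sw | (ip(dst) ^ db) & ~dw) & 0xFFFFFFFF):
            return n, action, line
    return None, "deny", "implicit deny"
```

For the device in the thread, `first_match(ACL_102, "tcp", "192.168.1.10", "173.194.77.108", 25)` returns entry 19 (`permit ip 192.168.1.0 0.0.0.255 any`). Entry 22 is never reached, because entry 21 (`deny ip any any`) matches every remaining packet first.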
08-11-2012 02:18 AM
I added the line to the access list, but no luck. The debug shows me the below messages:
*Mar 1 09:12:00.543: IP: s=192.168.1.10 (BVI1), d=192.168.1.254, len 60, input feature, MCI Check(64), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Mar 1 09:12:00.543: IP: s=192.168.1.10 (BVI1), d=192.168.1.254, len 60, input feature, TCP Adjust MSS(66), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Mar 1 09:12:00.547: IP: tableid=0, s=192.168.1.10 (BVI1), d=192.168.1.254 (BVI1), routed via RIB
*Mar 1 09:12:00.547: IP: s=192.168.1.10 (BVI1), d=192.168.1.254 (BVI1), len 60, output feature, NAT Inside(7), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Mar 1 09:12:00.547: IP: s=192.168.1.10 (BVI1), d=192.168.1.254 (BVI1), len 60, output feature, Stateful Inspection(20), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Mar 1 09:12:00.547: IP: s=192.168.1.10 (BVI1), d=192.168.1.254 (BVI1), len 60, rcvd 3
*Mar 1 09:12:00.547: IP: s=192.168.1.10 (BVI1), d=192.168.1.254, len 60, stop process pak for forus packet
*Mar 1 09:12:00.547: IP: s=192.168.1.10 (BVI1), d=192.168.1.254, len 60, enqueue feature, Firewall(3), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Mar 1 09:12:00.547: IP: s=192.168.1.10 (BVI1), d=192.168.1.254, len 60, enqueue feature, TCP Adjust MSS(4), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Mar 1 09:12:00.567: IP: s=192.168.1.10 (BVI1), d=192.168.1.254, len 60, input feature, Stateful Inspection(4), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Mar 1 09:12:00.567: IP: s=192.168.1.10 (BVI1), d=192.168.1.254, len 60, input feature, Virtual Fragment Reassembly(21), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Mar 1 09:12:00.567: IP: s=192.168.1.10 (BVI1), d=192.168.1.254, len 60, input feature, Access List(26), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Mar 1 09:12:00.567: IP: s=192.168.1.10 (BVI1), d=192.168.1.254, len 60, input feature, Virtual Fragment Reassembly After IPSec Decryption(32), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
08-11-2012 05:37 AM
I would try to remove the acl on the bvi interface and remove the cbac config from the dialer and test again. If this works, put cbac back on and test. If it still works and then the problem returns after putting the acl back on the bvi, then the problem is obviously in the acl...we'll just need to find where it's at.
HTH,
John
08-11-2012 07:05 AM
I also assumed all other network related functions work, the only problem is with your email right?
I just tried to resolve smtp.google.com, it would not resolve.
No match for domain "SMTP.GOOGLE.COM".
C:\Documents and Settings\jimmy>nslookup
Default Server: cdns2.cox.net
Address: 68.105.28.12
> gmail.smtp.com
Server: cdns2.cox.net
Address: 68.105.28.12
Non-authoritative answer:
Name: gmail.smtp.com
Address: 72.215.225.9
> smtp.google.com
Server: cdns2.cox.net
Address: 68.105.28.12
*** cdns2.cox.net can't find smtp.google.com: Non-existent domain
Perhaps testing with smtp.google.com is not recommended as they use smtp.gmail.com (from what I have read this morning), I do not use that server myself.
http://support.google.com/mail/bin/answer.py?hl=en&answer=13287
C:\Documents and Settings\jimmy>ping smtp.gmail.com
Pinging gmail-smtp-msa.l.google.com [173.194.77.108] with 32 bytes of data:
Reply from 173.194.77.108: bytes=32 time=70ms TTL=47
Reply from 173.194.77.108: bytes=32 time=70ms TTL=47
Ping statistics for 173.194.77.108:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 70ms, Maximum = 70ms, Average = 70ms
Control-C
^C
C:\Documents and Settings\jimmy>ping smtp.google.com
Ping request could not find host smtp.google.com. Please check the name and try
again.
So before we say your SMTP isn't working, let's test with a known good server, which you might have already, but want to be sure. And also confirm all other network functions work (can you browse from pc)?
11-24-2014 05:41 AM
Hi All,
I have the same problem that egeorgopoulos faced.
I have tried all the things except reverse DNS, because on my other mail server there is no reverse DNS setup although it's working properly.
But for this particular mail server (we have put a backup server in our scenario), we have used a router and switch only (no firewall).
But from the mail server, the command
telnet smtp-gmail-in.l.google.com 25
is not getting connected....that is the main problem; due to this I am not able to send any mail towards outside domains.
When I tried the traceroute command from the mail server,
traceroute -n -T -p 25 gmail-smtp-in.l.google.com
it just does not go beyond the gateway of my public IP address.
CAN ANYONE HELP ME OUT....
THANKS IN ADVANCE....
08-12-2012 09:08 AM
I tried the way you mentioned, but again I couldn't send any email through the device. It's really weird, as this device was tested on another network and was able to send emails successfully. So, there should be something else with the config. Do you want me to send you any specific debug log?
08-12-2012 09:29 AM
Hi,
The symptoms you've just described might not be a network/router config related issue. Try to check if your MX server has a reverse DNS entry or if it's blacklisted.
Sent from Cisco Technical Support iPhone App
08-12-2012 09:31 AM
Does all other networking function work?
Are you trying with smtp.google.com as you previously said you were? While I do not use google/gmail, smtp.google.com should never work because it does not resolve.
> smtp.google.com
Server: cdns2.cox.net
Address: 68.105.28.12
*** cdns2.cox.net can't find smtp.google.com: Non-existent domain
No specific debug yet. Temporarily, take the ACL off the bvi interface and test. Don't forget to reapply after your test. If it still does not work, it's a client configuration. If it does work, issue is in your acl.
08-12-2012 10:12 AM
I tried the SMTP server you said (gmail-smtp-msa.l.google.com), but couldn't send any mails. I may have to check the configuration of the client, by trying other SMTP servers.
08-12-2012 10:33 AM
No, I just said that it appears if you are testing with smtp.google.com, that might be a bad way to test as that name does not resolve. Just want to make sure we understand each other. So first I would verify with a known good smtp server, and if that does not work (and you do have network connectivity) then temporarily disable the ACL.
You can telnet port 25 also by this:
On a DOS box try:
telnet smtp.gmail.com 25
I was able to see this (I did connect to port 25 however):
220 mx.google.com ESMTP nv6sm3644843pbc.42
502 5.5.1 Unrecognized command. nv6sm3644843pbc.42
502 5.5.1 Unrecognized command. nv6sm3644843pbc.42
Also you could verify your ISP is not blocking port 25, some do.
Good luck