Strange network problem

Anatoly Fedchik · ‎01-11-2012

Help me pls,

Clients cant connect any more to pop.gmail.com/995, at the same time from another vlan the same network, connection can be established without any problem(from Windows server). Clients can connect to other mail servers on port 995 or 587 without any problem except gmail. What can be the problem?

...

interface FastEthernet0/0

description Link to ISP

ip address 89.x.x.x 255.255.255.252

ip access-group FW in

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat outside

ip virtual-reassembly

duplex auto

speed auto

no cdp enable

interface FastEthernet0/1

no ip address

duplex auto

speed auto

!

interface FastEthernet0/1.3

encapsulation dot1Q 3

ip address 192.168.3.1 255.255.255.0

ip nat inside

ip virtual-reassembly

!

interface FastEthernet0/1.7

encapsulation dot1Q 7

ip address 192.168.7.1 255.255.255.0

ip nat inside

ip virtual-reassembly

interface FastEthernet0/1.10

encapsulation dot1Q 10 native

ip address 192.168.10.1 255.255.255.0

ip nat inside

ip virtual-reassembly

ip nat inside source list 50 interface FastEthernet0/0 overload

ip nat inside source static tcp 192.168.7.3 25 89.X.X.X 25 extendable

ip nat inside source static tcp 192.168.7.3 443 89.X.X.X 443 extendable

ip nat inside source static tcp 192.168.7.3 587 89.X.X.X 587 extendable

ip nat inside source static tcp 192.168.7.3 995 89.X.X.X 995 extendable

ip nat inside source static tcp 192.168.7.3 3389 89.X.X.X 7777 extendable

ip route 0.0.0.0 0.0.0.0 89.X.X.X

ip access-list extended FW

permit tcp any host 89.X.X.X eq 22

permit tcp any host 89.X.X.X established

permit udp any host 89.X.X.X eq ntp

permit tcp any host 89.X.X.X eq 587

permit udp any any gt 1024

permit tcp any host 89.X.X.X eq 7777

permit udp any host 89.X.X.X eq domain

permit tcp any host 89.X.X.X eq 995

permit tcp any host 89.X.X.X eq smtp

permit tcp any host 89.X.X.X eq 443

deny ip any any log

access-list 50 permit 192.168.10.0 0.0.0.255

access-list 50 permit 192.168.3.0 0.0.0.255

access-list 50 permit 192.168.7.0 0.0.0.255

Ton V Engelen · ‎01-11-2012

Hi,

can you test from a client if: telnet pop.gmail.com 995 works from a dos box?

I m asking this because yesterday i spend 2 hours looking for a network issue with pop.gmail.com, and in the end it turned out to be Google blocking this user account.

telnet pop.gmail.com 995 was working when i troubeshooted and futher checks did not seem point to a problem in our network.

Anatoly Fedchik · ‎01-11-2012

Hello,

I tested it.

No, It dont work. Only from the server i can connect to pop.gmail.com 995. From client it return an error(cant connect).

From the router everything is ok.

#telnet 173.194.69.108 995 /source-interface fastEthernet 0/1.3
Trying 173.194.69.108, 995 ... Open

Ton V Engelen · ‎01-11-2012

Hi, ok.

my guess the clients are in subnet 192.168.7 and in what subnet is the windows server? 192.168.3 ?

And can you check

- show ip nat statistics

- show ip nat translations

Anatoly Fedchik · ‎01-12-2012

The problem was in ESW-520 image 2.1.16. I configured unused port on the switch the same way and now everything is ok even gmail. And strange thing after I perform cold restart of the switch the problem is persistant on the previous port, but new configured port is ok. There is another image 2.1.19 and maybe new image will be ok. I'll try to upgrade the switch. Does any one knows what happens with switch's configuration after upgrade?

Ton V Engelen · ‎01-12-2012

Hi

glad you found the issue. I was thinking maybe the nat translation table got messed up.

The config should be no problem after upgrade but you should check the rel. notes to see if any command is changed (or superseded) If so, i can impact the config.

Good luck.

willymaldonado1 · ‎04-13-2012

Usually the configuration gets tranfer onto your new IOS ver.. recently I have upgraded a router end that was the case... you might get ask if you want to save the config. from the oldr ver.; however you might want to back-up your config. file..

Best regards

Willy

Starfish · ‎04-13-2012

Is your problem resolved now?

If not, go to Quality of service > advanced mode > policy binding and delete the access ports of the switch.

Restart outlook and then try, it should work.