ACL - Please Help?

Unanswered Question
Jan 16th, 2008

For some reason I cannot make connections to IMAP4, IMAP, or IMAPSSL from outside the Firewall. SMTP, HTTP, etc. portmappings/ACLs are working fine.

I have the appropriate portmappings in place and have the acl allowed. The internal IMAP server is When I do a show ip nat trans I get:

tcp 69.x.x.242:993

So I know the connection is getting made. Please help if you have the slightest bit of advice.

Edison Ortiz Wed, 01/16/2008 - 13:01

Nothing glaring as to what's the problem in your config.

A couple of questions: 1) Can you remove the ACL from the external interface as a troubleshooting step and see if you can get an IMAP session? If so, we need to examine the ACL a lot further.

2) I noticed in your outgoing ACL you have a permit ip any any. What's the point of having the ACL at all?

networksavvy Wed, 01/16/2008 - 13:23

I greatly appreciate your response. I can remove it this evening after everyone is gone from the office.

I thought someone would catch that. :) Our Director previously had a SonicWall FW that had very simple firewall settings. The VPN/FW would hang up nearly every week and I got tired of resetting it. I insisted that we get a small Cisco 1841 to replace it.

I used many of these at my previous company and touted their ease and stability. Well, the same thing was occurring on the outgoing. SMTP was being blocked some kind of way going out for and So - I had to allow all to get it working. I figured I would tweak it later... but now this is happening as well.

I feel kind of stupid now because I convinced my supervisor to order this 1841 and now I can't get something so easy to work.

I will remove it this evening and let you know.


Edison Ortiz Wed, 01/16/2008 - 13:32

If the ACL removal (and please keep in mind, this is temporary) doesn't do it, then perhaps the NAT needs some tweaking.

I suggest changing the interface fastethernet0/1 portion and enter the ip address of the interface instead on the static nat statement. With the ip address, you have the option to use extendable after entering the dst tcp port.

networksavvy Wed, 01/16/2008 - 22:11

Removed it and everything was fine. I am at a loss. I can try to change to ip instead of interface tomorrow at lunch. Any other suggestions? Thanks in advance.

Note: that document was what I used to configure the last 3 NATs on a few routers.

Edison Ortiz Thu, 01/17/2008 - 06:11

You removed the ACL and everything worked as expected? If so, the problem is with the ACL and not NAT.

networksavvy Thu, 01/17/2008 - 12:29

Isn't my ACL fairly simple and straightforward? Can anyone see what's going on here? I have hammered at this for days and cannot seem to find the flaw.

Edison Ortiz Thu, 01/17/2008 - 13:01

You still have not answered my question. When you removed the ACL, were you able to connect via IMAP? Perhaps you have to add udp in addition to tcp for those ports.

networksavvy Thu, 01/17/2008 - 13:43

Ok - this is weird. I removed ip access-group INBOUND in from int f0/1 and when I used

to check 993, 143, and 220 it showed closed. But, when I checked 80, 25, and 3389 they still showed opened.

So no, the ports do not open (only for these few) when I removed the ACL from that interface.

PS - UDP any x.102 was already opened. I went ahead and added udp for each of the servers on incoming. Still no go.

Keep in mind - there are no other firewalls here and I am able to telnet, , smtp, imap, etc into the server from within the lan just fine.

networksavvy Fri, 01/18/2008 - 11:12

Any recommendations? I am about to have to send this router back over this. We have email clients/smart phones that are not able to make a connection now. Please help.

Edison Ortiz Fri, 01/18/2008 - 11:50

Use the ip address and extendable in the NAT statement as I recommended before.

networksavvy Fri, 01/18/2008 - 14:13

ip nat inside source static tcp 143 69.x.x.242 143 extendable
ip nat inside source static tcp 585 69.x.x.242 585 extendable
ip nat inside source static tcp 993 69.x.x.242 993 extendable

Still showing closed. Tested and no connection made. Anything else?


Edison Ortiz Fri, 01/18/2008 - 16:34

Please post the output from typing show ip nat translation along with the new config.

networksavvy Tue, 01/22/2008 - 14:16

Here is the show ip nat trans:

Pro Inside global Inside local Outside local Outside global
tcp 69.x.x.242:80
tcp 69.x.x.242:80
tcp 69.x.x.242:80
tcp 69.x.x.242:80
tcp 69.x.x.242:80
tcp 69.x.x.242:80 --- ---
tcp 69.x.x.242:88 --- ---
udp 69.x.x.242:1034
udp 69.x.x.242:1034
tcp 69.x.x.242:1494
tcp 69.x.x.242:1494
tcp 69.x.x.242:1494
tcp 69.x.x.242:1494
tcp 69.x.x.242:1494
tcp 69.x.x.242:1494
tcp 69.x.x.242:1494 --- ---
tcp 69.x.x.242:2716
tcp 69.x.x.242:3058
tcp 69.x.x.242:3062
tcp 69.x.x.242:4314
tcp 69.x.x.242:1648
tcp 69.x.x.242:49255
tcp 69.x.x.242:443 --- ---
tcp 69.x.x.242:143 --- ---
tcp 69.x.x.242:585 --- ---
tcp 69.x.x.242:993 --- ---
tcp 69.x.x.242:2000
tcp 69.x.x.242:2106

Of course there are thousands of others, because everything else is working for 80, 1491 (Citrix ICA), etc. I just thought I would snap the area of the PAT reservations that shows the '---' entries.

Here is the current running config:

Again, thank you so much for your assistance. Without your dedicated help -- I would be lost!

Edison Ortiz Tue, 01/22/2008 - 15:28

tcp 69.x.x.242:143 --- ---
tcp 69.x.x.242:585 --- ---
tcp 69.x.x.242:993 --- ---

The NAT output looks correct. Can you verify the device has the default gateway pointing to this router?

Is it happening just with this device?
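The NAT table posted above separates static port reservations (rows ending in '--- ---', which exist whether or not anyone has connected) from live translations that prove traffic reached a mapping. The following is an added example, not code from any participant in the thread: it automates that reading over a constructed sample of show ip nat translations output, using documentation addresses and hypothetical inside hosts, and also flags static mappings that expose ports nobody meant to publish.

```python
"""Audit Cisco IOS 'show ip nat translations' output (added example).
Static port mappings show '---' in the Outside local/global columns and
exist whether or not anyone connected; rows with real outside addresses
are live translations. SAMPLE_OUTPUT uses documentation addresses only."""

SAMPLE_OUTPUT = """\
Pro Inside global         Inside local        Outside local          Outside global
tcp 203.0.113.242:80      192.168.1.102:80    198.51.100.20:51514    198.51.100.20:51514
tcp 203.0.113.242:80      192.168.1.102:80    ---                    ---
tcp 203.0.113.242:88      192.168.1.102:88    ---                    ---
tcp 203.0.113.242:143     192.168.1.102:143   ---                    ---
tcp 203.0.113.242:585     192.168.1.102:585   ---                    ---
tcp 203.0.113.242:993     192.168.1.102:993   ---                    ---
tcp 203.0.113.242:1494    192.168.1.110:1494  198.51.100.33:40021    198.51.100.33:40021
udp 203.0.113.242:1034    192.168.1.102:1034  198.51.100.40:1034     198.51.100.40:1034
"""

def parse_translations(text):
    """Yield (proto, inside-global port, is_static) for each data row."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] not in ("tcp", "udp"):
            continue  # header line or a row shape we do not understand
        proto, inside_global, _inside_local, out_local, out_global = fields
        port = int(inside_global.rsplit(":", 1)[1])
        yield proto, port, out_local == "---" and out_global == "---"

def audit(text, expected_tcp_ports):
    """Per expected TCP port: is a static mapping present, how many live
    translations were seen; plus static TCP mappings for unexpected ports."""
    report = {p: {"static": False, "active": 0} for p in expected_tcp_ports}
    unexpected = set()
    for proto, port, is_static in parse_translations(text):
        if proto != "tcp":
            continue
        if port not in report:
            if is_static:
                unexpected.add(port)
        elif is_static:
            report[port]["static"] = True
        else:
            report[port]["active"] += 1
    return report, sorted(unexpected)

if __name__ == "__main__":
    rep, extra = audit(SAMPLE_OUTPUT, [80, 143, 585, 993])
    for port, r in sorted(rep.items()):
        state = "static mapping present" if r["static"] else "NO STATIC MAPPING"
        print(f"tcp/{port}: {state}, {r['active']} live translation(s)")
    print("static mappings for ports outside the expected list:", extra)
```

A mapping that is present but never shows a live translation, as with 143, 585 and 993 in the thread, points at filtering or routing in front of or behind the router rather than at the NAT statement itself.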
