Allowing HTTP and IMAP on 1700 router

Answered Question
Nov 18th, 2005

Hi,

I need help to allow outside traffic (http and imap) to my mail server. The internal IP address of the server is 192.168.1.1 and the external address is xxx.xxx.xxx.xxy.

The internal address of the router is 192.168.1.254 and the external address is xxx.xxx.xxx.xyy.

Attached is the current config file. I thought that I did the right thing but it is not working.

VPN, SMTP and POP3 traffic works fine.

Any idea what I need to do to make this work?

Thanks





Richard Burts Fri, 11/18/2005 - 10:02
Aziz


My first assumption was that the problem was with the access list. I see that you have access list 131 examining inbound traffic. I see in the access list permit statements for tcp www and for tcp 143. These should permit http and imap, assuming that you have the correct address for the destination. The access list has a log parameter for the deny at the end of the access list. So when someone attempts http or imap, could you look in the logs and see if there are entries for that traffic? These entries should give us some understanding of what is not working as expected.


HTH


Rick

Richard Burts Sat, 11/19/2005 - 12:28
Aziz


The answer to how to check the logs depends on how your router is set up. By default the log messages go to the console. If there is a terminal connected to the console you may see the log messages there. By default the log messages also go to the log monitor. If you telnet to the router, go to privileged mode, and enter the command terminal monitor, then you should see the log messages in your telnet session.


In addition to the default places there are some other logging options that you may use. If you have configured logging buffered, then you should see the log messages by using the command show log. Also if you have enabled logging to a syslog server then you may be able to see the log messages on the server.


HTH


Rick

talc88888 Mon, 11/21/2005 - 12:38

Thanks


Looks like the traffic was blocked



4d02h: %SEC-6-IPACCESSLOGP: list 131 denied tcp xxx.xxx.xxx.yyy(1904) -> xxx.xxx.xxx.xxy(80), 1 packet


xxx.xxx.xxx.yyy is my external address and xxx.xxx.xxx.xxy is the external address that I'm trying to access via www.


Any suggestions on what to do?

Thanks


Correct Answer
Richard Burts Mon, 11/21/2005 - 12:59
Aziz


Your use of xxx.xxx to obscure the addresses being used makes it a bit difficult to tell. But it looks to me like you are saying that the first address in the log message is your address on the router and the second address is the external resource that you are trying to get to. This seems a bit backwards.


In an extended access list the first address is the source address and the second address is the destination address. If access list 131 is applied inbound, the first address (source) should be the external resource and the second address (destination) should be the address on your router. So my advice is to look at the access list and at the addresses being used, look at the addresses in the log entry, and figure out what is not matching as it should.


HTH


Rick

talc88888 Mon, 11/21/2005 - 13:22

Sorry for the confusion, but the first address is my address on the router and the second is the external address trying to access www.


Again, sorry for hiding the addresses.


I'm not really versed in Cisco routers, as you can tell.

The attached file (see first post) has the config file.


I will try to look at this again and see what is really going on.

talc88888 Fri, 12/02/2005 - 09:48

Thanks Rick. The issue is solved with your help.

The problem was that the access list was not in the correct order, and IMAP and WWW traffic were blocked.

So Rick suggested moving them up in the access list, and that solved the problem.


Cheers
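Added example, not part of the thread and not the poster's attached config (which is not on this page): a small Python model of what the three technical points above come down to. It parses a subset of IOS numbered extended ACL syntax, evaluates it first-match the way the router does, reads a %SEC-6-IPACCESSLOGP line as source first and destination second (Rick's point about the log entry), and flags entries that an earlier line shadows (the ordering problem that turned out to be the cause). The ACL contents, the assumption that list 131 is applied inbound on the outside interface, and the addresses (RFC 5737 documentation ranges, 203.0.113.10 standing in for the server's external address) are all constructed for the example.

```python
"""Constructed IOS-style extended ACL model (not the thread's attached config).
Supported syntax subset: access-list N permit|deny PROTO SRC [eq PORT] DST [eq PORT] [log]
where SRC/DST is 'any', 'host A', or 'A WILDCARD' with a contiguous wildcard mask."""
import ipaddress
import re
from typing import NamedTuple, Optional

PORT_NAMES = {"www": 80, "smtp": 25, "pop3": 110, "imap": 143}  # IOS keywords used here (assumed subset)


class Packet(NamedTuple):
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class Entry(NamedTuple):
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sport: Optional[int]
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    log: bool
    text: str


def _addr(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD'; a wildcard is the inverse of a netmask."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    netmask = ipaddress.ip_address(int(ipaddress.ip_address(tokens.pop(0))) ^ 0xFFFFFFFF)
    return ipaddress.ip_network((t, str(netmask)), strict=False)


def _port(tokens):
    """Consume an optional 'eq PORT'; other port operators are not modelled."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        name = tokens.pop(0)
        return PORT_NAMES.get(name) or int(name)
    return None


def parse_entry(line):
    tokens = line.split()
    if tokens[:1] != ["access-list"]:
        raise ValueError(f"not an access-list line: {line}")
    action, proto, rest = tokens[2], tokens[3], tokens[4:]
    src, sport = _addr(rest), _port(rest)
    dst, dport = _addr(rest), _port(rest)
    return Entry(action, proto, src, sport, dst, dport, "log" in rest, line)


def parse_acl(text):
    return [parse_entry(l) for l in text.strip().splitlines() if l.strip()]


def evaluate(acl, pkt):
    """First match wins; None means the implicit 'deny ip any any' at the end."""
    for e in acl:
        if e.proto not in ("ip", pkt.proto):
            continue
        if ipaddress.ip_address(pkt.src) not in e.src or ipaddress.ip_address(pkt.dst) not in e.dst:
            continue
        if e.sport not in (None, pkt.sport) or e.dport not in (None, pkt.dport):
            continue
        return e
    return None


def verdict(acl, pkt):
    e = evaluate(acl, pkt)
    return (e.action, e.text) if e else ("deny", "implicit deny ip any any")


def shadowed(acl):
    """Entries that can never match because an earlier entry covers every packet they describe."""
    out = []
    for i, e in enumerate(acl):
        for prior in acl[:i]:
            if (prior.proto in ("ip", e.proto) and e.src.subnet_of(prior.src) and e.dst.subnet_of(prior.dst)
                    and prior.sport in (None, e.sport) and prior.dport in (None, e.dport)):
                out.append(e)
                break
    return out


LOG_RE = re.compile(r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
                    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packet")


def parse_log(line):
    """An IPACCESSLOGP line names the source first and the destination second, as the ACL saw them."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError(f"not an IPACCESSLOGP line: {line}")
    return Packet(m["proto"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]))


# Constructed ACL: the www and 143 permits sit below 'deny ip any any log', so they never match.
BROKEN = parse_acl("""
access-list 131 permit tcp any host 203.0.113.10 eq smtp
access-list 131 permit tcp any host 203.0.113.10 eq pop3
access-list 131 deny ip any any log
access-list 131 permit tcp any host 203.0.113.10 eq www
access-list 131 permit tcp any host 203.0.113.10 eq 143
""")
FIXED = [BROKEN[0], BROKEN[1], BROKEN[3], BROKEN[4], BROKEN[2]]  # permits moved above the logged deny

# Constructed log line in the format quoted in the thread; 198.51.100.7 is the outside client.
LOG_LINE = "4d02h: %SEC-6-IPACCESSLOGP: list 131 denied tcp 198.51.100.7(1904) -> 203.0.113.10(80), 1 packet"

if __name__ == "__main__":
    pkt = parse_log(LOG_LINE)
    print("packet from log:", pkt)
    print("broken ACL :", verdict(BROKEN, pkt))
    print("shadowed   :", [e.text for e in shadowed(BROKEN)])
    print("fixed ACL  :", verdict(FIXED, pkt))
    # Reading the log with the addresses swapped describes a packet no permit line covers.
    print("reversed   :", verdict(FIXED, Packet("tcp", pkt.dst, pkt.dport, pkt.src, pkt.sport)))
```

The shadow check is a sufficient condition only (same-or-broader protocol, superset source and destination, unconstrained or equal ports), so it reports the unreachable permits in BROKEN and nothing in FIXED; it will not catch an entry covered only by the union of several earlier lines.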
