Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
688
Views
0
Helpful
7
Replies

Allowing HTTp and IMAP on 1700 router

Go to solution
talc88888
Level 1
Level 1

‎11-18-2005 09:23 AM - edited ‎03-03-2019 11:00 AM

Hi,

I need help to allow outside traffic (http and imap) to my mail server. The internal ip address to the server is 192.168.1.1 and the external address is xxx.xxx.xxx.xxy

the internal address to the router is 192.168.1.254 and the external address is xxx.xxx.xxx.xyy

Attached is the current config file. I thought that I did the right thing but it is not working.

VPN, SMTP and POP3 traffic works fine.

Any idea what I need to do to make this work?

Thanks

Labels:
Preview file
6 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Richard Burts
Hall of Fame
Hall of Fame
In response to talc88888

‎11-21-2005 12:59 PM

Aziz

your use of xxx.xxx to obscure the addresses being used makes it a bit difficult to tell. But it looks to me like you are saying that the first address in the log message is your address on the router and the second address is the external resource that you are trying to get to. This seems a bit backwards.

In an extended access list the first address is the source address and the second address is the destination address. If access list 131 is applied inbound the first address (source) should be the external resource and the second address (destination) should be the address on your router. So my advice is to look at the access list and at the addresses being used, look at the log entry at the addresses there, and figure what is not matching as it should.

HTH

Rick

HTH

Rick

View solution in original post

0 Helpful
7 Replies 7

Go to solution
Richard Burts
Hall of Fame
Hall of Fame

‎11-18-2005 10:02 AM

Aziz

My first assumption was that the problem was with the access list. I see that you have access list 131 examining inbound traffic. I see in access list permit statements for tcp www and for tcp 143. These should permit http and imap - assuming that you have the correct address for the destination. The access list has a log parameter for the deny at the end of the access list. So when someone attempts http or imap could you look in the logs and see if there are entries for that traffic. These entries should give us some understanding of what is not working as expected.

HTH

Rick

HTH

Rick
0 Helpful

Go to solution
talc88888
Level 1
Level 1
In response to Richard Burts

‎11-18-2005 08:00 PM

Thanks Rick. How can check the logs?

0 Helpful

Go to solution
Richard Burts
Hall of Fame
Hall of Fame
In response to talc88888

‎11-19-2005 12:28 PM

Aziz

The answer to how to check the logs depends on how your router is set up. By default the log messages go to the console. If there is a terminal connected to the console you may see the log messages there. By default the log messages also go to the log monitor. If you telent to the router, go to privilege mode, and enter the command terminal monitor, then you should see the log messages in your telnet session.

In addition to the default places there are some other logging options that you may use. If you have configured logging buffered, then you should see the log messages by using the command show log. Also if you have enabled logging to a syslog server then you may be able to see the log messages on the server.

HTH

Rick

HTH

Rick
0 Helpful

Go to solution
talc88888
Level 1
Level 1
In response to Richard Burts

‎11-21-2005 12:38 PM

Thanks

Looks like the traffic was blocked

4d02h: %SEC-6-IPACCESSLOGP: list 131 denied tcp xxx.xxx.xxx.yyy(1904) -> xxx.xxx.xxx.xxy(80), 1 packet

xxx.xxx.xxx.yyy is my external address and xx.xxx.xxx.xxy is the external address that I'm trying to access via www.

Any suggestions on what to do?

Thanks

0 Helpful

Go to solution
Richard Burts
Hall of Fame
Hall of Fame
In response to talc88888

‎11-21-2005 12:59 PM

Aziz

your use of xxx.xxx to obscure the addresses being used makes it a bit difficult to tell. But it looks to me like you are saying that the first address in the log message is your address on the router and the second address is the external resource that you are trying to get to. This seems a bit backwards.

In an extended access list the first address is the source address and the second address is the destination address. If access list 131 is applied inbound the first address (source) should be the external resource and the second address (destination) should be the address on your router. So my advice is to look at the access list and at the addresses being used, look at the log entry at the addresses there, and figure what is not matching as it should.

HTH

Rick

HTH

Rick
0 Helpful

Go to solution
talc88888
Level 1
Level 1
In response to Richard Burts

‎11-21-2005 01:22 PM

Sorry for the confusion but the first address is my addres on the router and the second is the external address trying to access www.

Again, sorry for hiding the addreses.

I'm not really versed in cisco routerts as you can tell.

The attached file (see first post) has the config file.

I will try to look at this again and see what is really going on.

0 Helpful

Go to solution
talc88888
Level 1
Level 1

‎12-02-2005 09:48 AM

Thanks Rick. The issue is solved with your help.

The problem was that the access list want not in the correct order and IMAP and WWW traffic were blocked.

So Rick suggested to move them above in the access list and that solved the problem.

Cheers

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card