11-18-2005 09:23 AM - edited 03-03-2019 11:00 AM
Hi,
I need help to allow outside traffic (HTTP and IMAP) to my mail server. The internal IP address of the server is 192.168.1.1 and the external address is xxx.xxx.xxx.xxy.
The internal address of the router is 192.168.1.254 and the external address is xxx.xxx.xxx.xyy.
Attached is the current config file. I thought that I did the right thing but it is not working.
VPN, SMTP and POP3 traffic works fine.
Any idea what I need to do to make this work?
Thanks
11-18-2005 10:02 AM
Aziz
My first assumption was that the problem was with the access list. I see that you have access list 131 examining inbound traffic. I see in access list permit statements for tcp www and for tcp 143. These should permit http and imap - assuming that you have the correct address for the destination. The access list has a log parameter for the deny at the end of the access list. So when someone attempts http or imap could you look in the logs and see if there are entries for that traffic. These entries should give us some understanding of what is not working as expected.
HTH
Rick
11-18-2005 08:00 PM
Thanks Rick. How can I check the logs?
11-19-2005 12:28 PM
Aziz
The answer to how to check the logs depends on how your router is set up. By default the log messages go to the console. If there is a terminal connected to the console you may see the log messages there. By default the log messages also go to the log monitor. If you telnet to the router, go to privilege mode, and enter the command terminal monitor, then you should see the log messages in your telnet session.
In addition to the default places there are some other logging options that you may use. If you have configured logging buffered, then you should see the log messages by using the command show log. Also if you have enabled logging to a syslog server then you may be able to see the log messages on the server.
HTH
Rick
11-21-2005 12:38 PM
Thanks
Looks like the traffic was blocked:
4d02h: %SEC-6-IPACCESSLOGP: list 131 denied tcp xxx.xxx.xxx.yyy(1904) -> xxx.xxx.xxx.xxy(80), 1 packet
xxx.xxx.xxx.yyy is my external address and xxx.xxx.xxx.xxy is the external address that I'm trying to access via www.
Any suggestions on what to do?
Thanks
11-21-2005 12:59 PM
Aziz
Your use of xxx.xxx to obscure the addresses being used makes it a bit difficult to tell. But it looks to me like you are saying that the first address in the log message is your address on the router and the second address is the external resource that you are trying to get to. This seems a bit backwards.
In an extended access list the first address is the source address and the second address is the destination address. If access list 131 is applied inbound the first address (source) should be the external resource and the second address (destination) should be the address on your router. So my advice is to look at the access list and at the addresses being used, look at the log entry at the addresses there, and figure what is not matching as it should.
HTH
Rick
11-21-2005 01:22 PM
Sorry for the confusion, but the first address is my address on the router and the second is the external address trying to access www.
Again, sorry for hiding the addresses.
I'm not really versed in Cisco routers, as you can tell.
The attached file (see first post) has the config file.
I will try to look at this again and see what is really going on.
12-02-2005 09:48 AM
Thanks Rick. The issue is solved with your help.
The problem was that the access list was not in the correct order and IMAP and WWW traffic were blocked.
So Rick suggested moving them up in the access list and that solved the problem.
Cheers
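The two points Rick makes in this thread (the first address in an extended ACL entry and in the %SEC-6-IPACCESSLOGP message is the source, the second is the destination; and an extended ACL is evaluated top-down with the first matching entry winning, so a permit placed below a broad deny never fires) can be checked offline. The following Python is an added example written for this thread, not code from the original posts or from Cisco. It parses a log line of the format shown above, models a constructed version of access list 131 in the order the poster described (permits for SMTP and POP3, then "deny ip any any log", then the HTTP and IMAP permits below it), reports which entries are shadowed by an earlier entry, and moves them above the entry that shadows them. The addresses (203.0.113.10 as the outside client, 198.51.100.5 as the router's outside address) are RFC 5737 documentation addresses substituted for the poster's obscured ones, and the ACL contents are an assumption, since the attached config is not on the page.

```python
import re
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed log line in the %SEC-6-IPACCESSLOGP format quoted in the thread.
# Addresses are documentation ranges, not the poster's real ones.
SAMPLE_LOG = ("4d02h: %SEC-6-IPACCESSLOGP: list 131 denied tcp "
              "203.0.113.10(1904) -> 198.51.100.5(80), 1 packet")

LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packet")


def parse_ipaccesslog(line: str) -> Optional[dict]:
    """Split an IPACCESSLOGP message into fields; first address is the source,
    second is the destination, as Rick explains in the thread."""
    m = LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    for key in ("sport", "dport", "count"):
        d[key] = int(d[key])
    return d


@dataclass(frozen=True)
class Ace:
    """One access control entry of an extended numbered ACL."""
    action: str                      # "permit" or "deny"
    proto: str                       # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network       # "any" is 0.0.0.0/0, "host X" is X/32
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None      # None means any destination port


ANY = ipaddress.IPv4Network("0.0.0.0/0")
ROUTER_OUTSIDE = ipaddress.IPv4Network("198.51.100.5/32")  # assumed address

# Assumed reconstruction of list 131 as originally posted: the HTTP and IMAP
# permits sit below the logging deny, so they can never match.
ACL_131_AS_POSTED = [
    Ace("permit", "tcp", ANY, ROUTER_OUTSIDE, 25),    # smtp
    Ace("permit", "tcp", ANY, ROUTER_OUTSIDE, 110),   # pop3
    Ace("deny", "ip", ANY, ANY),                      # deny ip any any log
    Ace("permit", "tcp", ANY, ROUTER_OUTSIDE, 80),    # www, shadowed
    Ace("permit", "tcp", ANY, ROUTER_OUTSIDE, 143),   # imap, shadowed
]


def matches(ace: Ace, proto: str, src: str, dst: str, dport: int) -> bool:
    return ((ace.proto == "ip" or ace.proto == proto)
            and ipaddress.ip_address(src) in ace.src
            and ipaddress.ip_address(dst) in ace.dst
            and (ace.dport is None or ace.dport == dport))


def evaluate(acl, proto: str, src: str, dst: str, dport: int):
    """First-match evaluation; returns (action, 1-based entry number) or
    ("deny", None) for the implicit deny at the end of every ACL."""
    for n, ace in enumerate(acl, start=1):
        if matches(ace, proto, src, dst, dport):
            return ace.action, n
    return "deny", None


def covers(a: Ace, b: Ace) -> bool:
    """True if every packet b could match is already matched by a."""
    return ((a.proto == "ip" or a.proto == b.proto)
            and (a.dport is None or a.dport == b.dport)
            and b.src.subnet_of(a.src) and b.dst.subnet_of(a.dst))


def shadowed(acl):
    """[(j, i)] pairs (0-based) where entry j is unreachable because the
    earlier entry i covers everything j would match."""
    found = []
    for j, later in enumerate(acl):
        for i, earlier in enumerate(acl[:j]):
            if covers(earlier, later):
                found.append((j, i))
                break
    return found


def reorder_shadowed(acl):
    """Move each shadowed entry directly above the entry that shadows it,
    keeping the relative order of everything else (Rick's fix)."""
    moves = dict(shadowed(acl))  # shadowed index -> blocking index
    fixed = []
    for i, ace in enumerate(acl):
        if i in moves:
            continue  # re-inserted just before its blocker below
        fixed.extend(acl[j] for j in sorted(moves) if moves[j] == i)
        fixed.append(ace)
    return fixed


if __name__ == "__main__":
    entry = parse_ipaccesslog(SAMPLE_LOG)
    print("log:", entry)
    print("as posted:", evaluate(ACL_131_AS_POSTED, entry["proto"],
                                 entry["src"], entry["dst"], entry["dport"]))
    print("shadowed entries:", shadowed(ACL_131_AS_POSTED))
    fixed = reorder_shadowed(ACL_131_AS_POSTED)
    print("after reorder:", evaluate(fixed, "tcp", entry["src"],
                                     entry["dst"], entry["dport"]))
```

Run as a script it shows the posted ordering denying the HTTP packet at entry 3 (the "deny ip any any log" line, which is also the entry that produced the log message) and permitting it once the two shadowed permits are moved above that deny; the `shadowed()` check is the quick way to spot this class of mistake in a longer ACL before traffic is tested.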