Description : connected to My ISP Router FOR INTERNET Connection. .
IP Address of this Interface : 126.96.36.199 / 255.255.255.248
2. Fast Ethernet 0 /1 :-
Description : connected to My Cisco Switch For Connect devices
IP Address of this Interface : 188.8.131.52 / 255.255.255.248.
The Access List which implemented on it : ip access-group 103 out
The IP Schema for My Company which the ISP Has assign it to me was the following :-
< First Network > :-
Which is assign only to the Interface F0/0 :-
< 184.108.40.206 ? UP TO 220.127.116.11 >
< Second Network >
Which is assign only to the Interface F0/1 :-
< 18.104.22.168 ? UP TO 22.214.171.124 > .
The Route for My traffic is < IP Route 0.0.0.0 0.0.0.0 126.96.36.199 > .
The Cable which is getting out from Interface F 0 / 1, is plugged in UNMANAGED Switch in Port 2 to connect other devices with Network 2 like My Firewall and MY CEO PC under real IP as well .
The FIREWALL Called Fortigate and its configuration as following:-
First Nic :-
IP : 188.8.131.52
SM : 255.255.255.248
GW : 184.108.40.206.
IP Address : 192.168.1.00
SM : 255.255.255.0
All the Users in My LAN Configured to use the FW as NAT , and all of them are configured with it?s as GATEWAY.
Our E-mail Server is Hosted Out side, and we are using the POP3 & SMTP to access it. We do not have exchange server at all,
POP3 : 220.127.116.11
SMTP : 18.104.22.168
There is No any Restriction at all on the Firewall to disable any traffic or stop any thing at all, and every thing is Open in the Inbound & Outbound interfaces on the Firewall.
1 PC is located not behind the firewall at all, but they are located behind the Interface F 0 / 1 .
The setting of this PC as following :-
< IP : 22.214.171.124 ? SM : 255.255.255.248 ? GW : 126.96.36.199 ? DNS : 188.8.131.52 > .
This User is reported to me that, he is unable to download his E-mails through POP3, but able to send using SMTP.
All the other users who using Firewall, able to send and receive using POP3 & SMTP without any Problem at all.
He is only the one who have this Problem.
Even if I change the IP and put any other IP from the Second Network, we found the same Problem.
The Access List as following :-
access-list 103 permit tcp any host 184.108.40.206 eq smtp.
access-list 103 permit tcp any host 220.127.116.11 eq pop3.
access-list 1 permit 18.104.22.168 0.0.0.7.
access-list 1 permit 22.214.171.124 0.0.0.7.
access-list 103 permit ip any any.
if you look to the first access list, it meaning like that :
The Router have an extended access list called 103, to permit the TCP Protocol, on Port 25 from any source to this Destination 126.96.36.199 only, as if the POP3 Server & SMTP Server is 188.8.131.52. while this is not the situation at all.
And the same but for POP3.
And I open every thing on Protocol IP From any where to any where .
1- Now, could be the Problem of this user who is using Real IP behind Interface F 0 /1 , the first access list ?
Because its only open smtp for this host only 184.108.40.206 , which is MY FIREWALL ?
Could it be ?
But in the same time, I enable or I open every thing on this access list , so I am getting confused .
2- what will happen if I wrote a special Access-list to enable only this IP like that :-
Access-list 103 permit tcp host 220.127.116.11 any eq SMTP
Access-list 103 Permit tcp host 18.104.22.168 any eq POP3.
3- or should I wrote an access-list to open the POP3 Server which is 22.214.171.124 to this user only like that :-
If the access list 103 is as you post this access list does nothing. The permit ip any any at the end with no deny statements above it is the same as not putting in a access list.
I would remove access list 103 and see what happens. I suspect you will see no difference.
Since the firewall works and a pc on the same net does not I would look at the pc configuration.
Your 2 permit statements look backwards since you indicate that your pop and smtp server are external to you. The statements you have would mean that the firewall would appear as the smtp or pop server. Of course it could be natted to another inside server but you say it is outside.
access-list 103 permit tcp any eq smtp host 126.96.36.199
access-list 103 permit tcp any eq pop3 host 188.8.131.52
These statement would allow return traffic to client from a server on the outside. Since the 184.108.40.206 address represents a client machine I assume these ports are generally random.
The above is not your issue since you have a permit ip any any after it but if plan on denying any traffic in the future you will need to revise your access list.
The sample you give in #3 is closer to correct but this would need to be applied inbound and not outbound on fa 0/1.
I really don't think your access list is your issue.
Question We run asr9001 with XR 6.1.3, and we have a very long delay to
login w/ SSH 1 or 2 to the device compare to IOS device. After
investigation, the there is 1s delay between the client KEXDH_INIT and
the server (XR) KEXDH_REPLY. After debug ssh serv...
Introduction The purpose of this document is to demonstrate the Open
Shortest Path First (OSPF) behavior when the V-bit (Virtual-link bit) is
present in a non-backbone area. The V-bit is signaled in Type-1 LSA only
if the router is the endpoint of one or ...
Hi, I am seeing quite a few issues with patch install and wanted to
share my experience and workaround to this. Login to admin via CLI, then
access root with the “shell” command Issue “df –h” and you’ll probably
see the following directory full or nearly ...