ACL - Please Help?

networksavvy
Level 1

For some reason I cannot make connections to IMAP4, IMAP, or IMAPSSL from outside the Firewall. SMTP, HTTP, etc. port mappings/ACLs are working fine.

I have the appropriate port mappings in place and have the ACL allowed. The internal IMAP server is 10.1.3.102. When I do a show ip nat trans I get:

tcp 69.x.x.242:993 10.1.3.102:993 70.2.11.232:37481 70.2.11.232:37481

So I know the connection is getting made. Please help if you have the slightest bit of advice.


Edison Ortiz
Hall of Fame

Nothing glaring as to what's the problem in your config.

Couple of questions: 1) Can you remove the ACL from the external interface as a troubleshooting step and see if you can get an IMAP session? If so, we need to examine the ACL a lot further.

2) I noticed in your outgoing ACL you have a permit ip any any. What's the point of having the ACL at all ?

___

Edison.

I greatly appreciate your response. I can remove it this evening after everyone is gone from the office.

I thought someone would catch that. :) Our Director previously had a SonicWall FW that had very simple firewall settings. The VPN/FW would hang up nearly every week and I got tired of resetting it. I insisted that we get a small Cisco 1841 to replace it.

I used many of these at my previous company and touted their ease and stability. Well, the same thing was occurring on the outgoing. SMTP was being blocked some kind of way going out for 10.1.3.102 and 10.1.3.104. So - I had to allow all to get it working. I figured I would tweak it later... but now this is happening as well.

I feel kind of stupid now because I convinced my supervisor to order this 1841 and now I can't get something so easy to work.

I will remove it this evening and let you know.

Thanks!

If the ACL removal (and please keep in mind, this is temporary) doesn't do it, then perhaps the NAT needs some tweaking.

I suggest changing the interface fastethernet0/1 portion and enter the ip address of the interface instead on the static nat statement. With the ip address, you have the option to use extendable after entering the dst tcp port.

http://www.cisco.com/en/US/technologies/tk648/tk361/tk438/technologies_white_paper09186a0080091cb9.html

Removed it and everything was fine. I am at a loss. I can try to change to ip instead of interface tomorrow at lunch. Any other suggestions? Thanks in advance.

Note: that document was what I used to configure the last 3 NATs on a few routers.

You removed the ACL and everything worked as expected ? If so, the problem is with the ACL and not NAT.

__

Edison.

Isn't my ACL fairly simple and straightforward? Can anyone see what's going on here? I have hammered this for days and cannot seem to find the flaw here.

You still have not answered my question. When you removed the ACL, were you able to connect via IMAP? Perhaps you have to add udp in addition to tcp for those ports.

Ok - this is weird. I removed ip access-group INBOUND in from int f0/1 and when I used http://www.yougetsignal.com/openPortsTool/ to check 993, 143, and 220 it showed closed. But, when I checked 80, 25, and 3389 they still showed opened.

So no, the ports do not open (only for these few) when I removed the ACL from that interface.

PS - UDP any x.102 was already opened. I went ahead and added udp for each of the servers on incoming. Still no go.

Keep in mind - there are no other firewalls here and I am able to telnet, smtp, imap, etc. into the 10.1.3.102 server from within the LAN just fine.

Any recommendations? I am about to have to send this router back over this. We have email clients/smart phones that are not able to make a connection now. Please help.

Use the ip address and extendable in the NAT statement as I recommended before.

ip nat inside source static tcp 10.1.3.102 143 69.x.x.242 143 extendable

ip nat inside source static tcp 10.1.3.102 585 69.x.x.242 585 extendable

ip nat inside source static tcp 10.1.3.102 993 69.x.x.242 993 extendable
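For reference, a minimal configuration in the shape Edison describes, added here as an example and not the running config from the thread. The interface names, the ACL name INBOUND, the IMAP host 10.1.3.102 and the 69.x.x.242 placeholder are taken from the thread; the LAN/WAN addresses, the masks and the exact permit list are assumptions. The one point worth spelling out is the order of operations: for a packet arriving on the outside interface, IOS evaluates the inbound ACL before NAT, so the ACL must match the public (inside global) address, never 10.1.3.102.

```ios
! Added example, not the thread's running config.  Interface names, the ACL
! name INBOUND, the IMAP host 10.1.3.102 and the 69.x.x.242 placeholder are
! from the thread; LAN/WAN addresses, masks and the permit list are assumed.
interface FastEthernet0/0
 description LAN (address assumed)
 ip address 10.1.3.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 description WAN (mask assumed)
 ip address 69.x.x.242 255.255.255.252
 ip nat outside
 ip access-group INBOUND in
!
! Static PAT with the public address written out, as suggested above.
ip nat inside source static tcp 10.1.3.102 143 69.x.x.242 143 extendable
ip nat inside source static tcp 10.1.3.102 585 69.x.x.242 585 extendable
ip nat inside source static tcp 10.1.3.102 993 69.x.x.242 993 extendable
!
! Inbound ACL on the outside interface is checked BEFORE translation, so it
! must name the inside global address.  A line such as
! "permit tcp any host 10.1.3.102 eq 143" can never match here.
ip access-list extended INBOUND
 remark IMAP / IMAP-SSL / port 585 to the mail server
 permit tcp any host 69.x.x.242 eq 143
 permit tcp any host 69.x.x.242 eq 585
 permit tcp any host 69.x.x.242 eq 993
 remark the forwards the thread says already work
 permit tcp any host 69.x.x.242 eq smtp
 permit tcp any host 69.x.x.242 eq www
 remark stateless allowance for replies to outbound sessions (assumed policy)
 permit tcp any any established
 deny   ip any any log
```

While a client connects from outside, watch the match counters with `show ip access-lists INBOUND`: a permit line whose counter stays at zero was never matched (wrong address or port in the ACL), whereas a climbing counter together with an active row for 10.1.3.102:993 in `show ip nat translations` means the packet passed the router and the problem is behind it (the service not listening, the server's default gateway, or a host firewall). The closing `deny ip any any log` is the opposite of the `permit ip any any` Edison queried earlier: an ACL that ends in permit-all filters nothing.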

Still showing closed. Tested and no connection made. Anything else?

Thanks

Please post the output from typing show ip nat translation along with the new config.

Here is the show ip nat trans:

Pro Inside global Inside local Outside local Outside global
tcp 69.x.x.242:80 10.1.3.2:80 64.90.2.238:4422 64.90.2.238:4422
tcp 69.x.x.242:80 10.1.3.2:80 68.213.162.98:10789 68.213.162.98:10789
tcp 69.x.x.242:80 10.1.3.2:80 208.14.229.1:48817 208.14.229.1:48817
tcp 69.x.x.242:80 10.1.3.2:80 208.99.195.54:54556 208.99.195.54:54556
tcp 69.x.x.242:80 10.1.3.2:80 208.99.195.54:65173 208.99.195.54:65173
tcp 69.x.x.242:80 10.1.3.2:80 --- ---
tcp 69.x.x.242:88 10.1.3.6:88 --- ---
udp 69.x.x.242:1034 10.1.3.6:1034 10.2.3.6:161 10.2.3.6:161
udp 69.x.x.242:1034 10.1.3.6:1034 10.2.3.7:161 10.2.3.7:161
tcp 69.x.x.242:1494 10.1.3.6:1494 24.254.61.213:4302 24.254.61.213:4302
tcp 69.x.x.242:1494 10.1.3.6:1494 68.225.103.142:55345 68.225.103.142:55345
tcp 69.x.x.242:1494 10.1.3.6:1494 68.227.73.226:1627 68.227.73.226:1627
tcp 69.x.x.242:1494 10.1.3.6:1494 69.2.38.8:8286 69.2.38.8:8286
tcp 69.x.x.242:1494 10.1.3.6:1494 69.152.242.186:1054 69.152.242.186:1054
tcp 69.x.x.242:1494 10.1.3.6:1494 72.150.38.69:50853 72.150.38.69:50853
tcp 69.x.x.242:1494 10.1.3.6:1494 --- ---
tcp 69.x.x.242:2716 10.1.3.8:2716 64.86.106.99:21 64.86.106.99:21
tcp 69.x.x.242:3058 10.1.3.16:3058 66.245.187.32:80 66.245.187.32:80
tcp 69.x.x.242:3062 10.1.3.16:3062 70.183.191.121:80 70.183.191.121:80
tcp 69.x.x.242:4314 10.1.3.16:4314 206.51.26.33:3101 206.51.26.33:3101
tcp 69.x.x.242:1648 10.1.3.19:1648 205.128.92.124:80 205.128.92.124:80
tcp 69.x.x.242:49255 10.1.3.40:49255 168.98.65.51:25 168.98.65.51:25
tcp 69.x.x.242:443 10.1.3.52:443 --- ---
tcp 69.x.x.242:143 10.1.3.102:143 --- ---
tcp 69.x.x.242:585 10.1.3.102:585 --- ---
tcp 69.x.x.242:993 10.1.3.102:993 --- ---
tcp 69.x.x.242:2000 10.1.3.127:2000 209.8.115.135:80 209.8.115.135:80
tcp 69.x.x.242:2106 10.1.3.127:2106 77.242.193.133:80 77.242.193.133:80

of course there are thousands of others because everything else is working for 80, 1491 (Citrix ICA), etc. I just thought I would snap the area of the PAT reservations that show the '---' area.

Here is the current running config:

Again, thank you so much for your assistance. Without your dedicated help -- I would be lost!
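When the translation table runs to thousands of rows, picking out the static mappings that nothing has reached is easier with a script than by eye. The following parser is an added example, not code from the thread; SAMPLE is a constructed excerpt modelled on the table posted above (the 69.x.x.242 placeholder is kept as the poster wrote it) and deliberately includes one entry the terminal wrapped onto a second line, since that is how the output pasted here arrived. A row with `--- ---` in the outside columns is the static mapping itself; a mapping is "idle" when no other row shares its protocol, inside global and inside local values.

```python
"""Parse `show ip nat translations` output and list static PAT mappings that
currently have no session through them.

Added example, not code from the thread.  SAMPLE is a constructed excerpt
modelled on the table posted above, including one entry that the terminal
wrapped onto a second line.
"""
import re
from collections import defaultdict

SAMPLE = """\
Pro Inside global      Inside local       Outside local         Outside global
tcp 69.x.x.242:80      10.1.3.2:80        64.90.2.238:4422      64.90.2.238:4422
tcp 69.x.x.242:80      10.1.3.2:80        68.213.162.98:10789   68.213.162.98:1078
9
tcp 69.x.x.242:80      10.1.3.2:80        ---                   ---
udp 69.x.x.242:1034    10.1.3.6:1034      10.2.3.6:161          10.2.3.6:161
tcp 69.x.x.242:143     10.1.3.102:143     ---                   ---
tcp 69.x.x.242:585     10.1.3.102:585     ---                   ---
tcp 69.x.x.242:993     10.1.3.102:993     ---                   ---
"""

PROTO_RE = re.compile(r"^(tcp|udp|icmp)\s", re.IGNORECASE)
NO_PEER = "---"


def unwrap(text):
    """Join lines the terminal wrapped.

    A line that does not start with a protocol keyword is the tail of the
    previous entry (the lone '9' in SAMPLE); it is glued back on with no
    separator because the wrap happened inside a single field.
    """
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Pro "):
            continue                      # blank line or column header
        if PROTO_RE.match(line) or not rows:
            rows.append(line)
        else:
            rows[-1] += line
    return rows


def parse(text):
    """Return one dict per translation entry, keyed by the five columns."""
    fields = ("proto", "inside_global", "inside_local",
              "outside_local", "outside_global")
    entries = []
    for row in unwrap(text):
        parts = row.split()
        if len(parts) != len(fields):
            continue                      # malformed row: skip rather than guess
        entries.append(dict(zip(fields, parts)))
    return entries


def summarize(entries):
    """Map each (proto, inside global, inside local) mapping to the set of
    outside peers that currently have a session through it.

    A '---' row is the static mapping itself, so it creates the key but
    contributes no peer.
    """
    peers = defaultdict(set)
    for e in entries:
        key = (e["proto"], e["inside_global"], e["inside_local"])
        _ = peers[key]                    # make sure the key exists
        if e["outside_global"] != NO_PEER:
            peers[key].add(e["outside_global"])
    return dict(peers)


def idle_static_mappings(entries):
    """Static mappings with zero active sessions: the '---' rows that no
    other row shares a key with.  These are the forwards to test from
    outside, because nothing has reached them yet."""
    statics = {(e["proto"], e["inside_global"], e["inside_local"])
               for e in entries if e["outside_global"] == NO_PEER}
    active = summarize(entries)
    return sorted(k for k in statics if not active[k])


if __name__ == "__main__":
    for key in idle_static_mappings(parse(SAMPLE)):
        print("no session through", *key)
```

Run against the real table, the script reports exactly the three 10.1.3.102 forwards, while the port-80 mapping, which also has a `--- ---` row, is not reported because other rows show peers using it. Keep in mind what an entry does and does not prove: an active row (like the 993 session from 70.2.11.232 in the first post) shows the packet was accepted and translated by the router, not that the server behind it answered.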

tcp 69.x.x.242:143 10.1.3.102:143 --- ---

tcp 69.x.x.242:585 10.1.3.102:585 --- ---

tcp 69.x.x.242:993 10.1.3.102:993 --- ---

The NAT output looks correct. Can you verify the device 10.1.3.102 has the default gateway pointing to this router?

Is it happening just with this device ?

__

Edison.
