Cisco 3640 problem

[cenedra37]

Hi

I am asking this on behalf of my hubby who is trying to configure the above router to receive emails but is having problems. He can send emails out but can't receive inbound emails, he says that he can ping in. He is tearing his hear out at the moment, any ideas what the problem may be?

many thanks

 

[heraldstorm]

Cenedra-
Without having any details, it's hard to say. I would first estimate that this is some sort of Firewall or ACL problem. He needs to make sure that the email service port is allowed to pass traffic to the email server. He also needs to make sure that if firewalling is enabled, that the proper ports are forwarding properly (and NATting if that is being used). More detail on the configuration of the router would be great!

 

[cenedra37]

Hi Heraldstorm, thanks very much for your reply, further to your comments I can also tell you that we can ping through the 3640 to the pix firewall behind, secure shell has been set up up on the pix but ther server times out while trying to attach. a port scan shows the ports are listening but no traffic gets to the internal network or if it does get to the internal network it doesn't come back out again

 

[heraldstorm]

OK, so far I can tell you've got a setup like this:
+ WAN/Internet
|
+ Cisco 3640
|
+ Pix device
|
+ Internal LAN

The first thing you need to specify is whether the SMTP server is on a private address block or a public address block. Second, you need to specify all NAT points (Is your husband trying to NAT on the router as well as the Pix, only on the Pix, etc). Can you ping from the WAN/Internet all the way into the Internal LAN, or does it stop at the PIX outside interface?
Basically, I'm trying to isolate where the (ping) connection from the outside is blocked. From there, we can start looking at port-specific routing and firewalling.

 

[cenedra37]

hi

answers:
it's a private address block
nat on the pix
external range used for fast ethernet connection and external interface of pix, pix doing all static nat translation to internal network.
ping stops at pix

does this help?

 

[heraldstorm]

Excellent work! Now we know that the problem is at your PIX firewall, not on the Router. In your original post, you mentioned that he can send emails out, but cannot receive them. (I am assuming that you are talking about an email server not a client here. If that's not the case, disregard everything below) He needs to verify his NAT rules for his SMTP server. He'll need a state-based rule to allow this. He needs to make sure that the PIX will forward all responses to outgoing requests on port 25 to the SMTP server. To be clear, this is what's happening. You're sending email, which is sending packets to an address on the internet on port 25, and you are initiating the connection. When you are receiving email, a computer on the internet is initiating a connection to your server's port 25. The PIX needs to have a rule to forward any traffic destined to port 25 to your email server on the private LAN. Hope that helps!

 

[cenedra37]

thanks herald, thanks for all your help! I've told my husband and he says that it is an email server but that he's already got the state based rule set up as you suggested, he's therefore still at a loss to understand what's gone wrong! Never mind, you've been a great help so once again thanks

 

[KiscoKid]

Best way forward here is to post router and PIX configurations you have to date inc. the IP address of the internal mail server.