Help Mail Is Not Being Forwarded Via Cisco 837

Chiper69

IS-IT--Management
Feb 24, 2004
6
AU
Hi Everyone,
I have a Cisco 837 ADSL router. I have it connected to our network switch, which has an MS Exchange mail server connected to it. I have opened up SMTP on the Cisco and set rules to forward all SMTP traffic to it. However, when I run an MX records test it can't connect to the Cisco; it keeps saying Failed To Connect. I can't ping the unit, but I assume this is because pings are being dropped. I have enabled the basic firewall using the SDM. Please help, I am new to this Cisco stuff.

I have the following
Rule Permitting TCP/IP SMTP to TCP/IP SMTP from any ip address to the ip address of my mail server.

I have the SMTP enabled under the applications part.

I have permit SMTP traffic under the default SDM Rules.

Please explain any request to me as I am not familiar with Cisco commands and only have used the SDM. At the moment our mail is bouncing so help is needed urgently.

Thanks
 
You would need to provide the config. Without that we can't see what is causing the problem.

Chris.

**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
 
**************************l#sh ver***********************************************
ll#sh ver
Cisco Internetwork Operating System Software
IOS (tm) C837 Software (C837-K9O3Y6-M), Version 12.3(2)XC, EARLY DEPLOYMENT RELE
ASE SOFTWARE (fc1)
Synched to technology version 12.3(1.6)T
TAC Support: »Copyright (c) 1986-2003 by cisco Systems, Inc.
Compiled Thu 25-Sep-03 10:33 by ealyon
Image text-base: 0x800131E8, data-base: 0x80B928E0

ROM: System Bootstrap, Version 12.2(8r)YN, RELEASE SOFTWARE (fc1)
ROM: C837 Software (C837-K9O3Y6-M), Version 12.3(2)XC, EARLY DEPLOYMENT RELEASE
SOFTWARE (fc1)

uptime is 6 days, 23 hours, 54 minutes
System returned to ROM by power-on
System image file is "flash:c837-k9o3y6-mz.123-2.XC.bin"

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
»
If you require further assistance please contact us by sending email to
export@cisco.com.

CISCO C837 (MPC857DSL) processor (revision 0x400) with 44237K/4915K bytes of mem
ory.
Processor board ID AMB08040JQ8 (619328809), with hardware revision 0000
CPU rev number 7
Bridging software.
1 Ethernet/IEEE 802.3 interface(s)
4 FastEthernet/IEEE 802.3 interface(s)
1 ATM network interface(s)
128K bytes of non-volatile configuration memory.
12288K bytes of processor board System flash (Read/Write)
2048K bytes of processor board Web flash (Read/Write)

Configuration register is 0x2102

**************************l#sh run***********************************************
Where:
mailSrvIP: Internal IP address of the Exchange mail server
CiscoIPLan: Internal IP address of the Cisco 837 router
CiscoIPWan: External IP address of the Cisco 837 router
LanSubNet: Internal subnet, i.e. 10.0.0 -> This is not what my internal subnet is, just an example

l#sh run
Building configuration...

Current configuration : 5956 bytes
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname DataRemoved
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
Data Removed Secret
!
Data Removed User Name
clock timezone PCTimeZone 10
no aaa new-model
ip subnet-zero
no ip source-route
ip tcp synwait-time 10
ip domain name Data Removed
ip name-server 139.134.5.51
ip name-server 139.134.2.190
!
!
no ip bootp server
ip cef
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 smtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip inspect name DEFAULT100 icmp
ip inspect name sdm_ins_in_100 cuseeme
ip inspect name sdm_ins_in_100 ftp
ip inspect name sdm_ins_in_100 h323
ip inspect name sdm_ins_in_100 netshow
ip inspect name sdm_ins_in_100 rcmd
ip inspect name sdm_ins_in_100 realaudio
ip inspect name sdm_ins_in_100 rtsp
ip inspect name sdm_ins_in_100 smtp audit-trail on
ip inspect name sdm_ins_in_100 sqlnet
ip inspect name sdm_ins_in_100 streamworks
ip inspect name sdm_ins_in_100 tftp
ip inspect name sdm_ins_in_100 tcp
ip inspect name sdm_ins_in_100 udp
ip inspect name sdm_ins_in_100 vdolive
ip inspect name sdm_ins_in_100 icmp
ip audit notify log
ip audit po max-events 100
ip ssh time-out 60
ip ssh authentication-retries 2
no ftp-server write-enable
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key 0 re address 129.168.4.2
!
!
crypto ipsec transform-set SDM_TRANSFORMSET_1 esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to 129.168.4.2
set peer 129.168.4.2
set transform-set SDM_TRANSFORMSET_1
match address 100
!
!
!
!
interface Ethernet0
description $FW_INSIDE$$ETH-LAN$
ip address CiscoIPLan CiscoIPLanNetMask
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip route-cache flow
ip tcp adjust-mss 1452
no cdp enable
crypto map SDM_CMAP_1
hold-queue 100 out
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
description Telstra Internet Direct ADSL
pvc 8/35
pppoe-client dial-pool-number 1
!
!
interface FastEthernet1
no ip address
duplex auto
speed auto
!
interface FastEthernet2
no ip address
duplex auto
speed auto
!
interface FastEthernet3
no ip address
duplex auto
speed auto
!
interface FastEthernet4
no ip address
duplex auto
speed auto
!
interface Async1
no ip address
!
interface Dialer0
description $FW_OUTSIDE$
ip address CiscoIPWan CiscoIPWANNetmask
ip access-group 102 in
ip mtu 1452
ip nat outside
ip inspect sdm_ins_in_100 in
ip inspect DEFAULT100 out
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname Removed
ppp chap password Removed
!
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp mailSrvIP 25 CiscoIPWan 25 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
ip http authentication local
ip http secure-server
!
logging trap debugging
access-list 1 remark INSIDE_IF=Ethernet0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit LanSubNet.0 0.0.0.255
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip LanSubNet.0 0.0.0.255 LanSubnet.0 0.0.0.255
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit ahp host 129.168.4.2 host CiscoIPLan
access-list 101 permit esp host 129.168.4.2 host CiscoIPLan
access-list 101 permit udp host 129.168.4.2 host CiscoIPLan eq isakmp
access-list 101 permit udp host 129.168.4.2 host CiscoIPLan eq non500-isakmp
access-list 101 remark IPSec Rule
access-list 101 permit ip LanSubNet.0 0.0.0.255 LanSubNet.0 0.0.0.255
access-list 101 deny ip 165.228.218.0 0.0.0.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 deny ip LanSubNet.0 0.0.0.255 any
access-list 102 remark SMTP
access-list 102 permit tcp any host CiscoIPWan eq smtp log
access-list 102 permit icmp any host CiscoIPWan echo-reply
access-list 102 permit icmp any host CiscoIPWan time-exceeded
access-list 102 permit icmp any host CiscoIPWan unreachable
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 deny ip 172.16.0.0 0.15.255.255 any
access-list 102 deny ip 192.168.0.0 0.0.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 deny ip host 255.255.255.255 any
access-list 102 deny ip host 0.0.0.0 any
access-list 102 deny ip any any log
dialer-list 1 protocol ip permit
no cdp run
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
no modem enable
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler interval 500
!
end

Thanks for your help!!!!! I'm under the pump here to get this working ASAP!!!!
 
When you try to connect inbound to your SMTP server, try doing a 'show ip nat trans' on your router to make sure that the translation is set up and also a 'show access-list 102' to see if you get a hit on the correct rule.

Chris.


**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
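
An offline version of the two checks suggested above, added here as an example and not code from the thread: it looks up the static NAT entry and walks access-list 102 in first-match order for an inbound TCP/25 connection. The addresses are constructed documentation values standing in for the poster's CiscoIPWan, mailSrvIP and LanSubNet placeholders, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample: ACL 102 and the static NAT line from the posted config,
# with the placeholders replaced by documentation addresses (assumptions).
WAN, MAIL = "203.0.113.10", "10.0.0.5"
CONFIG = f"""\
ip nat inside source static tcp {MAIL} 25 {WAN} 25 extendable
access-list 102 remark SMTP
access-list 102 deny ip 10.0.0.0 0.0.0.255 any
access-list 102 permit tcp any host {WAN} eq smtp log
access-list 102 deny ip any any log
"""
PORTS = {"smtp": 25}  # only the port name this ACL uses

def take_addr(tok):
    """Consume 'any', 'host A' or 'A WILDCARD' (contiguous wildcards only)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}"), tok[2:]

def first_match(config, acl, proto, src, dst, dport):
    """Return (action, line) for the first entry of `acl` matching the packet."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line in config.splitlines():
        tok = line.split()
        if tok[:2] != ["access-list", acl] or tok[2] == "remark":
            continue
        snet, rest = take_addr(tok[4:])
        dnet, rest = take_addr(rest)
        if tok[3] not in ("ip", proto) or s not in snet or d not in dnet:
            continue
        if rest[:1] == ["eq"] and (PORTS.get(rest[1]) or int(rest[1])) != dport:
            continue
        return tok[2], line
    return "deny", "(implicit deny)"  # IOS ends every ACL with deny ip any any

def static_nat_target(config, proto, dst, dport):
    """Inside (ip, port) that outside dst:dport is statically translated to."""
    for line in config.splitlines():
        tok = line.split()
        if tok[:5] == ["ip", "nat", "inside", "source", "static"] and len(tok) >= 10:
            if (tok[5], tok[8], int(tok[9])) == (proto, dst, dport):
                return tok[6], int(tok[7])
    return None

def check_inbound(config, src, dport=25):  # verdict, matching line, NAT target
    action, line = first_match(config, "102", "tcp", src, WAN, dport)
    return action, line, static_nat_target(config, "tcp", WAN, dport)
```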
 