
SMTP Mail Delivery through Router


PQDave (Technical User; joined May 18, 2004; 4 messages; location: GB)
I have a Cisco 837 Broadband router which I am trying to configure to pass smtp mail through on port 25 to our internal mail server. Below is a list of the router configuration and I cannot see why the mail is not getting through. The mail server has a private ip address only and the only public ip address is on the router. Any help would be much appreciated. Thanks

Building configuration...

Current configuration : 6431 bytes
!
version 12.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Router
!
logging queue-limit 100
no logging buffered
logging console critical
enable secret 5 $1$FyBq$2e/bMUIBbkWTibw.gAetO0
!
username Router privilege 15 password 7 04480E1419245E
username CRWS_Prem privilege 15 password 7 125D5453255A0A256E247527001032125645535401080903075F
clock timezone PCTimeZone 0
ip subnet-zero
no ip source-route
ip tcp synwait-time 10
ip domain name username
ip name-server 158.152.1.58
ip name-server 158.152.1.43
ip dhcp excluded-address 192.168.0.100
ip dhcp excluded-address 192.168.0.50 192.168.0.254
ip dhcp excluded-address 192.168.0.150
ip dhcp excluded-address 192.168.0.50
!
ip dhcp pool sdm-pool1
network 192.168.0.0 255.255.255.0
default-router 192.168.0.100
!
ip dhcp pool CLIENT
default-router 192.168.0.100
dns-server 158.152.1.58 158.152.1.43
lease 0 2
!
!
no ip bootp server
ip cef
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 smtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip inspect name DEFAULT100 icmp
ip audit notify log
ip audit po max-events 100
ip ssh time-out 60
ip ssh authentication-retries 2
no ftp-server write-enable
!
!
!
!
!
!
!
interface Ethernet0
description $FW_INSIDE$CRWS Generated text. Please do not delete this:192.168.0.100-255.255.255.0
ip address 192.168.0.100 255.255.255.0
ip access-group 100 in
ip access-group 122 out
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip route-cache flow
ip tcp adjust-mss 1452
no ip mroute-cache
no cdp enable
hold-queue 100 out
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no ip mroute-cache
atm vc-per-vp 64
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode auto
!
interface Dialer1
description $FW_OUTSIDE$
ip address negotiated
ip access-group 101 in
ip mtu 1492
ip nat outside
ip inspect DEFAULT100 out
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname username
ppp chap password 7 141E010E1B053E7B37
ppp pap sent-username username password 7 000D0003135A1F561C
hold-queue 224 in
!
ip nat inside source list 102 interface Dialer1 overload
ip nat inside source static tcp 192.168.0.50 25 interface Dialer1 25
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
ip http authentication local
ip http secure-server
!
logging trap debugging
logging 192.168.0.6
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip host 255.255.255.255 any
access-list 100 permit tcp any eq smtp any eq smtp
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 permit tcp any any eq smtp
access-list 101 permit tcp any any eq telnet
access-list 101 permit icmp any any administratively-prohibited
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any packet-too-big
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any traceroute
access-list 101 permit icmp any any unreachable
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 permit udp any eq bootps any eq bootps
access-list 101 permit udp any eq domain any
access-list 101 permit esp any any
access-list 101 permit udp any any eq isakmp
access-list 101 permit udp any any eq 10000
access-list 101 permit tcp any any eq 1723
access-list 101 permit tcp any any eq 139
access-list 101 permit udp any any eq netbios-ns
access-list 101 permit udp any any eq netbios-dgm
access-list 101 permit gre any any
access-list 101 deny ip any any
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
access-list 111 permit tcp any any eq smtp
access-list 111 permit tcp any any eq www
access-list 111 permit tcp any any eq telnet
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any traceroute
access-list 111 permit icmp any any unreachable
access-list 111 permit udp any eq bootps any eq bootpc
access-list 111 permit udp any eq bootps any eq bootps
access-list 111 permit udp any eq domain any
access-list 111 permit esp any any
access-list 111 permit udp any any eq isakmp
access-list 111 permit udp any any eq 10000
access-list 111 permit tcp any any eq 1723
access-list 111 permit tcp any any eq 139
access-list 111 permit udp any any eq netbios-ns
access-list 111 permit udp any any eq netbios-dgm
access-list 111 permit gre any any
access-list 111 deny ip any any
access-list 122 deny tcp any any eq telnet
access-list 122 permit ip any any
dialer-list 1 protocol ip permit
no cdp run
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
no modem enable
transport output telnet
stopbits 1
line aux 0
login local
transport output telnet
stopbits 1
line vty 0 4
exec-timeout 120 0
privilege level 15
login local
length 0
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler interval 500
!
end
 
The config looks right. Have you done any extended troubleshooting? I'd change the NAT entry to

ip nat inside source static 192.168.0.50 interface dialer1

Then I'd take the access lists off of both interfaces and try it again. Then you can find out whether it's in the access list/NAT configuration, or if something is more fundamentally wrong.
 
Thanks for the reply. I tried the above but still no joy. Is there any way I can check where the connection is being rejected to see if it is a router configuration problem or an ISP problem?
 
From the router, telnet to the mail server on port 25 to make sure that it's open for connections. Also, do a 'sh ip nat trans *' to make sure that the NAT is in place.

On another note ... this is not good ..

interface Dialer1
ip access-group 101 in
!
access-list 101 permit tcp any any eq telnet
access-list 101 permit udp any eq domain any
access-list 101 permit tcp any any eq 139
access-list 101 permit udp any any eq netbios-ns
access-list 101 permit udp any any eq netbios-dgm

Looks like you're asking for trouble.

Chris.



**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
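Chris's first check (telnet from the router to the mail server on port 25) can also be run from any host on the inside LAN. The following Python probe is an example added to this thread, not code from the posters or from Cisco: it opens a TCP connection, reads the SMTP greeting, and separates the failure modes a troubleshooter cares about. A "refused" result means the host answered with a reset (reachable, but nothing listening on 25), while a "timeout" means no reply at all (filtered, or the host is down). The stand-in server, the 127.0.0.1 addresses, the `mail.example.test` banner and the ephemeral ports are constructed so the script runs offline; against the real server you would call `smtp_probe("192.168.0.50")`.

```python
"""Probe an SMTP listener and classify the outcome.
Example added to the thread; not the original poster's or Cisco's code."""
import socket
import threading


def smtp_probe(host, port=25, timeout=3.0):
    """Connect to host:port and read the greeting.

    Returns (status, detail) where status is one of:
      'open'            TCP accepted and a 220 greeting was received
      'open-no-banner'  TCP accepted but no (or a non-220) greeting
      'refused'         the host sent RST: reachable, nothing listening
      'timeout'         no SYN/ACK or RST at all: filtered or unreachable
      'error'           any other socket error
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                banner = s.recv(512).decode("ascii", errors="replace").strip()
            except socket.timeout:
                return "open-no-banner", "TCP accepted but no greeting within timeout"
            if banner.startswith("220"):
                return "open", banner
            return "open-no-banner", banner or "empty greeting"
    except ConnectionRefusedError:
        return "refused", "host reachable, nothing listening on the port (RST)"
    except socket.timeout:
        return "timeout", "no SYN/ACK or RST: filtered or host unreachable"
    except OSError as exc:
        return "error", str(exc)


def fake_smtp_server(banner=b"220 mail.example.test ESMTP ready\r\n"):
    """Constructed stand-in for the internal mail server (assumption: the real
    server greets with a 220 line). Listens once on an ephemeral localhost port
    and returns that port number."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def closed_port():
    """Bind then release an ephemeral port so a probe against it is refused."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # Offline demonstration against the constructed server and a closed port.
    print(smtp_probe("127.0.0.1", fake_smtp_server()))
    print(smtp_probe("127.0.0.1", closed_port()))
```

If the probe succeeds from the LAN but fails from the Internet, the mail server itself is fine and the problem lies in the NAT/ACL path (or upstream at the ISP); if it fails from the LAN as well, the router configuration is not the first thing to look at.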
 
Chris, can you let me know what is wrong with the 101 access list? I'm new to Cisco routers and so still learning how it all works!

The telnet on port 25 cannot establish a connection.

This is the result from my show ip nat (I've just changed the last segment of the IP address):

Pro  Inside global        Inside local        Outside local        Outside global
tcp  80.176.169.xxx:25    192.168.0.50:25     ---                  ---
udp  80.176.169.xxx:1948  192.168.0.16:1948   64.124.19.184:1948   64.124.19.184:1948

Is this correct?

Thanks

Dave
 
The NAT looks okay. My issue with your inbound access list is that you are allowing NetBIOS ports and telnet to ANY device behind your router. These are ports that are normally blocked on routers/firewalls for security, and so I was just wondering why you specifically permit them. Also, you don't need to allow DNS inbound unless you are hosting your own DNS server.

Chris.


**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
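To make Chris's review of access-list 101 repeatable, here is a small Python audit added to this thread (not code from the posters or from Cisco). It parses extended access-list lines in the syntax this config uses (`any`, `host A.B.C.D`, address plus wildcard mask, optional `eq <port>`), evaluates them first-match with the implicit deny that IOS applies, and flags the permits Chris objects to: telnet and NetBIOS allowed to any inside host, and a UDP permit keyed only on source port 53, which lets any UDP datagram with source port 53 reach any inside port. The sample entries are copied from ACL 101 above; the addresses 203.0.113.9 and 198.51.100.1 and the risk table are constructed assumptions, and ICMP type names are recorded but not matched.

```python
"""First-match evaluation and risk audit of Cisco IOS extended access-lists.
Example added to the thread; not the original poster's or Cisco's code."""
import ipaddress
import re

# Service names IOS accepts instead of numbers (subset used in this thread)
PORT_NAMES = {"smtp": 25, "telnet": 23, "www": 80, "domain": 53,
              "bootps": 67, "bootpc": 68, "isakmp": 500,
              "netbios-ns": 137, "netbios-dgm": 138}

# Services a reviewer would not expect permitted from the Internet to any
# inside host. Assumption: this table mirrors the objections raised above.
RISKY_INBOUND = {("tcp", 23): "telnet", ("tcp", 139): "NetBIOS session",
                 ("udp", 137): "NetBIOS name", ("udp", 138): "NetBIOS datagram"}

ACE_RE = re.compile(
    r"^access-list (?P<num>\d+) (?P<action>permit|deny) (?P<proto>\S+) (?P<rest>.*)$")


def _port(token):
    return PORT_NAMES.get(token, int(token) if token.isdigit() else None)


def _take_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    # An IOS wildcard mask is the bitwise inverse of a netmask
    mask = ".".join(str(255 - int(o)) for o in wildcard.split("."))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), tokens[2:]


def _take_port(tokens):
    if tokens and tokens[0] == "eq":
        return _port(tokens[1]), tokens[2:]
    return None, tokens


def parse_ace(line):
    """Parse one access-list line; remarks and other lines return None."""
    m = ACE_RE.match(line.strip())
    if not m:
        return None
    tokens = m["rest"].split()
    src, tokens = _take_addr(tokens)
    sport, tokens = _take_port(tokens)
    dst, tokens = _take_addr(tokens)
    dport, tokens = _take_port(tokens)
    return {"acl": m["num"], "action": m["action"], "proto": m["proto"],
            "src": src, "sport": sport, "dst": dst, "dport": dport,
            "extra": tokens}  # e.g. an ICMP type name such as echo-reply


def parse_acl(config_text, number):
    return [a for a in map(parse_ace, config_text.splitlines())
            if a and a["acl"] == str(number)]


def evaluate(aces, proto, src, dst, sport=None, dport=None):
    """First matching entry wins; no match means the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for a in aces:
        if a["proto"] not in ("ip", proto):
            continue
        if s not in a["src"] or d not in a["dst"]:
            continue
        if a["sport"] is not None and a["sport"] != sport:
            continue
        if a["dport"] is not None and a["dport"] != dport:
            continue
        return a["action"], a
    return "deny", None


def audit_inbound(aces):
    """Flag permits of risky services, and source-port-only permits, whose
    destination is 'any' (0.0.0.0/0)."""
    findings = []
    for a in aces:
        if a["action"] != "permit" or a["dst"].prefixlen != 0:
            continue
        key = (a["proto"], a["dport"])
        if key in RISKY_INBOUND:
            findings.append(f"{a['proto']}/{a['dport']} ({RISKY_INBOUND[key]}) "
                            "permitted to any inside host")
        elif a["sport"] is not None and a["dport"] is None:
            findings.append(f"{a['proto']} from source port {a['sport']} permitted "
                            "to any inside host and any destination port")
    return findings


# Entries copied from the thread's ACL 101 (the inbound list on Dialer1), abridged
SAMPLE_CONFIG = """
access-list 101 permit tcp any any eq smtp
access-list 101 permit tcp any any eq telnet
access-list 101 permit icmp any any echo-reply
access-list 101 permit udp any eq domain any
access-list 101 permit tcp any any eq 139
access-list 101 permit udp any any eq netbios-ns
access-list 101 permit udp any any eq netbios-dgm
access-list 101 deny ip any any
"""

if __name__ == "__main__":
    acl = parse_acl(SAMPLE_CONFIG, 101)
    # The mail flow the thread is trying to get working (constructed addresses)
    print("inbound SMTP:", evaluate(acl, "tcp", "203.0.113.9", "198.51.100.1", 40000, 25)[0])
    for finding in audit_inbound(acl):
        print("WARN:", finding)
```

Running it against the full running-config text (`parse_acl(open("router.cfg").read(), 101)`) gives the same findings for the complete list; the port-25 query confirms that the inbound ACL is not what blocks the mail flow, which is consistent with the replies above pointing at NAT and the server rather than the access list.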
 