tibook
Premium
join:2010-02-15
Chesapeake, VA

[HELP] can't connect on port 25, what am I doing wrong?

Hello,

I'm having trouble getting SMTP to work. A port scan returns nothing on 25; I only get a connection on 443. I tried keeping the config basic since I'm new at Cisco, but I can't figure the problem out...

Building configuration...
 
Current configuration : 3416 bytes
!
! Last configuration change at 15:46:07 UTC Mon Apr 5 2010
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname c2901.domain.com
!
boot-start-marker
boot-end-marker
!
enable secret 5 #############
enable password f#######
!
no aaa new-model
!
!
!
!
no ipv6 cef
ip source-route
ip cef
!
!
ip dhcp excluded-address 10.0.1.1 10.0.1.199
!
!
ip domain name domain.com
!
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint TP-self-signed-1653501590
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1653501590
 revocation-check none
 rsakeypair TP-self-signed-1653501590
!
!
crypto pki certificate chain TP-self-signed-1653501590
 certificate self-signed 01
  30820255 ... A8
  quit
license udi pid CISCO2901/K9 sn F########
!
!
username myuser privilege 15 password 0 f######
!
redundancy
!         
!
! 
!
!
!
!
!
!
interface GigabitEthernet0/0
 description cox50/5
 ip address 70.0.0.0 255.255.255.224
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 !
!
interface GigabitEthernet0/1
 description internal LAN$ES_LAN$
 ip address 10.0.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 no mop enabled
 !
!
ip forward-protocol nd
!
no ip http server
ip http secure-server
!
no ip nat service sip udp port 5060
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 10.0.1.2 25 interface GigabitEthernet0/0 25
ip nat inside source static tcp 10.0.1.2 80 interface GigabitEthernet0/0 80
ip nat inside source static tcp 10.0.1.2 443 interface GigabitEthernet0/0 443
ip nat inside source static tcp 10.0.1.2 987 interface GigabitEthernet0/0 987
ip route 0.0.0.0 0.0.0.0 70.165.74.161
!
access-list 1 permit 10.0.1.0 0.0.0.255
!
!
!
!
!
!
control-plane
 !
!
!
line con 0
 login local
line aux 0
line vty 0 4
 password f#######
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
end
 

nosx

join:2004-12-27
00000
kudos:5
Is your ISP blocking inbound TCP traffic to port 25?
Are you actually connecting to the external IP from another internet host? Hairpinning traffic from inside to inside via NAT doesn't work when set up like that.


kamikatze

join:2007-11-02
kudos:2

reply to tibook
1. Don't try to connect from inside the network, Ciscos hate that really bad.

2. If it still doesn't work, check with your ISP that 25/TCP isn't filtered inbound.

3. Profit?

later edit: great minds think alike. haha.

tibook
Premium
join:2010-02-15
Chesapeake, VA
reply to tibook
I can access 443 (https, remote web workplace) from outside the office and hit the server.

It's a business service, so I would hope they wouldn't be filtering 25.

I used mxtoolbox to check my ports; that's how I know what's timing out and what is open.

Our mail is being caught by our filtering service, so it's just sitting there, because it can't connect via SMTP to this same server. I just don't understand why 443 works but not 25.

macallah

join:2003-01-22
Wichita Falls, TX
reply to tibook
I would test by changing your 25 to something like 30 in your config and see if 30 works. If so, I would say your ISP is blocking 25 to control spam, and work with them to stop blocking it.

tibook
Premium
join:2010-02-15
Chesapeake, VA
I changed it to

ip nat inside source static tcp 10.0.1.2 25 interface GigabitEthernet0/0 30

and got an open port. I'm on hold with CBI now. Most of the time, when I set up business accounts, there's no filtering. Every once in a while, I'll find that it is. Same thing with residential accounts. I'll report back if that was the problem...


OVERKILL

join:2010-04-05
Peterborough, ON
reply to tibook
So then the answer to your question is of course nothing

tibook
Premium
join:2010-02-15
Chesapeake, VA
I would hope so, however...

I just got off the phone with support. They claim they are not filtering the connection, even though I argued with her about it. I can telnet from a remote machine to port 30 and get the mail server banner reply, so I KNOW that the config is working properly. If I change it back to 25, it doesn't work.
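The test described in this post (telnet to the public address on the forwarded port and look for the mail server banner, then flip the translation between 25 and 30) can be turned into a repeatable check. The script below is an added example, not something posted in the thread; it assumes it is run from a host outside the NAT, takes the public address and port list on the command line, and classifies each port as open (banner received), refused (RST, typically no matching static NAT entry), or filtered (silent timeout, the signature of an upstream block). The fake SMTP listener and the `mail.example.test` banner are constructed stand-ins so the script can be exercised offline.

```python
import socket
import sys
import threading


def probe(host, port, timeout=5.0):
    """Open one TCP connection to host:port and classify what came back.

    Run this from a host OUTSIDE the NAT; hairpinning from the LAN to the
    public address does not work on a config like the one in the thread.

    status values:
      open        handshake completed; 'banner' holds whatever the server
                  said first (an SMTP server greets with '220 ...', an HTTPS
                  server says nothing until the client speaks)
      refused     a RST came back: the address answers but nothing accepts
                  that port, e.g. no static NAT line matched and the
                  router's own stack replied
      filtered    no reply before the timeout: the SYN was dropped somewhere
                  on the path (typical of an ISP blocking 25/tcp)
      unreachable the probing host could not even route the packet
    """
    result = {"host": host, "port": port, "status": None, "banner": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            result["status"] = "open"
            try:
                data = s.recv(512)
                result["banner"] = data.decode("ascii", "replace").strip() or None
            except socket.timeout:
                pass  # server-speaks-second protocol; the port is still open
    except ConnectionRefusedError:
        result["status"] = "refused"
    except socket.timeout:
        result["status"] = "filtered"
    except OSError as exc:
        result["status"] = "unreachable"
        result["banner"] = str(exc)
    return result


def verdict(results):
    """Turn a set of probe results into the kind of conclusion the thread reached."""
    statuses = [r["status"] for r in results]
    if all(s == "open" for s in statuses):
        return "all probed ports answer: the static NAT translations work"
    if "open" in statuses and "filtered" in statuses:
        return ("some ports time out while others on the same address answer: "
                "the router forwards fine, suspect a filter upstream (ISP) on "
                "the silent ports")
    if "refused" in statuses:
        return ("connection refused: the address answers but nothing forwards "
                "that port, check the 'ip nat inside source static' line")
    return "nothing reachable: check WAN routing before blaming the NAT"


def start_fake_smtp(banner=b"220 mail.example.test ESMTP ready\r\n"):
    """Constructed stand-in for the mail server behind the NAT, used only so
    the script can be exercised offline. Returns the port it listens on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return port


def unused_port():
    """A localhost port with no listener, to provoke the 'refused' case."""
    with socket.socket() as tmp:
        tmp.bind(("127.0.0.1", 0))
        return tmp.getsockname()[1]


if __name__ == "__main__":
    if len(sys.argv) >= 2:
        # Real use: probe the public address on the ports the router forwards.
        host = sys.argv[1]
        ports = [int(p) for p in sys.argv[2:]] or [25, 80, 443, 987]
    else:
        # Offline demo against the constructed listener.
        host = "127.0.0.1"
        ports = [start_fake_smtp(), unused_port()]
    results = [probe(host, p, timeout=5.0) for p in ports]
    for r in results:
        print(f"{r['host']}:{r['port']} {r['status']} {r['banner'] or ''}")
    print(verdict(results))
```

Invoked as `python probe.py <public-ip> 25 30 443` from a remote machine, a result of `443 open`, `30 open` and `25 filtered` on the same address is the pattern this thread saw: the translations are fine and the SYN on 25 is being dropped before it reaches the router. A `refused` on a port you expect to be forwarded points back at the NAT line instead.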


OVERKILL

join:2010-04-05
Peterborough, ON
reply to tibook
Can you set up a fake network on the WAN interface to emulate the ISP side, and try to get to 25 from there? Like set up a switch with a computer with an IP that fits in your WAN subnet and try from there, cutting the ISP out of the picture just for testing purposes. If that works, then you can call them back and tell them that it is for sure them.

tibook
Premium
join:2010-02-15
Chesapeake, VA
That's a good suggestion, I can try that after hours...

but all indications would say that the router config is fine for this, right?


OVERKILL

join:2010-04-05
Peterborough, ON

Looks fine to me. And the fact that it works when you switch it to 30 seems to pretty much seal the deal.....

tibook
Premium
join:2010-02-15
Chesapeake, VA
reply to tibook
Got a call back. He mumbled something about the routes not being right, so I changed my config back to 25/25 and was able to use telnet to talk to my exchange server.

Thank goodness. It's uncomfortable enough having to learn IOS on the fly, but when a seemingly straightforward config doesn't work, it makes you lose your mind.

I have to say, I have always had good success with CBI (Cox Business Internet); I'm surprised they had ports 25 and 80 misrouted/blocked. Maybe it's related to the fact that this is a HFC DOCSIS 3 setup and it's only been available for a month or so here.

Any suggestions on the next part of my config to tackle? I know I haven't started to experiment with the firewall part of the router, nor when my HWIC card comes in and I want to separate and prioritize the VoIP switch via its own interface.

nosx

join:2004-12-27
00000
kudos:5
Most important rule: Keep it simple.

Cisco is famous for allowing people to build tremendously complex messes that are ultimately unsupportable and riddled with caveats not immediately visible.
If you don't need complex firewall policies, you are almost always better off keeping it simple (permit everything out, permit established connections and NATted traffic in).
The same holds true for QoS. You can build a service policy that breaks traffic into 8 buckets with 3 streams per bucket with explicit rules. There is usually no value in doing so when a far simpler config will perform the desired goal (prioritize VoIP, best effort everything else).
Also keep in mind that QoS is a unidirectional mechanism. Just because you prioritize VoIP doesn't mean the return traffic from your provider will be appropriately priority queued. If someone is downloading large files and the upstream provider interface buffers the traffic and drops VoIP because it's not configured with a corresponding service policy, or strips off DSCP markings entirely (most broadband providers do this), you are still going to be hurting with dropped calls or poor voice quality.

aryoba
Premium,MVM
join:2002-08-22
kudos:4
reply to tibook
said by tibook:

Got a call back. He mumbled something about the routes not being right, so I changed my config back to 25/25 and was able to use telnet to talk to my exchange server.
If the cause was indeed incorrect routing, then the problem should have been widespread, affecting not just port 25 but all ports and services. Maybe there was something they were not telling?

said by tibook:

Thank goodness. Its uncomfortable enough having to learn CIOS on the fly, but when a seemingly straightforward config doesn't work, it makes you lose your mind.
Well, one good side of it is that you are learning something. Sometimes troubleshooting on a real, live network is the best teacher.

said by tibook:

Any suggestions on the next part of my config to tackle? I know I haven't started to experiment with the firewall part of the router, nor when my HWIC card comes in and I want to separate and prioritize the VoIP switch via its own interface.
You could implement something like CBAC or ZBF for the firewall part, assuming you are utilizing the IOS features the router offers. If that is the plan, make sure the router has the proper license for whatever you try to implement.

Another approach is to implement a dedicated firewall for just the firewall part and leave the router to just do routing and some basic NAT/PAT.

tibook
Premium
join:2010-02-15
Chesapeake, VA
I purchased a 2901 SEC so I do want to use the firewall inside the router. It should have enough horsepower to handle the connection speed along with the services.