ACL trouble - Testing connection to SMTP Server

Discussion in 'Cisco' started by K.J. 44, Sep 12, 2006.

  1. K.J. 44

    K.J. 44 Guest

    I am trying to test connection to my SMTP server and check my incoming
    ACLs but I am having trouble. My incoming on the public interface ACL
    is as follows:

    ip access-list extended filterin
    deny ip 192.168.0.0 0.0.255.255 any log-input
    deny ip 10.0.0.0 0.255.255.255 any log-input
    deny ip 172.16.0.0 0.15.255.255 any log-input
    deny ip 127.0.0.0 0.255.255.255 any log-input
    deny ip 224.0.0.0 15.255.255.255 any log-input
    deny ip host 0.0.0.0 any log-input
    deny icmp any any echo log-input
    deny tcp any any eq 23 log-input
    permit icmp any any packet-too-big
    permit icmp any any echo-reply
    permit tcp any host PUBLIC-IP eq 25 log-input
    evaluate packets
    deny ip any any log-input

    and I have a static NAT for the PUBLIC IP

    ip nat inside source static PRIVATE-IP-OF-EXCHANGE-SERVER PUBLIC-IP

    When I telnet in, I see hits on the ACL denying telnet (X matches) etc.
    However, when I telnet in:

    telnet PUBLIC-IP 25

    To test connectivity to my SMTP server, no matches hit the ACL. Does
    anyone see anything wrong? There are no other hits on ACLs (except for
    pings when I ping in or out and the implicit deny).

    And when I do a show ip nat translations, it shows the static but with
    no Protocol, or Outside IPs. Would those show up?

    Thanks.
    K.J. 44, Sep 12, 2006
    #1

  2. K.J. 44

    K.J. 44 Guest

    If an ISP is doing port 25 blocking, when I try to test getting through
    my firewall to my mail server by telnetting on port 25, will that get
    blocked too?

    I have rules to allow SMTP traffic through and was trying to test them
    with this method and I saw nothing on my ACL firewall hits. I have
    been very confused by this for several days. Then I tried to telnet
    into port 25 on a company that I used to work for where this worked
    (using a different ISP for connection) and it timed out.

    Thanks.
    K.J. 44, Sep 12, 2006
    #2

  3. K.J. 44

    Chad Mahoney Guest

    K.J. 44 wrote:
    > If an ISP is doing port 25 blocking, when I try to test getting through
    > my firewall to my mail server by telnetting on port 25, will that get
    > blocked too?
    >
    > I have rules to allow SMTP traffic through and was trying to test them
    > with this method and I saw nothing on my ACL firewall hits. I have
    > been very confused by this for several days. Then I tried to telnet
    > into port 25 on a company that I used to work for where this worked
    > (using a different ISP for connection) and it timed out.
    >
    > Thanks.


    Depends on the ISP. Most residential and even some business services
    have blocked port 25 in and outbound forcing relaying off the ISP's
    server to reduce SPAM.

    PPPoX sounds like a smaller type ISP that may wish to introduce this in
    their network, I would contact them.
    Chad Mahoney, Sep 12, 2006
    #3
  4. K.J. 44

    Chad Mahoney Guest

    K.J. 44 wrote:
    > If an ISP is doing port 25 blocking, when I try to test getting through
    > my firewall to my mail server by telnetting on port 25, will that get
    > blocked too?
    >
    > I have rules to allow SMTP traffic through and was trying to test them
    > with this method and I saw nothing on my ACL firewall hits. I have
    > been very confused by this for several days. Then I tried to telnet
    > into port 25 on a company that I used to work for where this worked
    > (using a different ISP for connection) and it timed out.
    >
    > Thanks.
    >

    I just noticed, your header info points your IP to 69.214.4.217. When I
    telnet into that IP, the connection is accepted but no SMTP banner
    appears. Is 69.214.4.217 your IP?
    Chad Mahoney, Sep 12, 2006
    #4
  5. K.J. 44

    K.J. 44 Guest

    No. That is a connection from home that I am trying to telnet in.
    That's where I think the port 25 blocking is. My mail server is
    connected to a T1 at another carrier. I am trying to telnet from my
    home to the mail server at work.

    We already have our mail hosted somewhere else so customers have been
    using that. I need to test the mail server before I move the records
    over because of that.

    Thanks.

    Chad Mahoney wrote:
    > K.J. 44 wrote:
    > > If an ISP is doing port 25 blocking, when I try to test getting through
    > > my firewall to my mail server by telnetting on port 25, will that get
    > > blocked too?
    > >
    > > I have rules to allow SMTP traffic through and was trying to test them
    > > with this method and I saw nothing on my ACL firewall hits. I have
    > > been very confused by this for several days. Then I tried to telnet
    > > into port 25 on a company that I used to work for where this worked
    > > (using a different ISP for connection) and it timed out.
    > >
    > > Thanks.
    > >

    > I just noticed, your header info points your IP to 69.214.4.217. When I
    > telnet into that IP, the connection is accepted but no SMTP banner
    > appears. Is 69.214.4.217 your IP?
    K.J. 44, Sep 12, 2006
    #5
  6. K.J. 44

    K.J. 44 Guest

    And sorry, I tried to remove this post when I thought of the port 25
    and so now I have two posts talking about the same thing.

    My bad.... it's been one of those days.

    Chad Mahoney wrote:
    > K.J. 44 wrote:
    > > If an ISP is doing port 25 blocking, when I try to test getting through
    > > my firewall to my mail server by telnetting on port 25, will that get
    > > blocked too?
    > >
    > > I have rules to allow SMTP traffic through and was trying to test them
    > > with this method and I saw nothing on my ACL firewall hits. I have
    > > been very confused by this for several days. Then I tried to telnet
    > > into port 25 on a company that I used to work for where this worked
    > > (using a different ISP for connection) and it timed out.
    > >
    > > Thanks.
    > >

    > I just noticed, your header info points your IP to 69.214.4.217. When I
    > telnet into that IP, the connection is accepted but no SMTP banner
    > appears. Is 69.214.4.217 your IP?
    K.J. 44, Sep 12, 2006
    #6
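
As an added example (not code from any poster in this thread), the Python probe below separates the outcomes the thread runs into when testing port 25 by hand: a timeout, a refusal, a connection that is accepted with no SMTP banner, and a real 220 greeting. The function name, the result labels and the local listener (a constructed stand-in so the block runs offline) are assumptions made here.

```python
import socket
import threading

def probe_smtp(host, port=25, timeout=5.0):
    """Classify one TCP connection attempt to an SMTP port, as seen by the tester."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        # No SYN-ACK and no RST: something on the path dropped the SYN. If that
        # happened upstream of the router, its ACL counters will not move.
        return "filtered"
    except ConnectionRefusedError:
        return "refused"          # RST came back: path works, port is closed
    except OSError:
        return "unreachable"      # no route, ICMP unreachable, DNS failure...
    with sock:
        sock.settimeout(timeout)
        try:
            banner = sock.recv(512)
        except OSError:
            banner = b""          # connected, then silence or reset
    if banner.startswith(b"220"):
        return "smtp-banner"      # a mail server answered with its greeting
    return "open-no-banner"       # handshake completed but no SMTP greeting


def start_listener(banner):
    """Constructed local stand-in for a server; returns the port it listens on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        if banner:
            conn.sendall(banner)
        threading.Event().wait(1.0)   # keep the connection open for the probe
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    greeting = b"220 mail.example.test ESMTP (constructed)\r\n"
    for label, banner in (("greeting", greeting), ("silent", None)):
        port = start_listener(banner)
        print(label, "->", probe_smtp("127.0.0.1", port, timeout=0.5))
```

Run it from the same vantage point as the telnet test. A "filtered" result together with no log-input matches on the router's inbound ACL is consistent with the SYN being dropped before it reaches the router.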