Cisco forward SMTP traffic.

I am trying to allow SMTP traffic via my router, a Cisco 857w.

I have issued the following command:

ip nat inside source static tcp 10.10.10.254 25 x.x.x.x 25

Is that the correct command, and if so, why is no mail getting through to my server? All the MX records and DNS info are correct, so it is absolutely a router issue.

What am I missing?

Thanks in advance.
 
Have you tried debugging nat? Showing the nat translations table while an external client is connected? Are you firewalling it off on an access list?
 
I would test the port through telnet from an external location (so if your server and Cisco router are at work, do the test from home).

To test through telnet, from a PC go to start -> run -> cmd

At the command prompt type;

telnet <name or IP> 25 (where <name or IP> is the IP of your Cisco's WAN interface)

So as an example;

telnet smtp.eclipse.net.uk 25

Basically, see if you get a response or not.
 
ip nat inside source static tcp 10.10.10.254 25 interface Dialer1 25

Replace Dialer1 with whatever your WAN interface is called.
It's better to specify the interface rather than the outside IP.

Another thing to check is that your mail server is open on port 25.
Some AV programs close port 25.
Can you telnet on port 25 into the mail server from another PC on your lan ?

Also some providers block port 25 traffic.
 
As already mentioned, first thing to check is your server is actually listening on port 25 (telnet on LAN).

Assuming you have an ACL on the outside interface (Dialer0), check the hits are increasing on your 'allow SMTP from any' line. Make sure the destination is either 'any' or the IP address of Dialer0.

Once you get this working, get CBAC configured on the outside interface. If you tell it to inspect SMTP commands, it will provide a decent amount of protection against attacks.

Cisco CBAC for SMTP
 
I can telnet locally on port 25 no problem.

So far I have issued the following commands:

ip nat inside source static tcp 10.10.10.254 25 interface Dialer1 25

access-list 101 permit tcp any host 10.10.10.254 eq smtp

I have checked the running config and the above commands are present.

I still can't connect from an external source. I have issued the debug ip nat command, and when I view the log I see nothing at all trying to access 10.10.10.254.
 
Slinwagh said:
access-list 101 permit tcp any host 10.10.10.254 eq smtp

Don't know 100% about routers, but I know with PIXs NAT is performed AFTER access-list processing, i.e. instead of "host 10.10.10.254" it needs to be "interface Dialer1", in other words the PRE-NAT IP address.
 
All sorted !!

Using the SDM I moved the access list rule I created above all of the deny rules.

When I had manually entered the command via the CLI it was just at the bottom of the list of rules.

Hope that makes sense, it's working anyway!
 
Slinwagh said:
All sorted !!

Using the SDM I moved the access list rule I created above all of the deny rules.

When I had manually entered the command via the CLI it was just at the bottom of the list of rules.

Hope that makes sense, it's working anyway!

Pshhh rookie mistake :p

Good to hear it's working. :)
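Putting the thread's fix together as an added IOS configuration example (not taken from any post above): the static NAT bound to the WAN interface, an inbound ACL whose SMTP permit sits above the deny line and matches the outside address rather than the inside host, and the show commands used to confirm the ACL is hit and a translation is built. The interface names Dialer1 and Vlan1 and the ACL name OUTSIDE-IN are assumptions; adjust to your own config.

```cisco
! Static PAT: forward TCP/25 arriving on the WAN interface to the inside mail server.
! Binding to the interface (rather than a fixed x.x.x.x) survives a changing dialer address.
ip nat inside source static tcp 10.10.10.254 25 interface Dialer1 25
!
! An ACL applied inbound on the outside interface is evaluated BEFORE the
! outside->inside translation, so the destination must be the outside address
! ('any' here, since the dialer IP may change), not the inside host 10.10.10.254.
! Sequence numbers keep the permit above the deny: a permit appended after
! 'deny ip any any' is never reached, which is exactly the symptom in this thread.
ip access-list extended OUTSIDE-IN
 10 permit tcp any any eq smtp
 ! (your other existing permit lines go here, also above the deny)
 100 deny ip any any log
!
interface Vlan1
 ip nat inside
!
interface Dialer1
 ip nat outside
 ip access-group OUTSIDE-IN in
!
! Verification from exec mode while an external host runs 'telnet <wan ip> 25':
!   show access-lists OUTSIDE-IN   - the match counter on line 10 should climb
!   show ip nat translations       - expect a tcp entry mapping <dialer ip>:25 to 10.10.10.254:25
!   debug ip nat                   - logs one translation per external connection attempt
```

If the counter on the permit line stays at zero while the deny counter climbs, the permit is still below the deny; if the counter climbs but no translation appears, revisit the ip nat inside/outside assignments.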
 