Email via firewall / router

huckey
huckey used Ask the Experts™
on
Hi everyone,

I have a small issue relating to firewall / email servers.

I am running Win2k / ISA config via  a DLINK router with a 3com superstack II 3300 managed switch.

The routers address is

Ext = 203.92.59.x
Int = 192.168.1.254

The server has two nics installed with the following addresses.

Ext Nic = IP : 192.168.1.1
          SM : 255.255.255.0
          DG : 192.168.1.254

Int Nic = IP : 192.168.0.1
          SM : 255.255.255.0
          DG : 0.0.0.0

Clients = IP : 192.168.0.x
          SM : 255.255.255.0
          DG : 192.168.0.1
          DNS: 192.168.0.1 (1) order
               202.10.89.2 (2)
               202.10.89.3 (3)

Switch =  IP : 192.168.0.2

Now the ISA box has a protocol / packet filter setup for email.

The server can connect to internet / email via pop3 and download email successfully.

The clients can all resolve DNS see websites, run tests for pop3 connection successfully. However downloading of pop3 mail fails.

If i use DNS name or IP address on client I cannot retrieve mail from a client. I can run the outlook test connection which works OK.

I believe this is something to do with the proxy side of ISA as getting it to the ISA box is OK.

any ideas ??




Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Commented:
The easiest way I've got this setup to work is by using the firewall client software and a protocol rule. (Guessing that you are accessing external POP3 mailboxes.)

rather than go through the details I'll refer you to this doc: http://www.isaserver.org/tutorials/Making_Outlook_Express_Work_with_ISA_Server_Quick_Start_Guide.html

If for whatever reason you cannot use this setup can you provide more detail from the ISA logs - i.e what is seen in the logs when a connection is blocked?
Commented:
Do all pop3 emails fail or is it just some of them? I'm thinking that maybe its an MTU issue if its not a straightforward config issue on the firewall.

Author

Commented:
kthyboy great site, all the information you mentioned was identical to my current setup.

heres something a little interesting however.

i removed the router and plugged the ext interface into the adsl connection.

immediately everything began to work normally, i did however change the external interface to DHCP from the ADSL modem.

this would indicate my firewall is correctly configured.

however when in this option when DHCP is requesting to be renewed it cannot see the adsl modem.

I have enabled the DHCP client option on ISA and installed this hotfix. q326116

cestor, when in the previous router configuration all email behind the firewall failed. at the firewall worked fine.

however once the router was removed all worked (im picking this means firewall is ok)

and something to do with the NAT'ing on the router. perhaps ?

I can do without the router its junk anyway however without the router I cannot renew DHCP therefore making the straight connection to the ADSL modem useless.


any ideas on either option ?
OWASP Proactive Controls

Learn the most important control and control categories that every architect and developer should include in their projects.

Commented:
My suggestions to resolve this would be as follows:

Use the router again & use Ethereal -  www.ethereal.com - a free packet sniffer and see if when the clients make the pop3 request the packets go both ways through the ext interface and have the correct source and destinations i.e. that natting is working properly. Move the sniffer machine down to between the router and the DSL modem and do this again. Use a small hub if necessary to allow the sniffing between the different areas.

Author

Commented:
yes im familiar with ethereal, i have already tried using SMS netmon however havent looked at the logs too closely as yet havent had time.

however with the second option of DHCP not renewing I swapped the NIC with a new one and this problem went away.

Therefore I am currently functional however I do not yet have the router back in place.

I will look through the ethereal logs later today and get back to you.
Les MooreSr. Systems Engineer
Top Expert 2008

Commented:
G'day, huckey, there has not been any activity on this question in 68 days.
Do you still need assistance, need more information, or have you solved your problem? Can you close
out this question?
Les MooreSr. Systems Engineer
Top Expert 2008

Commented:
huckey,
No comment has been added lately (116 days), so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area for this question:

RECOMMENDATION: split points between KthyBoy http:#7655015 and cestor http:#7657900

Please leave any comments here within 7 days.

-- Please DO NOT accept this comment as an answer ! --

Thanks,

lrmoore
EE Cleanup Volunteer

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial