Solved

How to open up SMTP port on Cisco 800 series router?

Posted on 2004-03-31
8
2,512 Views
Last Modified: 2007-12-19
I have a Cisco 800 series router which at the moment for some reason is showing the SMTP port closed/shut and our ISP is unable to relay mail to the company network.  I should be able to telnet to the router from outside to the public IP address i.e. telnet x.x.x.x 25 but I cannot now for some reason.

My question is how do I open up that port on the router to accepting incoming connections for mail, presummably I need to do that on the dialer interface.  I have a NAT rule to forward to the exchange once it comes in  just need to open that port up.

Any suggestions?

Thanks in advance.

Daniel
0
Comment
Question by:tnrphantom
  • 4
  • 2
8 Comments
 
LVL 1

Expert Comment

by:Brian1
ID: 10726874
Try adding this to the access-list on your external interface:

Access-list <list#> permit tcp any host X.X.X.X eq smtp

where X.X.X.X is the IP address of your mail server, and <list#> is the access list number you are configuring.  You must be in global configuration mode to add to the list.  Access lists are what prevent and allow packets hitting your router.  If you have a deny entry in the access list that is denying the smtp packets...the above line will need to be entered into the access list before the deny line.  This is because once a packet matches a specific line in the access list, all other lines in the list are ignored.

It is useful to use the "?" command when trying to understand the different options in these access list commands.  For example if you are typing the above command but type a "?" after "permit" you will be provided with a list of available commands to follow the "permit"
0
 

Author Comment

by:tnrphantom
ID: 10726943
What does the eq stand for in teh command like also i presume instead of actually writing smtp i type '25' instead, also does it matter what number access list i put it in?

Thanks

Daniel
0
 
LVL 1

Expert Comment

by:Brian1
ID: 10727033
The eq is saying to match a specific port number, which you give with the next command "smtp", which yes means port 25.  And you dont need to type 25, you can just type "smtp".

if you don't want to specify which server on your network you want to allow the traffic to (you want to allow smtp traffic bound for all internal computers) use this command:

Access-list <list#> permit tcp any any eq smtp


Yes, it does matter which Access-list number you put it in.  You need to know which access list # is currently applied to your external interface.  This is the access list number you need to add the permit command to.  You can see which Access list is applied to your interface with the "show run" command.
0
Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

 
LVL 1

Expert Comment

by:Brian1
ID: 10727046
To clarify the eq part; if you didn't have this portion in the command such as:

Access-list <list#> permit tcp any host X.X.X.X

then you would be opening all ports to packets incoming to the specified IP address.
0
 

Author Comment

by:tnrphantom
ID: 10727101
Thanks for that.

Please bear with me on this, if I could just clarify.......

I have gone into config t and entered the access list as you originally stated as access-list 110 permit tcp any host 192.168.x.x eq smtp (this address is the Surf Control Email filter, that then forwards mails to the exchange)

Now when I do a sh run I see the access list listed but above it a see other access lists and at the very top one which is access-list 101 says access-list 101 permit ip any any, which in theory must mean everything is open at the moment so why is mail still not flowing

Am I missing something? also how do i remove the access-list?

Thanks

Daniel
0
 
LVL 1

Accepted Solution

by:
Brian1 earned 125 total points
ID: 10727895
Well first of all the address 192.168.x.x is a private (internal) email address.  Email coming from the internet is going to be going to the public (external) address of your "Surf Control Email filter".  You obviously have NAT translating the public address to the private 192.168.x.x.

When you do the show run, it will show you all the access lists configured in the router.  These access lists are only utilized if they are applied to an interface.  On the show run, look for the Dialer interface, and if there is an access list applied to it you will see something like "ip access-group 101 in".  This would mean that access-list 101 is applied to the Dialer interface.

I don't know alot of the specific commands to execute all this stuff off the top of my head, so I suggesst you pick up a book on Cisco IOS, or check out the Cisco website.
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This solves the problem of diagnosing why an internet connection is no longer working. It also helps identify the likely cause of the lost connection if the procedure fails to re-establish your internet connection. It helps to pinpoint the likely co…
Sometimes you have to pull out old tricks to get a new firewall to work… While we were installing a new Sonicwall at a customers site we found that sites they were able to visit before were not working.  It seemed random and we could not understa…
I've attached the XLSM Excel spreadsheet I used in the video and also text files containing the macros used below. https://filedb.experts-exchange.com/incoming/2017/03_w12/1151775/Permutations.txt https://filedb.experts-exchange.com/incoming/201…
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an antispam), the admini…

749 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question