  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 953

Cisco Config not processing internal webmail script

Cisco 1700 series router performing NAT to an internal web server / email server.

for some reason, a webmail script, when being processed, cannot find the email server which is on the same device as the script .. e.g. the web host server consists of .. MS Windows 2003 / IIS / 3rd party email server
Asked by: chuck_v
1 Solution
chuck_v (Author) commented:
sorry, did not include enough detail

ok, as per above, i have a single windows box that handles IIS / DNS / 3rd party email server

now, i am sure you guys will ask if my email server works, and yes, it does. note the following below

1) you can send an email to any hosted domain i have and i WILL receive it.
2) i can send an email to anyone on the internet via my hosted email accounts with no issues

issue,
i have a webmail script (url http://www.aais.com.au/cdosys.asp). this just sends a test email to admin@aais.com.au which resides on mail.aais.com.au (and yes, this email account works (as per above)). HOWEVER, this script cannot find the email server which is on the same box.

so to add more detail, if i use a machine (other than the server) to telnet into the SMTP server (mail.aais.com.au), i will get a response. if i telnet from the SERVER itself and do the same thing, telnet mailaais.com.au, i get cannot find server.

the questions below have been asked before (from other locations other than EE) and i have answered them.. see below

(3) When you type in http://www.aais.com.au on your internal network you hit your router http page instead of your server.
correct. unless i modify my host file. THIS has now been rectified as my cisco config script has been changed to suit this.

(2) Your DNS server points for xxx.aais.com.au at your external IP
correct .. all dns entries are external IP's

(1) You have your own DNS/WEB/Email server sitting on the internal network at 192.168.0.11
correct, all services residing on the same box .. hence all my forwards to the one box

i am for certain this is NOT a server issue. this is (from opinions) a cisco config routing issue. i have included said config below for your review and comments where available.

--- CISCO 1700 CONFIG SCRIPT ---
interface ATM0/0
 description +++ CONNECTION TO ISP +++
 no ip address
 no atm ilmi-keepalive
 bundle-enable
 dsl operating-mode auto
 hold-queue 224 in
!
interface ATM0/0.1 point-to-point
 pvc 8/35
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet0/0
 description +++ LAN +++$ETH-LAN$$FW_INSIDE$
 ip address 192.168.0.2 255.255.255.0
 ip broadcast-address 192.168.0.255
 ip access-group 100 in
 ip nat inside
 speed auto
 full-duplex
 no cdp enable
!
interface Dialer1
 description +++ Virtual Connection to ATM0/0 +++$FW_OUTSIDE$
 ip address negotiated
 ip access-group filter-inbound in
 ip mtu 1492
 ip nat outside
 encapsulation ppp
 dialer pool 1
 ppp authentication chap callin
 ppp chap hostname XXXXXXXXXXXX
 ppp chap password XXXXXXXXXXXX
!
ip nat inside source list 102 interface Dialer1 overload
ip nat inside source route-map FWD2WEBSITE interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.0.11 80 interface Dialer1 80
ip nat inside source static tcp 192.168.0.11 25 interface Dialer1 25
ip nat inside source static tcp 192.168.0.11 20 interface Dialer1 20
ip nat inside source static tcp 192.168.0.11 21 interface Dialer1 21
ip nat inside source static tcp 192.168.0.11 443 interface Dialer1 443
ip nat inside source static tcp 192.168.0.11 3200 interface Dialer1 3200
ip nat inside source static tcp 192.168.0.11 53 interface Dialer1 53
ip nat inside source static tcp 192.168.0.11 110 interface Dialer1 110
ip nat inside source static tcp 192.168.0.11 6080 interface Dialer1 6080
ip nat inside source static tcp 192.168.0.11 3389 interface Dialer1 3389
ip nat inside source static udp 192.168.0.11 53 interface Dialer1 53
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
!
ip access-list extended filter-inbound
 permit tcp any any eq 3389
 permit tcp any any eq ftp-data
 permit tcp any any eq ftp
 permit tcp any any eq 3200
 permit tcp any any eq pop3
 permit tcp any any eq smtp
 permit tcp any any eq 6080
 permit tcp any any eq 443
 permit tcp any any eq www
 permit udp any any eq domain
 permit tcp any any eq domain
 permit tcp any any established
 permit udp host 192.231.203.2 eq domain any
 permit udp host 192.231.203.3 eq domain any
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip host 255.255.255.255 any
 deny   ip host 0.0.0.0 any
 deny   udp any any
!
access-list 23 remark ********************
access-list 23 remark *** Local Access ONLY to Config
access-list 23 remark ********************
access-list 23 permit 192.168.0.0 0.0.0.255
access-list 100 remark ********************
access-list 100 remark *** FE0/0 LAN
access-list 100 remark ********************
access-list 100 permit ip any any
access-list 102 remark ********************
access-list 102 remark *** Traffic NAT'ed
access-list 102 remark ********************
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
access-list 103 remark ********************
access-list 103 remark *** FWD2WEBSITE
access-list 103 remark ********************
access-list 103 permit ip 192.168.0.0 0.0.0.255 host 150.101.163.87
dialer-list 1 protocol ip permit
no cdp run
route-map FWD2WEBSITE permit 23
 match ip address 103
 set ip next-hop 192.168.0.11
--- END CONFIG ---

any help / assistance on rectifying this would be great
cheers
chuck
lrmoore commented:
It is not a router config issue; it is a matter of packet routing and NAT processing, which makes it fail when an internal server tries to go to itself via the public IP, which is then NATted back to itself.
A packet sourced by the server 192.168.0.11 to the public IP goes to the router.
The router looks up the public IP and NATs it back to 192.168.0.11.
The server receives the packet from itself, but is expecting the ACK/SYN-ACK from the public IP, which simply cannot happen.
On the server itself only, create a hosts file entry:
192.168.0.11 www.aais.com.au
chuck_v (Author) commented:
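To make lrmoore's explanation concrete, here is an added example (not code from the thread or from either participant) that parses the static NAT lines from the posted config and models one TCP SYN from the server to its own public name, first with the public DNS answer and then with the hosts-file entry. The public address 203.0.113.10 is a placeholder for whatever Dialer1 negotiates, and the router model rewrites only the destination, as lrmoore describes.

```python
import re
from typing import NamedTuple, Optional

# Constructed subset of chuck_v's static NAT entries; added example, not the thread's code.
CISCO_NAT_LINES = """\
ip nat inside source static tcp 192.168.0.11 80 interface Dialer1 80
ip nat inside source static tcp 192.168.0.11 25 interface Dialer1 25
ip nat inside source static udp 192.168.0.11 53 interface Dialer1 53
"""
PUBLIC_IP = "203.0.113.10"   # placeholder for the address Dialer1 negotiates
SERVER_IP = "192.168.0.11"
DNS_PUBLIC = {"mail.aais.com.au": PUBLIC_IP}     # what public DNS answers
DNS_HOSTS_FIX = {"mail.aais.com.au": SERVER_IP}  # after lrmoore's hosts-file entry
NAT_RE = re.compile(r"ip nat inside source static (tcp|udp) (\S+) (\d+) interface Dialer1 (\d+)")

def parse_static_nat(config: str) -> dict:
    """Map (proto, public_port) -> (inside_ip, inside_port) from 'ip nat ... static' lines."""
    table = {}
    for proto, ip, iport, pport in NAT_RE.findall(config):
        table[(proto, int(pport))] = (ip, int(iport))
    return table

class Flow(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int

def router_forward(flow: Flow, nat: dict, public_ip: str) -> Optional[Flow]:
    """Packet to the public IP: the router rewrites only the destination (no source NAT)."""
    if flow.dst != public_ip:
        return flow                      # on-link traffic never reaches the router
    inside = nat.get(("tcp", flow.dport))
    if inside is None:
        return None                      # no static entry: nothing is forwarded inside
    return flow._replace(dst=inside[0], dport=inside[1])

def simulate_connect(client_ip, host, dns, nat, public_ip, dport=25, sport=50000):
    """Return 'ok', 'hairpin-mismatch' or 'no-nat-entry' for a TCP SYN from client_ip."""
    syn = Flow(client_ip, sport, dns[host], dport)
    delivered = router_forward(syn, nat, public_ip)
    if delivered is None:
        return "no-nat-entry"
    # The server answers the source it saw; that host is on-link, so the reply
    # never crosses the router and its source stays the private address.
    syn_ack = Flow(delivered.dst, delivered.dport, delivered.src, delivered.sport)
    expected = Flow(syn.dst, syn.dport, syn.src, syn.sport)  # what the client socket awaits
    return "ok" if syn_ack == expected else "hairpin-mismatch"

NAT = parse_static_nat(CISCO_NAT_LINES)
```

With DNS_PUBLIC the server's socket waits for a SYN-ACK from 203.0.113.10 but gets one from 192.168.0.11, which is the "cannot find server" symptom; with DNS_HOSTS_FIX the two tuples agree and the connection completes without touching the router.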
wow, that was simple...

i will give this a shot tonight and advise how it goes

quick question though, if i do modify the host file with the entry above, would it not affect the packet to always go to 192.168.0.11? when it should be sending out to the external IP address? just worried about those who send an email from say .. hotmail .. to an email address of which i maintain, will the server just keep looping trying to find the mail server?

thanks lrmoore

chuck_v (Author) commented:
didn't get a chance to update the host file.. will do it tonight .. but i don't think it will help the external users (web site) as it would only look for the local address .. and when say i do modify the host, the external users (web sites) would not have 192.168.0.11 as my local machine, and not theirs

also, i did telnet into 192.168.0.11 25 and i did get a response from within that machine
chuck_v (Author) commented:
well, did the local host file thing, and it worked

odd, but ok .. cheers for that