Cisco Config not processing internal webmail script

Posted on 2007-10-21
Last Modified: 2008-01-09
Cisco 1700 series router performing NAT to an internal web server / email server.

For some reason, a webmail script, when being processed, cannot find the email server which is on the same device as the script .. e.g., the web host server consists of .. MS Windows 2003 / IIS / 3rd party email server
Question by:chuck_v

    Author Comment

    sorry, did not include enough detail

    ok, as per above, i have a single windows box that handles IIS / DNS / 3rd party email server

    now, i am sure you guys will ask if my email server works, and yes, it does. note the following below

    1) you can send an email to any hosted domain i have and i WILL receive it.
    2) i can send an email to anyone on the internet via my hosted email accounts with no issues

    i have a webmail script (url this just sends a test email to which resides on (and yes, this email account works (as per above)). HOWEVER, this script cannot find the email server which is on the same box.

    so to add more detail, if i use a machine (other than the server) to telnet into the SMTP server (, i will get a response. if i telnet from the SERVER itself and do the same thing, telnet, i get cannot find server.

    the questions below have been asked before (from other locations other than EE) and i have answered them.. see below

    (3) When you type in on your internal network you hit your router http page instead of your server.
    correct. unless i modify my host file. THIS has now been rectified as my cisco config script has been changed to suit this.

    (2) Your DNS server points for at your external IP
    correct .. all dns entries are external IP's

    (1) You have your own DNS/WEB/Email server sitting on the internal network at
    correct, all services residing on the same box .. hence all my forwards to the one box

    i am certain this is NOT a server issue. this is (from opinions) a cisco config routing issue. i have included said config below for your review and comments where available.

    --- CISCO 1700 CONFIG SCRIPT ---
    interface ATM0/0
     description +++ CONNECTION TO ISP +++
     no ip address
     no atm ilmi-keepalive
     dsl operating-mode auto
     hold-queue 224 in
    interface ATM0/0.1 point-to-point
     pvc 8/35
      pppoe-client dial-pool-number 1
    interface FastEthernet0/0
     description +++ LAN +++$ETH-LAN$$FW_INSIDE$
     ip address
     ip broadcast-address
     ip access-group 100 in
     ip nat inside
     speed auto
     no cdp enable
    interface Dialer1
     description +++ Virtual Connection to ATM0/0 +++$FW_OUTSIDE$
     ip address negotiated
     ip access-group filter-inbound in
     ip mtu 1492
     ip nat outside
     encapsulation ppp
     dialer pool 1
     ppp authentication chap callin
     ppp chap hostname XXXXXXXXXXXX
     ppp chap password XXXXXXXXXXXX
    ip nat inside source list 102 interface Dialer1 overload
    ip nat inside source route-map FWD2WEBSITE interface FastEthernet0/0 overload
    ip nat inside source static tcp 80 interface Dialer1 80
    ip nat inside source static tcp 25 interface Dialer1 25
    ip nat inside source static tcp 20 interface Dialer1 20
    ip nat inside source static tcp 21 interface Dialer1 21
    ip nat inside source static tcp 443 interface Dialer1 443
    ip nat inside source static tcp 3200 interface Dialer1 3200
    ip nat inside source static tcp 53 interface Dialer1 53
    ip nat inside source static tcp 110 interface Dialer1 110
    ip nat inside source static tcp 6080 interface Dialer1 6080
    ip nat inside source static tcp 3389 interface Dialer1 3389
    ip nat inside source static udp 53 interface Dialer1 53
    ip classless
    ip route Dialer1
    ip http server
    ip http access-class 23
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 5 life 86400 requests 10000
    ip access-list extended filter-inbound
     permit tcp any any eq 3389
     permit tcp any any eq ftp-data
     permit tcp any any eq ftp
     permit tcp any any eq 3200
     permit tcp any any eq pop3
     permit tcp any any eq smtp
     permit tcp any any eq 6080
     permit tcp any any eq 443
     permit tcp any any eq www
     permit udp any any eq domain
     permit tcp any any eq domain
     permit tcp any any established
     permit udp host eq domain any
     permit udp host eq domain any
     permit icmp any any echo-reply
     permit icmp any any time-exceeded
     permit icmp any any unreachable
     deny   ip any
     deny   ip any
     deny   ip any
     deny   ip any
     deny   ip host any
     deny   ip host any
     deny   udp any any
    access-list 23 remark ********************
    access-list 23 remark *** Local Access ONLY to Config
    access-list 23 remark ********************
    access-list 23 permit
    access-list 100 remark ********************
    access-list 100 remark *** FE0/0 LAN
    access-list 100 remark ********************
    access-list 100 permit ip any any
    access-list 102 remark ********************
    access-list 102 remark *** Traffic NAT'ed
    access-list 102 remark ********************
    access-list 102 permit ip any
    access-list 103 remark ********************
    access-list 103 remark *** FWD2WEBSITE
    access-list 103 remark ********************
    access-list 103 permit ip host
    dialer-list 1 protocol ip permit
    no cdp run
    route-map FWD2WEBSITE permit 23
     match ip address 103
     set ip next-hop
    --- END CONFIG ---

    any help / assistance on rectifying this would be great

    Accepted Solution

    It is not a router config issue; it is a matter of packet routing and NAT processing, which makes it fail when an internal server tries to go to itself via the public IP, which is then NATed back to itself.
    A packet sourced by the server to the public IP goes to the router
    Router looks up the public IP and NATs back to
    Server receives the packet from itself, but is expecting ack/syn-ack from the public IP, which simply cannot happen.
    On the server itself only, create a hosts file entry
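
The failure described in the accepted solution, and the effect of the hosts file fix, modelled as an added example (not code from the original thread). All addresses and the host name are constructed, because the thread's own were stripped, and the model assumes the router rewrites only the destination of a forwarded packet, as the answer describes.

```python
from dataclasses import dataclass, replace

# Constructed values: the thread's real addresses and host name were stripped.
PUBLIC_IP = "203.0.113.10"        # router outside (Dialer1) address
SERVER_IP = "192.168.0.11"        # inside IIS / DNS / mail server
OUTSIDE_CLIENT = "198.51.100.7"   # any Internet host
MAIL_NAME = "mail.example.test"
PUBLIC_DNS = {MAIL_NAME: PUBLIC_IP}              # DNS entries are external IPs
STATIC_NAT = {(PUBLIC_IP, 25): (SERVER_IP, 25)}  # static tcp 25 forward

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

def resolve(name, hosts_file):
    """A hosts entry overrides DNS, but only on the machine that holds it."""
    return hosts_file.get(name, PUBLIC_DNS[name])

def is_inside(ip):
    return ip.startswith("192.168.0.")  # assumed inside /24

def handshake(client_ip, name, hosts_file=None, dport=25, sport=40000):
    """Return (connected, syn_ack_source) for a TCP connect to name."""
    dialed = resolve(name, hosts_file or {})
    syn = Packet(client_ip, sport, dialed, dport)
    translated = (syn.dst, syn.dport) in STATIC_NAT
    if translated:
        # The router rewrites only the destination; the source stays as sent.
        new_dst, new_port = STATIC_NAT[(syn.dst, syn.dport)]
        syn = replace(syn, dst=new_dst, dport=new_port)
    if syn.dst != SERVER_IP:
        return False, None  # no listener at that address in this model
    # The listener answers to whatever source address the SYN carried.
    syn_ack = Packet(syn.dst, syn.dport, syn.src, syn.sport)
    # Only a reply that crosses the router is translated back to PUBLIC_IP;
    # a reply to an inside address never reaches the router's NAT table.
    if translated and not is_inside(syn_ack.dst):
        syn_ack = replace(syn_ack, src=PUBLIC_IP)
    # The client socket accepts a SYN-ACK only from the address it dialed.
    return (syn_ack.src, syn_ack.sport) == (dialed, dport), syn_ack.src

if __name__ == "__main__":
    print("outside -> public IP :", handshake(OUTSIDE_CLIENT, MAIL_NAME))
    print("server  -> public IP :", handshake(SERVER_IP, MAIL_NAME))
    print("server  -> hosts file:", handshake(SERVER_IP, MAIL_NAME, {MAIL_NAME: SERVER_IP}))
```

The hosts entry exists only on the server, so an outside client's lookup still returns the public IP and its path through the port forward is unchanged.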

    Author Comment

    wow, that was simple...

    i will give this a shot tonight and advise how it goes

    quick question though, if i do modify the host file with the entry above, would it not affect the packet to always go to 192.4168.0.11? when it should be sending out to the external IP address? just worried about those who send an email from say .. hotmail .. to an email address which i maintain, will the server just keep looping trying to find the mail server?

    thanks Irmoore

    Author Comment

    didn't get a chance to update the host file.. will do it tonight .. but i don't think it will help the external users (web site) as it would only look for local address .. and when say i do modify the host, the external users (web sites) would not have as my local machine, and not theirs

    also, i did telnet into 25 and i did get a response from within that machine

    Author Comment

    well, did the local host file thing, and it worked

    odd, but ok .. cheers for that
