  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1907
  • Last Modified:

Can ping but can't telnet across tunnel

I have 2 sites connected via VPN, all part of the same AD forest, and I'm having an issue with mail flow between the Exchange servers. So I try to telnet from each Exchange server to the other on port 25 and it doesn't work, but they can each ping. So I try from the routers, which are both Cisco 2821: same thing, I can't telnet across the tunnel on 25 from the opposite router, but each router can telnet on 25 to its own site's Exchange server. I can't see anything that would be preventing it; hoping maybe you guys notice something. Attached are the configs.
courthouse-scrub.txt
resource-scrub.txt
0
jasonmichel Asked:
5 Solutions
 
ThorinO Commented:
Sounds like a firewall issue, are you able to telnet to other known open ports? Have you checked the Windows firewall?
0
 
jasonmichel (Author) Commented:
I can telnet into the machines just fine from their own location and from outside, just not across the tunnel.
0
 
ThorinO Commented:
Can you telnet to any other ports across the VPN? I am not familiar with Cisco VPN configs, but with a SonicWALL it generally acts like a LAN. However, you could have another zone created that has some firewall rules in place.
0
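The test ThorinO is asking for (does TCP fail only on 25, or on every port, while ICMP succeeds?) is worth making repeatable, because the three ways a TCP connect can fail point at different causes: a RST means the packets reach the host and something on the host refuses them, a silent timeout is the signature of an ACL or firewall dropping the SYN, and an ICMP unreachable is a routing problem. The following Python script is an added example, not code from the thread; it probes a list of host/port pairs, classifies each outcome, and combines that with the ping result into a working hypothesis. The addresses in the `__main__` block are the two Exchange servers from the thread, and TCP/135 is assumed here only as "some other port a domain-joined Windows server should be listening on".

```python
import errno
import socket

# Outcomes of a TCP connect attempt and what each one usually means.
OUTCOMES = {
    "open":        "handshake completed: a service answered",
    "refused":     "RST came back: packets reach the host, nothing listens or the host firewall rejects",
    "timeout":     "no reply at all: an ACL or firewall in the path is silently dropping the SYN",
    "unreachable": "ICMP unreachable / no route: a routing problem, not a filter",
}


def probe_tcp(host: str, port: int, timeout: float = 3.0) -> str:
    """Try one TCP connect and classify the result (a key of OUTCOMES, or 'error: ...')."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        return f"error: {exc.strerror}"


def probe_matrix(targets, timeout: float = 3.0) -> dict:
    """Run probe_tcp over (label, host, port) triples; returns {label: outcome}."""
    return {label: probe_tcp(host, port, timeout) for label, host, port in targets}


def diagnose(ping_ok: bool, smtp_outcome: str, other_port_outcome: str) -> str:
    """Turn the ping result plus two port probes into the most likely cause."""
    if not ping_ok:
        return "no IP reachability: check routing and the tunnel itself"
    if smtp_outcome == "open":
        return "TCP/25 works; the problem is above the transport layer (SMTP / receive connector)"
    if smtp_outcome == "refused":
        return "host reached but nothing accepts 25: service binding or host firewall"
    if smtp_outcome == "timeout" and other_port_outcome == "open":
        return "only 25 is dropped: port-specific filter (router ACL, crypto ACL, firewall)"
    return "all TCP dropped while ping works: a filter on TCP somewhere in the path"


def start_local_listener():
    """Bind an ephemeral listener on loopback so the classifier can be exercised offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Addresses from the thread. Run this from a host at one site toward the
    # other site; ping is left to the OS tool, since ICMP needs raw sockets,
    # and is assumed successful here as the thread reports.
    targets = [
        ("main-smtp", "10.15.31.15", 25), ("main-rpc", "10.15.31.15", 135),
        ("remote-smtp", "10.15.100.12", 25), ("remote-rpc", "10.15.100.12", 135),
    ]
    results = probe_matrix(targets)
    for label, outcome in results.items():
        print(f"{label:12s} {outcome:12s} {OUTCOMES.get(outcome, outcome)}")
    print(diagnose(True, results["main-smtp"], results["main-rpc"]))
```

Run it once from each site so both directions of the tunnel are covered; an asymmetric result (one side times out, the other connects) narrows the search to the filter applied on the interface where the failing direction enters.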

 
jasonmichel (Author) Commented:
Just a simple IPsec tunnel protected with ACLs.
0
 
Marius Gunnerud (Senior Systems Engineer) Commented:
What are the IP addresses of the Exchange servers? And please specify which IP belongs to the main office and which belongs to the remote.
0
 
jasonmichel (Author) Commented:
10.15.31.15 - main
10.15.100.12 - remote
0
 
profgeek Commented:
0
 
Marius Gunnerud (Senior Systems Engineer) Commented:
You are not permitting SMTP traffic to 10.15.31.15 and 10.15.100.12 in your nospam access-list, and this access-list is configured on almost all of your interfaces, with a couple of exceptions.

Which interface connects to the remote office?

Try adding those two to the access-list nospam and test.
0
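Marius's point rests on how an extended ACL is evaluated: entries are checked top to bottom, the first match decides, and anything that matches no entry hits the implicit deny at the end. A "nospam" list typically permits SMTP only from the local mail server and then denies SMTP from everyone else, which is exactly the shape that lets ICMP through while dropping TCP/25 from the far site. The following Python script is an added example and not the poster's configuration (the attached configs are not reproduced on the page): it parses a small constructed `nospam` list in IOS syntax, evaluates a packet from the remote Exchange server to the main one against it, and then shows the same packet against a version with the two servers permitted above the deny. The ACL contents and the client port are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Service names IOS prints instead of numbers in "eq" clauses (subset).
PORT_NAMES = {"smtp": 25, "www": 80, "domain": 53, "telnet": 23, "ftp": 21}


@dataclass
class Ace:
    """One access-control entry of an extended ACL."""
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    src_port: Optional[int]
    dst: ipaddress.IPv4Network
    dst_port: Optional[int]
    text: str                    # original line, for reporting


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert a Cisco address + inverse (wildcard) mask into a network.

    Done by hand rather than via ip_network("a/b") because 0.0.0.0 and
    255.255.255.255 are ambiguous between netmask and hostmask notation.
    """
    wc = int(ipaddress.IPv4Address(wildcard))
    netmask = ~wc & 0xFFFFFFFF
    prefix = bin(netmask).count("1")
    if netmask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    network = int(ipaddress.IPv4Address(addr)) & netmask
    return ipaddress.IPv4Network((network, prefix))


def _parse_endpoint(tokens, i):
    """Parse 'any' | 'host A' | 'A WILDCARD', followed by an optional 'eq PORT'."""
    if tokens[i] == "any":
        net, i = ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    elif tokens[i] == "host":
        net, i = ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    else:
        net, i = wildcard_to_network(tokens[i], tokens[i + 1]), i + 2
    port = None
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        port = PORT_NAMES[name] if name in PORT_NAMES else int(name)
        i += 2
    return net, port, i


def parse_acl(config: str) -> list:
    """Parse the body of an 'ip access-list extended' block into a list of Ace."""
    acl = []
    for raw in config.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] in ("!", "ip", "remark"):
            continue
        if tokens[0].isdigit():            # optional sequence number
            tokens = tokens[1:]
        action, proto = tokens[0], tokens[1]
        src, sport, i = _parse_endpoint(tokens, 2)
        dst, dport, _ = _parse_endpoint(tokens, i)
        acl.append(Ace(action, proto, src, sport, dst, dport, raw.strip()))
    return acl


def evaluate(acl, proto, src, dst, sport=None, dport=None):
    """First-match evaluation, ending in the implicit deny every ACL carries."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.src_port is not None and ace.src_port != sport:
            continue
        if ace.dst_port is not None and ace.dst_port != dport:
            continue
        return ace.action, ace.text
    return "deny", "implicit deny at end of access-list"


# Constructed sample: an anti-spam list that lets only the local Exchange
# server originate SMTP. Hypothetical; not the poster's actual configuration.
NOSPAM_BEFORE = """
ip access-list extended nospam
 permit tcp host 10.15.31.15 any eq smtp
 deny tcp any any eq smtp
 permit ip any any
"""

# Same list with the two Exchange servers allowed to exchange SMTP, placed
# above the deny because the first matching entry wins.
NOSPAM_AFTER = """
ip access-list extended nospam
 permit tcp host 10.15.100.12 host 10.15.31.15 eq smtp
 permit tcp host 10.15.31.15 host 10.15.100.12 eq smtp
 permit tcp host 10.15.31.15 any eq smtp
 deny tcp any any eq smtp
 permit ip any any
"""

if __name__ == "__main__":
    # Remote Exchange server opening SMTP to the main one (client port constructed).
    packet = dict(proto="tcp", src="10.15.100.12", dst="10.15.31.15", sport=40123, dport=25)
    for label, text in (("before", NOSPAM_BEFORE), ("after", NOSPAM_AFTER)):
        acl = parse_acl(text)
        print(label, "tcp/25:", evaluate(acl, **packet))
        print(label, "icmp:  ", evaluate(acl, "icmp", packet["src"], packet["dst"]))
```

Running it prints a deny from the `deny tcp any any eq smtp` line for TCP/25 and a permit from `permit ip any any` for ICMP in the "before" list, which is the ping-works-but-25-fails symptom; the "after" list permits both. Whether the real router drops the traffic depends on which interface the list is applied to and in which direction, which is the question Marius asks next.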
 
jasonmichel (Author) Commented:
The two interfaces don't have that applied. On the remote site it is gig0/1.100, and on the main site gig0/1.31.
0
 
RPPreacher Commented:
You need to allow port 25 inbound on Windows Server firewall from the remote ip range.
0
 
jasonmichel (Author) Commented:
The firewall is turned off. I can telnet on 25 from outside and from any PC on its own LAN, just not from one side to the other.
0
 
RPPreacher Commented:
That is usually a Windows firewall issue.  Especially since ping works.  Which version of Windows server are you using?
0
 
John Gates, CISSP (Security Professional) Commented:
Some kind of firewall must be blocking the ports.  The routing is working as you are able to ICMP Ping and get a response...  If you have no firewalls in place between the two servers then it is time to look at the SMTP configuration and see if you have access restricted there.  Are you restricting access to SMTP by only having your local internal subnet listed?

-D-
0
 
jasonmichel (Author) Commented:
Both are Server 2008. And are you talking about the SMTP receive connector?
0
 
RPPreacher Commented:
2008 has an inbound & outbound firewall in Windows. Did you open 25 on both?
0
 
jasonmichel (Author) Commented:
The servers are sending mail to the outside fine, so I assume they are open?
0
 
RPPreacher Commented:
Two different firewalls: inbound and outbound.
0
 
John Gates, CISSP (Security Professional) Commented:
I would start looking at the smtp config.  Here's why:  You can ping so you know routing is not the problem.  You are pretty much ruling out the firewall yourself...  So SMTP has to be dropping the connection due to a setting on the SMTP configuration...  Just for grins add the IP range of the remote subnet to the allowed connections SMTP configuration setting.

-D-
0
 
jasonmichel (Author) Commented:
You are talking about the receive connector of each?
0
 
John Gates, CISSP (Security Professional) Commented:
Yes.  There has to be a restriction that is preventing that connection from occurring.  If you do not have any incoming restrictions set up, then the SMTP logs are going to be the next place to look to see why the disconnection is occurring.
0