Missing something: Cisco router allows port 25 to email server, telnet fails externally

Think I'm just missing something basic, but I have an Exchange 2010 mail server sitting behind a 1941 Cisco router.
Have NAT configured as static:
ip nat inside source static
where is an external address.

All internal computers have Internet access; email is flowing successfully.

From any internal computer on the local LAN I can successfully telnet to port 25, run EHLO and get a response,
but from any external device I get a connection error when attempting to telnet.

Any ideas?

NetExpert Network Solutions Pte Ltd (Technical Specialist) commented:
Can you post the output of the commands below here?

#sh ip int br
#sh run | i nat

Also, do you have any access list on the Internet-connected interface?

AMtek (Author) commented:
Included ACL 102 that is built into the main NAT statement.

Router(config)#do show ip int brief
Interface                   IP-Address  OK? Method Status                Protocol
Embedded-Service-Engine0/0  unassigned  YES NVRAM  administratively down down
GigabitEthernet0/0                      YES NVRAM  up                    up
wlan-ap0                    unassigned  YES NVRAM  up                    up
GigabitEthernet0/1                      YES manual up                    up
Wlan-GigabitEthernet0/0     unassigned  YES unset  up                    up
NVI0                                    YES unset  up                    up
Vlan1                       unassigned  YES unset  up                    up

Router(config)#do show run | i nat
 ip nat outside
 ip nat inside
ip nat pool PUBLIC_NAT_IPS netmask
ip nat inside source list 102 pool PUBLIC_NAT_IPS overload
ip nat inside source static udp 123 interface GigabitEthernet0/0 123
ip nat inside source static tcp 1723 interface GigabitEthernet0/0 1723
ip nat inside source static
ip nat inside source static tcp 80 80 extendable
ip nat inside source static tcp 443 443 extendable

access-list 102 deny   ip
access-list 102 permit ip any
AMtek (Author) commented:
No ACL applied on any interface.

NetExpert Network Solutions Pte Ltd (Technical Specialist) commented:
The command below should work:

ip nat inside source static tcp 25 <NAT'ed IP> 25
NetExpert Network Solutions Pte Ltd (Technical Specialist) commented:
And if that didn't work, add the extendable keyword at the end of the line:

ip nat inside source static tcp 25 <NAT'ed IP> 25 extendable
AMtek (Author) commented:
When you say NAT'ed IP, do you mean?
ip nat inside source static tcp 25 25

if is the external IP
NetExpert Network Solutions Pte Ltd (Technical Specialist) commented:

Once you have applied the command, you have to clear the NAT too.
AMtek (Author) commented:
Didn't work, either way.
Port scan shows port 25 open from external but can't telnet to port 25.
NetExpert Network Solutions Pte Ltd (Technical Specialist) commented:
Can you tell me more about your email server? Is it Microsoft Exchange or Linux?

Can you check the email server settings to allow any IP to access the server? Because a few servers block other network/IP access by default.

I am sure the NAT statement is right.
AMtek (Author) commented:
Exchange 2010.
Send connector has a wildcard to allow all; dropped firewall just to test.
No joy.
NetExpert Network Solutions Pte Ltd (Technical Specialist) commented:
Let's troubleshoot in another way. Enable ip cache flow on the router on both the LAN and WAN interfaces and try to find out whether we are getting any response from the server:

ip flow ingress
ip flow egress

Try to telnet to port 25 from outside, run #sh ip cache flow | i <mail server ip> and paste the command output here.
AMtek (Author) commented:
Lot to scrub?
I kept running the command, trying to telnet to port 25.

There was no entry of my source IP (external location attempting to telnet)??
NetExpert Network Solutions Pte Ltd (Technical Specialist) commented:

I would like to configure the commands below on the Cisco router, on both the Internet-connected interface and the local LAN interface:

conf t
int <interface name>
ip flow ingress
ip flow egress

Then run these commands on the router:

#sh ip cache flow | i <mail server public ip>
#sh ip cache flow | i <mail server lan ip>

AMtek (Author) commented:
When I ping the server, the mail server public IP shows a hit:
#sh ip cache flow | i <mail server public ip>
Gi0/0   Local    01 00  10       4

where is external (another location) pinging the public IP of the mail server.

When I attempt to telnet, nothing. Not one hit.

Also started getting this message in the console:
%SSH-4-SSH2_UNEXPECTED_MSG: Unexpected message type has arrived. Terminating the connection

I can send the full output of the show cache flow commands if needed.
Cisco 1941 is an ISR, so maybe a zone-based firewall (ZBF) is configured on the router?

As LTD said :) you need to add
ip nat inside source static extendable

But if ZBF is up and running you will also have to create an ACL to allow traffic from the lower to the higher security level.
NetExpert Network Solutions Pte Ltd (Technical Specialist) commented:

Can you post your router running config, or if you would like to do live troubleshooting, let me know.

I have the TeamViewer application installed on my computer to connect to your system.
AMtek (Author) commented:
Thanks, yeah, I have the extendable on there; no ZBF at the moment.
Even tried an 'any any' allow ACL on the inbound external interface just to make sure.
So... there can be an ACL that blocks access on any interface from WAN to server, and also, did you check the firewall on the server?
Maybe currently the firewall allows only private access and blocks access from public IPs.
AMtek (Author) commented:
OK, so here is the weird...

From almost everywhere on the planet I get a 220*****************
when trying to connect.
However, I have two sites with the same ISP, same backbone; when I have siteB telnet to the external/public IP at siteA, telnet works on port 25. No site-to-site or VPN.

Could this be the ISP's router blocking?
NetExpert Network Solutions Pte Ltd (Technical Specialist) commented:
Have you tried a port scan from the Internet to your not-working mail server IP address?

If you can see the port is open, then there is no issue with the ISP or router; if not, then it's an ISP issue.

TCP Port Scan with Nmap
AMtek (Author) commented:
Port scan shows 25 open.
Email server is working, mail is flowing.

Just trying to telnet to MX lookups, it comes up with a

Every command is a 500 error.

The only time it's successful is going from siteA to siteB:

SiteB workstation >> SiteB Router (Cisco) >> SiteA Router (Cisco external IP) >> email server SiteA

No VPN, no site-to-site, because it's going out the external interface at siteB then to the external interface at siteA.

Telnet connects and no 220*********
EHLO works etc.
You can eliminate ISP blocking of port 25 by creating a NAT rule:
ip nat inside source static extendable
ip nat inside source static tcp 25 505 extendable
This will port-forward traffic on your WAN port 505 (you can choose any other port that is not in use on the WAN) to port 25.

If this works, the ISP is blocking traffic on port 25.
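An added diagnostic script, not part of this thread or of anyone's posted config, that automates the manual telnet/EHLO test the thread performs on port 25 and on the alternate port, and classifies what comes back (real greeting, asterisked greeting with 5xx replies, or no greeting at all). The hostnames and the sample banner strings are constructed for illustration.

```python
import re
import socket

# Constructed sample exchanges (not captured from the thread's servers),
# used so the classifier can be exercised offline.
CLEAN_BANNER = "220 mail.example.test ESMTP Exchange Server ready"
CLEAN_EHLO = "250-mail.example.test Hello [203.0.113.10]\r\n250 OK"
MASKED_BANNER = "220 ********************"
MASKED_EHLO = "500 5.3.3 Unrecognized command"


def classify(banner, ehlo_reply):
    """Turn an SMTP greeting plus the EHLO reply into a short diagnosis.

    masked  : 220 greeting replaced by asterisks and EHLO rejected, the
              symptom from the thread (something in the path rewrites the
              SMTP dialogue, e.g. ESMTP inspection on an upstream device).
    clean   : normal 220 greeting and a 250 reply to EHLO.
    refused : greeting present but EHLO failed for another reason.
    none    : no 220 greeting at all (connection dropped or wrong service).
    """
    if not banner.startswith("220"):
        return "none"
    masked = re.search(r"\*{4,}", banner) is not None
    ehlo_ok = ehlo_reply.startswith("250")
    if masked and not ehlo_ok:
        return "masked"
    if ehlo_ok and not masked:
        return "clean"
    return "refused"


def probe(host, port, timeout=5.0):
    """Connect, read the greeting, send EHLO, return (banner, reply).
    Returns ("", "") when the TCP connection itself fails."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            banner = s.recv(1024).decode("ascii", "replace").strip()
            s.sendall(b"EHLO probe.example.test\r\n")
            reply = s.recv(4096).decode("ascii", "replace").strip()
            s.sendall(b"QUIT\r\n")
            return banner, reply
    except OSError:
        return "", ""


def compare_ports(host, ports=(25, 505)):
    """Probe one host on several ports. 'clean' on the alternate port while
    25 is 'masked' or 'none' points at the path, not the mail server."""
    return {p: classify(*probe(host, p)) for p in ports}
```

Run compare_ports() against the mail server's public address from an outside vantage point; the situation described in this thread would come back as 'masked' on 25 and 'clean' on 505.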

AMtek (Author) commented:
Then try telnet on port 505, correct?
AMtek (Author) commented:
Telnet worked on 505, no error.

So the ISP is blocking 25; any suggestions or best practice to correct or work around it?
NetExpert Network Solutions Pte Ltd (Technical Specialist) commented:
If the ISP is blocking port 25, will you be able to receive emails from other domains to your domain? I believe you can't receive email from other domains.

No other choice than informing the ISP to open port 25, because other domains' servers try to telnet to your server on port 25 before passing email to your domain.
SMTP port 25 is for sending mails, not receiving :)
That's why some ISPs block port 25.
POP3 - receiving mails is on port 110 by default.
NetExpert Network Solutions Pte Ltd (Technical Specialist) commented:
Oops :)

Over confident... please ignore my message.
AMtek (Author) commented:
I'm able to send/receive email; had a few problems with incorrect spam detection, but mail is flowing.
Changing the NAT statement as predrag jovic suggested to 505 allowed telnet right away with no issue.
EHLO worked as expected, no problems.

Of course going back to 25 to allow mail to flow cuts off telnet with an error.

So I guess I'm talking to the ISP to get it resolved? Only (best) choice?
NetExpert Network Solutions Pte Ltd (Technical Specialist) commented:
I believe there is no other choice than informing the ISP to unblock port 25, because they are the ones controlling your traffic to the rest of the Internet world.

Or, I suspect the port might be allowed on the ISP device but they have ESMTP inspection enabled. Not sure about it.
If your ISP blocks port 25 it is OK (you can ask the ISP to unblock it), but my recommendation would be to use SSL on the mail server anyway (those ports should not be blocked).
Today you don't want your users to send clear-text authentication anywhere.
You can even try to send mail now... just change in the advanced options of the mail client configuration that the SMTP port is port 505.
AMtek (Author) commented:
Currently have SSL and have external users get mail via RPC over HTTP; is there a way to use a send connector not on port 25?