Missing something: Cisco router allows port 25 to email server, telnet fails externally

I think I'm just missing something basic, but I have an Exchange 2010 mail server sitting behind a Cisco 1941 router.
I have NAT configured as static:
ip nat inside source static 10.10.10.15 000.000.000.000
where 000.000.000.000 is an external address.

All internal computers have internet access, and email is flowing successfully.

From any internal computer on the local LAN I can successfully telnet to port 25, run ehlo and get a response,
but from any external device I get a connection error when attempting to telnet.

Any ideas?
AMtek asked:

NetExpert Network Solutions Pte Ltd (Technical Specialist) commented:
Can you post the output of the commands below here?

#sh ip int br
#sh run | i nat

Also, do you have any access list on the internet-connected interface?

Thanks
0
AMtek (Author) commented:
Included ACL 102, which is referenced by the main NAT statement.

Router(config)#do show ip int brief
Interface                  IP-Address       OK? Method Status                Protocol
Embedded-Service-Engine0/0 unassigned       YES NVRAM  administratively down down
GigabitEthernet0/0         111.111.111.111  YES NVRAM  up                    up
wlan-ap0                   unassigned       YES NVRAM  up                    up
GigabitEthernet0/1         10.10.10.1       YES manual up                    up
Wlan-GigabitEthernet0/0    unassigned       YES unset  up                    up
NVI0                       111.111.111.111  YES unset  up                    up
Vlan1                      unassigned       YES unset  up                    up

Router(config)#do show run | i nat
 ip nat outside
 ip nat inside
ip nat pool PUBLIC_NAT_IPS 111.111.111.111 111.111.111.112 netmask 255.255.255.248
ip nat inside source list 102 pool PUBLIC_NAT_IPS overload
ip nat inside source static udp 10.10.10.3 123 interface GigabitEthernet0/0 123
ip nat inside source static tcp 10.10.10.45 1723 interface GigabitEthernet0/0 1723
ip nat inside source static 10.10.10.15 111.111.111.110
ip nat inside source static tcp 10.10.10.17 80 111.111.111.113 80 extendable
ip nat inside source static tcp 10.10.10.17 443 111.111.111.113 443 extendable

access-list 102 deny   ip 10.10.0.0 0.0.31.255 10.20.0.0 0.0.31.255
access-list 102 permit ip 10.10.0.0 0.0.31.255 any
0
AMtek (Author) commented:
No ACL applied on any interface.
0

NetExpert Network Solutions Pte Ltd (Technical Specialist) commented:
The command below should work:

ip nat inside source static tcp 10.10.10.15 25 <NAT'ed IP> 25
0
NetExpert Network Solutions Pte Ltd (Technical Specialist) commented:
And if that didn't work, add the extendable keyword at the end of the line:

ip nat inside source static tcp 10.10.10.15 25 <NAT'ed IP> 25 extendable
0
AMtek (Author) commented:
When you say NAT'ed IP, do you mean:
ip nat inside source static tcp 10.10.10.15 25 111.111.111.110 25

if 111.111.111.110 is the external IP?
0
NetExpert Network Solutions Pte Ltd (Technical Specialist) commented:
Yes...

Once you have applied the command, you have to clear the NAT too.
0
AMtek (Author) commented:
Didn't work, either way.
A port scan shows port 25 open from external, but I can't telnet to port 25.
0
NetExpert Network Solutions Pte Ltd (Technical Specialist) commented:
Can you tell me more about your email server? Is it Microsoft Exchange or Linux?

Can you check the email server settings to allow any IP to access the server? Some servers block access from other networks/IPs by default.

I am sure the NAT statement is right.
0
AMtek (Author) commented:
Exchange 2010.
The send connector has a wildcard to allow all; I dropped the firewall just to test.
No joy.
0
NetExpert Network Solutions Pte Ltd (Technical Specialist) commented:
Let's troubleshoot in another way. Enable ip cache flow on the router on both the LAN and WAN interfaces and try to find out whether we are getting any response from the server:

ip flow ingress
ip flow egress

Try to telnet to port 25 from outside, run #sh ip cache flow | i <mail server ip>, and paste the command output here.
0
AMtek (Author) commented:
Lot to scrub?
I kept running the command while trying to telnet to port 25.

There was no entry for my source IP (the external location attempting to telnet)??
0
NetExpert Network Solutions Pte Ltd (Technical Specialist) commented:
@AMtek,

I would like to configure the commands below on the Cisco router, on both the internet-connected interface and the local LAN interface:

conf t
int <interface name>
ip flow ingress
ip flow egress
end

Then run these commands on the router:

#sh ip cache flow | i <mail server public ip>
#sh ip cache flow | i <mail server lan ip>

Thanks
0
AMtek (Author) commented:
When I ping the server, the mail server public IP shows a hit:
#sh ip cache flow | i <mail server public ip>
Gi0/0          1.1.1.1   Local          111.111.111.110    01 00  10       4

where 1.1.1.1 is external (another location) pinging the public IP of the mail server, 111.111.111.110.

When I attempt to telnet, nothing. Not one hit.

I also started getting this message in the console:
%SSH-4-SSH2_UNEXPECTED_MSG: Unexpected message type has arrived. Terminating the connection

I can send the full output of the show ip cache flow commands if needed.
0
JustInCase commented:
The Cisco 1941 is an ISR, so is maybe a zone-based firewall (ZBF) configured on the router?

As LTD said :) you need to add
ip nat inside source static 10.10.10.15 111.111.111.110 extendable

But if ZBF is up and running, you will also have to create an ACL to allow traffic from the lower to the higher security level.
0
NetExpert Network Solutions Pte Ltd (Technical Specialist) commented:
@AMtek,

Can you post your router running config? Or, if you would like to do live troubleshooting, let me know.

I have the TeamViewer application installed on my computer to connect to your system.
0
AMtek (Author) commented:
Thanks, yeah, I have the extendable on there; no ZBF at the moment.
I even tried an 'any any' allow ACL on the inbound external interface just to make sure.
0
JustInCase commented:
So... there can be an ACL that blocks access on any interface from the WAN to the server. Also, did you check the firewall on the server?
Maybe the firewall currently allows only private access and blocks access from public IPs.
0
AMtek (Author) commented:
OK, so here is the weird part...

From almost everywhere on the planet I get a 220*****************
when trying to connect.
However, I have two sites with the same ISP, same backbone; when I have site B telnet to the external/public IP at site A, telnet works on port 25. No site-to-site or VPN.

Could this be the ISP's router blocking?
0
NetExpert Network Solutions Pte Ltd (Technical Specialist) commented:
Have you tried a port scan from the internet to your non-working mail server IP address?

If you can see the port is open, then there is no issue with the ISP or router; if not, then it's an ISP issue.

TCP Port Scan with Nmap
0
AMtek (Author) commented:
The port scan shows 25 open.
The email server is working; mail is flowing.

Just trying to telnet to the MX lookups, it comes up with a
220******************

Every command is a 500 error.

The only time it's successful is going from siteA to siteB.

So:

SiteB workstation >> SiteB Router (Cisco) >> SiteA Router (Cisco external IP) >> email server SiteA

No VPN, no site-to-site, because it's going out the external interface at siteB and then to the external interface at siteA.

Telnet connects and there is no 220*********
ehlo works, etc.
0
JustInCase commented:
You can rule out the ISP blocking port 25 by creating a NAT rule.
Remove:
ip nat inside source static 10.10.10.15 111.111.111.110 extendable
Create:
ip nat inside source static tcp 10.10.10.15 25 111.111.111.110 505 extendable
This will port-forward traffic arriving on your WAN port 505 (you can choose any other port that is not in use on the WAN) to 10.10.10.15 port 25.

If this works, the ISP is blocking traffic on port 25.
0
AMtek (Author) commented:
Then try telnet on port 505, correct?
0
JustInCase commented:
Yes.
0
AMtek (Author) commented:
Telnet worked on 505, no error.

So the ISP is blocking 25; any suggestions or best practice to correct or work around this?
0
NetExpert Network Solutions Pte Ltd (Technical Specialist) commented:
If the ISP is blocking port 25, will you be able to receive emails from other domains to your domain? I believe you can't receive email from other domains.

There is no other choice than informing the ISP to open port 25, because other domains' servers try to telnet to your server on port 25 before passing email to your domain.
0
JustInCase commented:
SMTP port 25 is for sending mails, not receiving :)
That's why some ISPs block port 25.
POP3 (receiving mails) is on port 110 by default.
0
NetExpert Network Solutions Pte Ltd (Technical Specialist) commented:
Oops :)

Overconfident.. please ignore my message.
0
AMtek (Author) commented:
I'm able to send/receive email; I had a few problems with incorrect spam detection, but mail is flowing.
Changing the NAT statement to 505, as predrag jovic suggested, allowed telnet right away with no issue.
ehlo worked as expected, no problems.

Of course, going back to 25 to allow mail to flow cuts off telnet with an error.

So I guess I'm talking to the ISP to get it resolved? Is that the only (best) choice?
0
NetExpert Network Solutions Pte Ltd (Technical Specialist) commented:
I believe there is no other choice than informing the ISP to unblock port 25, because they are the ones controlling your traffic to the rest of the internet world.

Or, I suspect the port might be allowed on the ISP device but they have ESMTP inspection enabled. Not sure about it.
0
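The symptom reported above (a greeting of 220 followed only by asterisks, then a 500 reply to every command, while port 25 shows "open" to a port scan) is easier to pin down with a small client than with interactive telnet. The following Python probe is an added example, not code from this thread or from Cisco; it drives the banner and EHLO exchange over any file-like transport, so the constructed transcripts stand in for a real connection, and probe_tcp() (host, port and the EHLO name are placeholders) runs the same logic against a live server.

```python
import io
import re
import socket

# Constructed sample transcripts; NOT captured from the thread's router or server.
MASKED_TRANSCRIPT = (b"220********************\r\n"
                     b"500 Syntax error, command unrecognized\r\n")
NORMAL_TRANSCRIPT = (b"220 mail.example.test ESMTP ready\r\n"
                     b"250-mail.example.test Hello\r\n"
                     b"250-SIZE 10485760\r\n"
                     b"250 STARTTLS\r\n")

# 3-digit code, then ' ' (last line) or '-' (continuation). The separator is
# optional so a masked greeting written as "220****" still parses.
REPLY_RE = re.compile(rb"^(\d{3})([ -]?)(.*)$")

def parse_reply(rfile):
    """Read one possibly multi-line SMTP reply; return (code, [text lines])."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("peer closed before a complete reply")
        m = REPLY_RE.match(raw.rstrip(b"\r\n"))
        if not m:
            raise ValueError("malformed SMTP reply: %r" % raw)
        lines.append(m.group(3).decode("ascii", "replace"))
        if m.group(2) != b"-":          # anything but '-' ends the reply
            return int(m.group(1)), lines

def banner_is_masked(text):
    """True when the greeting is nothing but asterisks (rewritten in transit)."""
    s = text.strip()
    return bool(s) and set(s) == {"*"}

def probe(rfile, wfile, helo_name="probe.example.test"):
    """Read the banner, send EHLO, and classify what came back."""
    code, banner = parse_reply(rfile)
    wfile.write(b"EHLO " + helo_name.encode("ascii") + b"\r\n")
    wfile.flush()
    ehlo_code, ehlo_lines = parse_reply(rfile)
    masked = banner_is_masked(banner[0])
    # A masked greeting plus 5xx to EHLO is the thread's symptom: the TCP port
    # is open, but something between client and Exchange rewrites the session.
    verdict = ("banner masked / EHLO rejected in transit"
               if masked or ehlo_code >= 500 else "ESMTP reachable")
    return {"banner_code": code, "banner": banner[0], "masked": masked,
            "ehlo_code": ehlo_code, "verdict": verdict,
            "extensions": ehlo_lines[1:] if ehlo_code == 250 else []}

def probe_sample(transcript):
    """Run probe() over an in-memory transcript (no network needed)."""
    return probe(io.BytesIO(transcript), io.BytesIO())

def probe_tcp(host, port, timeout=10):
    """Run probe() against a live host; host/port are caller-supplied placeholders."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return probe(s.makefile("rb"), s.makefile("wb"))
```

Running probe_tcp() against the public IP on port 25 and again on the temporary 505 forward gives a side-by-side result: the same server answering cleanly on 505 but masked on 25 points at the path, not at Exchange or the NAT statement.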
JustInCase commented:
If your ISP blocks port 25, it is OK (you can ask the ISP to unblock it), but my recommendation would be to use SSL on the mail server anyway (those ports should not be blocked).
:)
Today you don't want your users to send clear-text authentication anywhere.
0
JustInCase commented:
You can even try to send mail now... just change, in the advanced options of the mail client configuration, the SMTP port to port 505.
0
AMtek (Author) commented:
I currently have SSL and have external users get mail via RPC over HTTP; is there a way to use a send connector not on port 25?
0
JustInCase commented:
0