Cisco WAN :: 2911 - SMTP Traffic Fails When Going Out And Back In Same Router

Dec 2, 2012

We have a customer using a 2911 router with 3 x DSL WAN links.
 
The customer runs a building with shared office space which people rent.
 
Customers in the building are experiencing a problem where they can't email other tenants, i.e...
 
One tenant's Exchange server tries to make a connection to another tenant's server by going out to the internet and back in via the same interface. I believe this might be called "Hair Pinning".


Cisco Firewall :: 5510 Single Outside Public / Can PAT Out And NAT SMTP Server Back

Jul 30, 2012

I have an ASA 5510, one public IP address on my outside interface, an internal email server and a private network. I would like...

1: Users on my private network to be able to access the internet (PAT them to external outside address)
2: Email to be delivered to my MX (my single public IP address translated back to my internal email server).
 
i.e. can I share my single public IP address to serve translation in both directions (private users surfing the Internet (in-to-out) and an outside to inside NAT for email)?
 
Email (MX) = 1.2.3.4
Public (outside) address = 1.2.3.4
Email server internal = 10.1.2.3
Internal private subnet for users = 10.0.0.0/8


Cisco WAN :: Traffic Shaping On Router 2911

Jun 10, 2012

I have the following scenario - router 2911 connected to 2950 switches with about 80 VLANs. How can I limit speed on each of the 79 VLANs (to an equal % across all of them) and give VLAN 80, let's say, 30% of total bandwidth? Since I am new to QoS, can you point me to the right website or give me an example?


Cisco Firewall :: ASA 8.4 / NAT SMTP Traffic From Outside To Inside?

Dec 25, 2012

Most examples of NAT translation using an ASA 8.4 are based on servers within a DMZ. In my case it's not, because the mailserver also functions as a data and Active Directory server for my local domain. I've tried to config the ASA for a while now and threw it in the corner for a couple of months out of frustration. Now I've got some time left during Christmas break I decided to start again. My purpose is to NAT SMTP / POP traffic from the internet, through the ASA to my (inside) server. This is what I got so far. With this config I'm unable to telnet the inside server (192.168.1.10) from a remote location.
  
ASA Version 8.4(3)
!
hostname ciscoasa
enable password cE8UUNd encrypted
passwd 2KFQ.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.253 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 95.*.*.218 255.255.255.248
!
ftp mode passive
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network server1_smtp
 host 192.168.1.10
object network server1_pop3
 host 192.168.1.10
access-list outside_access_in extended

[code]....
 
I can ping 192.168.1.10 from the ASA CLI. I can ping DNS 4.2.2.2 from the CLI (internet access). I can Telnet the server from the inside LAN, using: telnet 192.168.1.10 25. But I can't Telnet from an outside location using: Telnet 95.*.*.218 25. Because my server is on the Inside interface (different subnet), do I need an additional route?


Cisco Firewall :: How To Log Incoming Traffic (SMTP) On PIX 515E

Mar 6, 2013

I'm new to ASAs and PIX units. I've set up a few VPNs now but know next to nothing about logging on these units. I read the config guide for the PIX, but cannot figure out how to get a log of incoming SMTP traffic going on the console. Do I need to use a SYSLOG server? I can probably set one up on my laptop.


Cisco WAN :: 1811 - Restricting SMTP Inbound Traffic

Mar 16, 2012

I use a mail filtering service that delivers mail to me via SMTP on standard port 25 on one of my 5 static external IPs. I wish to restrict this to their IPs only (they have two) and I am unsure on how to do so. As it stands now, anything on the net can talk to my mailserver and my logs are filling quickly with failed attempts as a result. Here's my setup and what I am trying to accomplish:
 
mail filtering service -> my public ip:25 -> internal mailserver at 10.0.10.2:25, deny everything inbound except traffic from the mail filtering service. I am thinking an ACL would fit the bill here, but unsure of how to implement. Router is an 1811 with version 15.1(4)M3 IOS. WAN is on fa0, LAN is on fa1.


Cisco Firewall :: ASA-5510 Dropping Outbound SMTP Traffic?

Aug 21, 2011

A recently added outbound rule has left my SMTP communications broken. I have since removed the rule, and had Cisco do some damage control, but it's still dropping some of the SMTP traffic. I get a number of NDR messages each day like the one below: Your message did not reach some or all of the intended recipients. Subject: RE: Christopher, Curt Sent: 8/19/2011 9:38 AM The following recipient(s) could not be reached:
  
[URL]
on 8/21/2011 9:49 AM
Could not deliver the message in the time limit specified. Please retry or contact your administrator.
<630.SM.Local #4.4.7>
 
Your message did not reach some or all of the intended recipients. Subject: RE: Christopher Curd Sent: 8/19/2011 9:38 AM The following recipient(s) could not be reached:   JWillar@email.com on 8/21/2011 9:49 AM  Could not deliver the message in the time limit specified. Please retry or contact your administrator.  <630.SM.Local #4.4.7>
 
I've attached an image of my configuration (ASDM GUI). The part of the image highlighted in green are the SMTP rules. The part highlighted in yellow is another rule that I added about a month ago to block a SYN attack. This rule may be part of the problem because of the order it is in the list. Not sure, though.
 
I have had two Cisco techs Putty into my ASA to check things out. I think they've done all they can. I wonder at this point if it would be wise to just reload the last good running-config I have prior to the Outbound rule being added.


Cisco Firewall :: ASA5510 SMTP Traffic - Host Unreachable

Jul 8, 2012

Up until recently one of my sites was able to get to a postilion subnet. Then we started receiving "host unreachable" e-mails. Posting told us SMTP traffic was not getting let in. I've compared the current config to a config that was saved before the issue popped up and found really no noticeable difference.
 
I tried a packet tracer trace with no luck: SiteB- Firewall# packet-tracer input outside tcp 11.2.2.36 12345 65.19.0.0 25.
 
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
 [code]...
 
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
 
Attached is a sanitized config. I'm not entirely convinced it's a firewall issue, but I need to do some successful testing to prove otherwise.


Cisco Firewall :: ASA 5505 Doesn't Allow Local Provider SMTP Traffic

Aug 7, 2011

We are using several Cisco ASA 5505s with the 8.05 OS on them. The problem is that the SMTP traffic of my ISP (Telenet) isn't passing through the ASA. I'm using Outlook 2010. Before there was also a problem with our local Exchange server but I solved this by disabling ESMTP checking in the policies, but it didn't work for my local ISP.


Cisco Firewall :: ASA5505 8.4.2 NAT To Forward SMTP And RDP Traffic To Internal Host

Nov 26, 2011

I am new to the ASA series and I am at a complete loss as to why I cannot configure this router to forward SMTP and RDP traffic to an internal host.
 
The packet trace tool in ASDM shows complete end-to-end connectivity for RDP but it still fails to connect from outside. This is my config file; what do I need to change in order to make it work?


Cisco Firewall :: 5510 How To Configure Local LAN SMTP Traffic Sending Through New Leased Line

Jun 11, 2012

We have configured an ASA 5510. We have configured Ethernet 0/0 (Outside) connected with an ADSL line and Ethernet 0/1 (Inside) Local LAN. We have configured NAT and all the traffic is passing through the outside interface. Now we have connected the Ethernet 0/3 (leasedline) interface with a static public IP. Now we want to allow SMTP traffic to pass through from this interface.
 
How do we configure it if we want our local LAN SMTP traffic sent through the new leased line (Static Public IP)?


Cisco Switching/Routing :: HWIC-4SHDSL-E Router Back To Back Connection?

Apr 11, 2013

I have two sites that have a copper wire (2 wire) connection between each router (no telco in between). Now I want to use a 1921 router with an HWIC-4SHDSL-E card to connect these two sites together. Can I use the attached configuration to make the connection, with reference to the diagram?


Cisco Switching/Routing :: Connecting 2650XM - 2620 Router Back To Back WIC - T1?

Nov 25, 2011

I have a 2650XM router and a 2620 router. Both routers have built-in WIC T1 CSU/DSU cards.
 
2620Router --
 
2620Router#sh int se0/0
Serial0/0 is down, line protocol is down
  Hardware is PQUICC with Fractional T1 CSU/DSU
  Description: DTE  side
  MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation HDLC, loopback not set

[code]....
 
My question is that the Cisco website says there are two types of cable connections for this type of config, which are:

T1 CSU/DSU Configuration: Set one CSU/DSU to clock source internal, and the other CSU/DSU to clock source line. The linecode, framing, data-coding, and timeslots must be set the same on both CSU/DSUs.

Four-Wire 56k CSU/DSU Configuration

For my network connection, which type of config should I use? Secondly, I tried to connect these ports by a normal crossover cable; it did not work. So for this type of connection I know I need a T1 crossover cable, which has RJ 48 connections at both sides. I checked a cable from eBay which is RJ45 RJ48 crossover. Will this cable work in my router-to-router connection?


Cisco WAN :: 1921 / Connect Two Router Back To Back Via 2 Pin Copper Wire?

Jan 8, 2013

I would like to configure two routers (e.g. 1921) back to back via a 2 pin copper wire. Can I use an HWIC-4SHDSL-E card to do it? What is the configuration I can use?


Cisco WAN :: HWIC-4SHDSL-E Router Back To Back Connection

Apr 14, 2013

I have two sites that have a copper wire (2 wire) connection between each router (no telco in between). Now I want to use a 1921 router with an HWIC-4SHDSL-E card to connect these two sites together. Can I use the attached configuration to make the connection, with reference to the diagram?


Cisco WAN :: VLAN 310 - Apply Route-map / Send Traffic Back Down To Switch?

Sep 26, 2011

I have some specific traffic that I am attempting to pull off of VLAN 310 at the router, apply a route-map that sends this specific traffic  back down to the switch on VLAN 55 (and the private address) and once it hits the switch apply a route-map on that VLAN 55 interface directing the same traffic over to the 72.x.x.9 address which goes through a FAP box back up to the router on another interface.

I have attached the config information. I know this isn't the best practice way to do this, however right now this is how I have to do this. When running a trace from the net, traffic stops at .2, and when running a trace from my test /30 it stops at .2 as well. I am not sure what to do at this point.

[code]...


Cisco WAN :: 2911 Split Traffic From LAN

Jun 11, 2013

I have a Cisco 2911 Router and I need to split the traffic from my LAN (Gi0 / 0) by ISP1 (fa0 / 0) and that of my servers (Gi/0/0) by ISP2 (fa0 / 1). [code] My problem comes when wanting to communicate with my remote networks that reach the int Gi 0/1, because when my network to match the policy- route internet sends me all the way.


Cisco Switching/Routing :: Intra-VLAN Traffic Not Passing Back To Nexus 5k

Mar 28, 2013

We recently extended our access layer using a pair of 5ks with extenders. We have a pair of 6509s at our core and they handle the intra-VLAN routing with SVIs. I recently noticed that access hosts connected to the extenders cannot pass traffic between each other if they are in different VLANs. The strange thing is these same hosts can ping devices in other VLANs as long as the other devices are not connected to the 5k environment.
 
For example, consider the following hosts. Each host has their gateway set to the appropriate SVI on our core.

HostA - VLAN100 - connected to 5k extender
HostB - VLAN200 - connected to 5k extender
HostC - VLAN100 - connected to 2960 off our core
HostD - VLAN200 - connected to 2960 off our core
 
Each host can ping each other with the exception of HostA and HostB. As for specifics, we use HSRP (no VSS) between our cores.
 
When I ping between hostA and hostB, I see the egress packets on either 5k1 or 5k2. I then see ingress AND egress on Core1. There are no ingress packets on 5k1 or 5k2. The egress packets from Core1 show the correct destination MAC address of the target host. The MAC address table shows the MAC address on po31.


Cisco WAN :: 2911 / NetFlow Traffic Not Received

Jan 13, 2012

Recently brought up a new router connected to ISP A, and the NetFlow collector/server is located in a different location connected to ISP B. I have enabled SNMP and NetFlow config on my router (2911), but the NetFlow packets are not reaching the server for some strange reason, whereas other packets like ICMP for SNMP are reaching the NetFlow collector. Finally, I created a GRE tunnel between the two locations' routers and set the route for the NetFlow collector/server to the tunnel's other end IP. In this way the NetFlow traffic is reaching the server successfully.


Cisco Switching/Routing :: 2911 - Allow Traffic Between Two LAN Interfaces?

Nov 15, 2011

I have a 2911 router. One interface is configured external (WAN) and two interfaces are configured on separate internal private subnets. What is the configuration to allow all traffic in both directions between the two internal subnets?


Cisco WAN :: 2911 Not Passing LAN Traffic To Public Interface

Sep 23, 2011

We have a 2911 Router running 15.0(1)M4. G 0/0 is our LAN interface, and it has three subinterfaces:

G0/0.1 is our data LAN, and the gateway for our Windows machines. This is the interface this question concerns.
G0/0.23 is a separate LAN for various equipment.
G0/0.192 is another LAN for equipment.
G 0/1 is connected to the internet, and has a public address.
S 0/0/0 is a T1 PPP, connected to our core data center.
S 0/1/0 is a backup T1 PPP, again, connected to our core data center.

There are three static routes entered:

ip route 0.0.0.0 0.0.0.0 10.12.1.1 100 (This is the first PPP)
ip route 0.0.0.0 0.0.0.0 10.13.1.1 200 (This is the secondary PPP)
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 255 (It currently has a cost of 255 while I figure this one out.)

xxx.xxx.xxx.xxx represents the cable company gateway, which I can ping properly. I've also used "gigabitethernet 0/1" in place of the next hop IP with the same results. The public interface is properly connected, and can ping its next hop (the cable company gateway). When I change the static route for gigabitethernet 0/1 to a cost of "0", the router can properly ping DNS names, such as google.com, through the public interface.
 
However, devices on the data LAN cannot reach any public addresses except for the router's public interface, let alone DNS names (I am using 8.8.8.8 as my test IP).  If I revert the cost back to 255, making the PPP the gateway of last resort, these devices can again connect. (they travel through the PPP to our Data center's internet) 
 
This confuses me. If our server, on the same LAN as the router, can ping the public interface (it's definitely not leaving the 2911, as latency is less than 1ms), and the router itself can ping outside addresses, what is preventing the router's public interface from passing traffic to the internet from any source other than itself? I have attached our running config in the hopes that there is something obvious I'm missing (the public IP addresses have been changed so they are not exposed). I simply want clients on our 10.23.0.0 LAN to get to the internet via the public interface of the local router, and still connect to corporate resources using the PPP links.

MAS_2911#sho run

Building configuration... 
 
Current configuration : 5666 bytes
!
! Last configuration change at 01:47:50 eastern Sat Sep 24 2011 by redacted

[Code].....


Cisco Switching/Routing :: 2911 Cannot Send Or Receive Traffic

Feb 21, 2013

I’m somewhat new to Cisco routers; this is my first attempt at getting one to work. I work in an environment with multiple locations; most are using the Cisco Model: 2911/K9 or the Model: 2921/K9 routers running IOS Version 15.0. We just added a new small office and all I had in the way of a router was a Cisco C1841-IPBASE-M router, running IOS Version 12.4. When setting up the C1841 I kept the configuration pretty much the same as the others, allowing for the differences in the OS. I can remote into the 0/0 (outside port) from over the network, I can ping to that port without fail, but I can’t send or receive traffic from the 0/1 (inside port).


Cisco Firewall :: 2911 - Immediate Gateway Dropped Ping Traffic

Jun 13, 2011

I have a firewall policy on a Cisco 2911 - the zone policy from OutZone>InZone basically drops everything apart from inspected traffic in the opposite direction and a few essential kinds of traffic generated externally (such as Outlook web access and e-mail exchanging). However, I seem to be getting a lot of firewall drops coming from the immediate gateway of the ADSL WAN address to the internal IP range on port 3. I get about 10 hits every 5 seconds.
 
Policy:

policy-map type inspect FWPol_Out-In
class type inspect CCP_PPTP
  pass
class type inspect FCMAP_In-Email
  pass
class type inspect FCMAP_In-OutlookWebAccess
  inspect(code)

 %FW-6-LOG_SUMMARY: 1 packet were dropped from IMMEDIATE WAN GATEWAY:0 => INTERNAL IP ADDRESS:3 (target:class)-(FWPair_Out-In:class-default), the immediate gateway would ping an internal IP address? Keepalive? Could this be stemming from another problem? The traffic  wasn't generated internally as all InZone>OutZone is inspected.


Cisco WAN :: 2911 Multicast Traffic Stops Passing Through Multilink Interface

May 8, 2012

I have configured multicast (ip pim dense-mode) on two 2911 routers that are connected by a Multilink (3Mbps) WAN connection. The configuration works fine for a while, and sometimes all day, but at some point one of the Multilink interfaces stops passing multicast traffic. I perform a sh multilink 1 on the interfaces and one interface shows the multicast packets incrementing and the other does not; it just stops. The only fix for this is to hard reboot both routers, and the multicast traffic begins to flow once again.


Cisco Switching/Routing :: 2911 / Block All Traffic But Allow One Way Data Transfer?

Feb 5, 2013

I am trying to connect a Control network that can not have access to the Internet, or any other network for that matter, to my Admin network so that I can retrieve trend data about the plant that goes into a database. Right now the process is print information, hand jam into excel spreadsheet, print again, and hand jam into another excel spreadsheet on the other network. Reports are printed automatically once a day, but would like a simplified way of getting data from one network to the other without having to re-enter data several times. Current policies stipulate no USB drives connected to Control systems. Even if we could loosen that, personnel needed to transfer data is not available and going to each individual machine would take more time than current system.

Now that background is laid, I have two 2911 ISR routers with EIGRP configured, each with a 4 port EHWIC card. The 3 L3 ports on the router are setup as follows: interface G0/1 to the internet, interface G0/2 to a wireless back haul, and interface G0/0 for IT network. I then have 3 VLANs setup on the EHWICs for our Admin network. We will move the IT network to a VLAN on the remaining EHWIC port and connect the two 2911's through the G0/0 interface. I am going to have one computer on my Administration network dedicated to receiving the information and have a program that will take that data and import it to a database. I need to allow only that computer to receive traffic from the Control network and I need no traffic to flow back into the Control network. In other words I will transmit data from the control network to the admin computer using one protocol (TFTP more than likely) and block any other traffic coming out of and going into the Control network.


Cisco Switching/Routing :: 2911 Multicast Traffic Stops Flowing?

May 7, 2012

I have configured multicast (ip pim dense-mode) on two 2911s that are connected by a Multilink (3 Mbps) WAN connection. The configuration works fine for a while, and sometimes all day, but at some point one of the Multilink interfaces stops passing multicast traffic. I perform a SH Multilink 1 on the interfaces and one shows multicast packets incrementing and one does not; it just stops. The problem acts like there is a buffer that gets full, and after that happens it just stops working.


Cisco WAN :: 2911 - Large Uploads Incorrectly Marked As EDonkey Traffic

Feb 17, 2011

I ran into this recently with a client of mine.  When uploading files (either via FTP or through a shared drive in terminal services) from the site any files larger than 200MB or so would hang in the middle of the upload as the TCP session timed out because the traffic was cut off.  I started pulling apart the config on the 2911 edge router to determine what the issue was.
 
I traced the issue down to this particular policy, which was created by CCP: sdmappfwp2p_CCP_LOW (when this policy was removed from the WAN interface the issue vanished). The default config of this policy was as follows:
 
policy-map sdmappfwp2p_CCP_LOW
 class sdm_p2p_edonkey
  drop
 class sdm_p2p_gnutella
  drop
 class sdm_p2p_kazaa
  drop
 class sdm_p2p_bittorrent
  drop

I first removed the highlighted drop command from the edonkey class and reapplied the inspection policy to the WAN port and the issue remained resolved!
 
While this fixed the issue and I was able to block eDonkey traffic with just a simple outgoing ACL to block tcp port 4662, I find it very strange that an eDonkey inspection policy would cause such problems for eDonkey traffic. I know for sure this is the only change made on the router and I'm just scratching my head at what I've found. Is it a bug with NBAR? Mostly I'm just curious as the issue is already resolved.


Cisco Switching/Routing :: ATM 8510 Back To Back With 7206vxr 155Meg Only Get 44Meg?

Nov 25, 2012

I have a Cisco 8510msr that is connected back to back with a 7206vxr across a 155Meg connection. I receive lots of output drops on the 7206vxr interface facing the ATM switch. When I do the following command:

kwdair9#sh atm int atm 1/0
Interface ATM1/0:
AAL enabled:  AAL5 , Maximum VCs: 4096, Current VCCs: 27
Maximum Transmit Channels: 0
Max. Datagram Size: 4528
PLIM Type: SONET - 155000Kbps, TX clocking: LINE
Cell-payload scrambling: ON
sts-stream scrambling: ON
797522 input, 881483 output, 203946630 IN fast, 223768062 OUT fast, 0 out drop
VBR-NRT : 110288 Avail bw = 44712   <====  I only have 44meg
Config. is ACTIVE
kwdair9#

I only get 44Meg of the available 155Meg. There is no QoS on the router, and the only commands I can find that vaguely seem to refer to QoS are on the ATM switch:

atm address 47.0091.8100.0000.0007.0d87.b201.0007.0d87.b201.00
atm router pnni
 no aesa embedded-number left-justified
 node 1 level 56 lowest
  redistribute atm-static

Why is this acting like a DS3 link and not a 155Meg link?


Cisco Switching/Routing :: Connecting Two 2951 Back To Back Through A HWIC-4T1 Card

Dec 4, 2011

What cable do I need to connect two 2951s back to back through a HWIC-4T1/E1 card?


Cisco Switching/Routing :: 2611 / 2801 - Configuration For Back To Back Support

Oct 19, 2012

I have one 2611xm router and one 2801 router. For my own lab purposes, I want to configure them back to back to support voice services. I don't know what configuration will be required at each end. In the 2611xm, I have an NM-2V and it's also detecting the card, so I hope it will work? Also, what commands do I need to run on both ends?


Cisco WAN :: E1 Clocking Back To Back 3925 Routers

Feb 29, 2012

Just to get this clear, as having issues with an E1 link with CRCs at one. Router A, Network-Clock-Participate WIC 1. Should router B have clock participate for WIC 1? We currently have controllers set as UNFRAMED but guess we can set to NO-CRC4 at both ends and the telco will pass this.


Cisco Routers :: Connecting Two RV082 Back To Back

Jan 7, 2013

I'm looking for instructions on how to setup and connect two RV082 routers together with a crossover cable between their WAN ports. This is to connect two separate LANS together via an ethernet connection. For staging we are setting everything up with a crossover cable in our shop.  Ultimately the crossover cable will be replaced by a microwave link between the two LANS several miles apart.  There will be no internet connection.


Cisco WAN :: 1841 Securing E1 Back-to-back Connections

Aug 28, 2012

Securing a back-to-back connection using E1. The connection is between two cities, using 2x Cisco 1841 router + VWIC-1MFT-E1 interface at each city.
 
The E1 connections have been provided by our local telco, and they are completely private. The customer is a bank, and they are asking me if this is a secure connection or not. If possible, we need to guarantee that nobody can get access to the bank network even if they brought an E1 modem to one of the ends (telco PoP).

Copyrights 2005-15 www.BigResource.com, All rights reserved