Cannot telnet from internal hosts to port 25

Hello everyone,

I am currently running a Cisco 2621XM router with 4 static VPN tunnels (peers).

All is going OK, however my only problem is that the internal hosts can receive email but they cannot send them.

I cannot telnet from the internal LAN, anyone any ideas, and be gentle, I'm a newcomer :)

aaa authentication login default local
aaa authentication login userauthen group radius local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
ip cef
!
ip name-server 212.159.13.49
ip name-server 212.159.13.50
ip name-server 212.159.6.10
!
ip inspect name sunshine ftp
ip inspect name sunshine http
ip inspect name sunshine tftp
ip inspect name sunshine netshow
ip inspect name sunshine realaudio
ip inspect name sunshine sip
ip inspect name sunshine skinny
ip inspect name sunshine icmp
ip inspect name sunshine rtsp
ip inspect name sunshine streamworks
ip inspect name sunshine tcp
ip inspect name sunshine udp
ip audit po max-events 100
!
username
!
crypto isakmp policy 100
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 1800
!
crypto isakmp key address no-xauth
crypto isakmp key address no-xauth
crypto isakmp key address no-xauth
crypto isakmp key address no-xauth
crypto isakmp key address no-xauth
crypto isakmp keepalive 30 5
!
crypto isakmp client configuration
 key
 pool ippool
 acl 108
!
crypto ipsec security-association lifetime seconds 42300
!
crypto ipsec transform-set sunshine esp-3des esp-md5-hmac
crypto ipsec transform-set sunshine2 esp-des esp-md5-hmac
crypto ipsec transform-set sunshine3 esp-aes esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set sunshine
 reverse-route
!
crypto map sunshine client authentication list userauthen
crypto map sunshine isakmp authorization list groupauthor
crypto map sunshine client configuration address respond
crypto map sunshine 10 ipsec-isakmp dynamic dynmap
crypto map sunshine 100 ipsec-isakmp
 set peer
 set transform-set sunshine
 match address 120
crypto map sunshine 200 ipsec-isakmp
 set peer
 set transform-set sunshine
 match address 121
crypto map sunshine 300 ipsec-isakmp
 ! Incomplete
 set peer
 set transform-set sunshine
 match address 122
crypto map sunshine 400 ipsec-isakmp
 set peer
 set transform-set sunshine
 match address 123
crypto map sunshine 500 ipsec-isakmp
 set peer
 set transform-set sunshine
 match address 124
crypto map sunshine 600 ipsec-isakmp
 set peer
 set transform-set sunshine
 match address 125
!
!
interface ATM0/0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0/0.1 point-to-point
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0/0
 description Sunshine internal LAN
 ip address 89.0.0.10 255.0.0.0

Reply to
tweety

Tweety

The usual port for TELNET is 23, not 25. Port 25 is for SMTP which supports e-mail.

Having said that I am not a Cisco specialist so maybe there are "tricks" Cisco implementations of IP and the supported protocols play which I know nothing about, this being such a "smoke and mirrors" business.

Chris Mason

> Hello everyone,

Reply to
Chris Mason

Hi Chris,

Thanks for your input,

Sorry, I meant I'm trying to telnet to port 25 (SMTP) from host to host, and from host to internal mail server. I keep getting "Connecting To host 192.168.10.2...Could not open connection to the host, on port 25: Connect failed"

Hehe, smoke and mirrors, I like that one. Anyone help with the smoke here?

Chris Mason

> Tweety

Reply to
tweety

P.S. Chris,

my name is Andrew Mason,

small world eh?

tweety wrote:

Reply to
tweety

I have had a bit of a look and it looks OK.

Is communication working between the hosts? i.e. ping. Possible issues are:

- host rejecting connection
- routing
- crypto
- NAT

It is worth getting a look to see if you are getting any replies from anything in the path or the remote host.

Install Ethereal - PS I have had a lot of trouble with 0.99 for Windows binary crashing - I like 0.10.14.

You just have to step through the path and check that it is working at each step.

sh ip nat tr
sh ip access-l

and check the counters. Add more specific entries to the ACL to check for your packets.

On the router if you

conf t
logg mon deb
end
term mon
deb ip icmp

telnet mail.server 25 source int fa 0/0

You may see if any intermediate routers are rejecting your packets for any reason.

Consider temporarily removing ACLs to eliminate ACL problem.

I don't know what software you are running, however changes were made such that the inbound ACL on a crypto interface did not see the decrypted packets. If you have such a release (some 12.3 and all 12.4 (IIRC)). Previously ACLs were checked both before and after decryption, now it is only before.

Reply to
Bod43
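
A small probe for the "step through the path" check suggested above, as an added example that is not part of the original thread. It classifies one TCP connection attempt to port 25 by how it fails, which helps separate a host (or host firewall) actively rejecting the connection from packets being dropped somewhere in the path. The function names and the loopback stand-in server are constructed for illustration.

```python
import errno
import socket
import threading

def probe_smtp(host, port=25, timeout=3.0):
    """Classify one TCP connect attempt; returns (verdict, detail)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                banner = s.recv(512).decode("ascii", "replace").strip()
            except socket.timeout:
                return ("open-no-banner", "handshake completed, no SMTP greeting")
            if banner.startswith("220"):
                return ("open", banner)
            return ("open-unexpected", banner or "peer closed without greeting")
    except socket.timeout:
        # SYN sent, nothing came back: dropped by an ACL, routing, crypto or NAT.
        return ("filtered", "no reply before timeout; check ACL counters and path")
    except ConnectionRefusedError:
        # A reset came back: the target (or a filter answering for it) said no.
        return ("refused", "connection reset; check the listener and host firewall/AV")
    except OSError as e:
        if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return ("unreachable", "ICMP unreachable received; check routing")
        return ("error", str(e))

def demo_server():
    """Constructed stand-in for a mail server: loopback listener sending a 220 greeting."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        conn.sendall(b"220 mail.example.test ESMTP\r\n")
        conn.close()
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def closed_port():
    """Return a loopback port with nothing listening on it (constructed test input)."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port

if __name__ == "__main__":
    print(probe_smtp("127.0.0.1", demo_server()))
    print(probe_smtp("127.0.0.1", closed_port()))
```

Run it from each hop you control (client, then a host on the mail server's own LAN): where the verdict changes between hops is where the connection is being blocked.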

Hi Bod thanks for the suggestions,

All good for the learning curve.

However it turns out that the problem was that McAfee VirusScan console running on the remote LAN was blocking telnet.

After reading 200+ pages of logs I discovered this.

Sometimes I wish I had become a farmer :)

Thanks Bod and Chris for your replies, it was most appreciated.

Andrew.

snipped-for-privacy@hotmail.co.uk wrote:

Reply to
tweety
