Question : Problem: unable to configure external client to receive POP mail

I am in the process of configuring POP mail on my server at home. I can set up my clients inside my network and they receive all mail sent to them. However, when I am outside of my network I am unable to configure Outlook. It will not authenticate. Also, when I configure my internal e-mail clients, I have to use my internal server's IP address, 192.168.X.X, not the domain name, mail.alabamaebaugh.com. From the inside and outside I can telnet to my mail server ports 110 and 25. I am thinking it is a NAT issue on my 2600.

Here is my config:
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 2620
!
boot-start-marker
boot-end-marker
!
enable secret
enable password
!
memory-size iomem 15
no aaa new-model
ip subnet-zero
!
!
ip domain name alabamaebaugh.com
ip name-server
ip name-server
ip dhcp excluded-address 192.168.1.1 192.168.1.30
ip dhcp excluded-address 192.168.1.150 192.168.1.255
!
ip dhcp pool 192.168.1.0/24
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
!
no ip bootp server
ip cef
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 speed auto
 full-duplex
!
interface Serial0/0
 no ip address
 shutdown
!
interface FastEthernet1/0
 ip address 24.214.175.252 255.255.255.0
 ip access-group 1 in
 ip nat outside
 full-duplex
!
ip nat inside source list 1 interface FastEthernet1/0 overload
ip nat inside source static tcp 192.168.1.102 3389 24.214.175.252 3389 extendable
ip nat inside source static tcp 192.168.1.102 21 24.214.175.252 21 extendable
ip nat inside source static tcp 192.168.1.28 22 24.214.175.252 22 extendable
ip nat inside source static tcp 192.168.1.1 23 24.214.175.252 23 extendable
ip nat inside source static tcp 192.168.1.10 515 24.214.175.252 515 extendable
ip nat inside source static tcp 192.168.1.102 443 24.214.175.252 443 extendable
ip nat inside source static tcp 192.198.1.102 8099 24.214.175.252 8099 extendable
ip nat inside source static tcp 192.198.1.102 8098 24.214.175.252 8098 extendable
ip nat inside source static tcp 192.168.1.102 25 24.214.175.252 25 extendable
ip nat inside source static tcp 192.168.1.102 110 24.214.175.252 110 extendable
ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 24.214.175.1
!
!
access-list 1 deny   63.245.209.31
access-list 1 deny   220.128.237.183
access-list 1 deny   202.75.55.169
access-list 1 deny   198.78.220.126
access-list 1 deny   63.245.209.49
access-list 1 deny   72.246.30.145
access-list 1 deny   125.79.18.26
access-list 1 deny   207.46.211.124
access-list 1 deny   89.32.206.218
access-list 1 deny   61.129.52.230
access-list 1 deny   192.168.2.17
access-list 1 deny   204.160.105.126
access-list 1 deny   212.244.126.217
access-list 1 deny   219.94.148.158
access-list 1 deny   64.202.165.178
access-list 1 deny   221.174.24.197
access-list 1 deny   222.200.161.12
access-list 1 deny   222.181.93.230
access-list 1 deny   65.55.184.29
access-list 1 deny   64.4.23.190
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 1 permit any
!
line con 0
 password
 login
line aux 0
line vty 0 4
 password
 login
!
!
end

Here is my NAT translation:
2620#show ip nat translation
Pro Inside global      Inside local       Outside local      Outside global
tcp 24.214.175.252:479 24.214.175.252:80  65.214.44.129:44873 65.214.44.129:448
3
tcp 24.214.175.252:8098 192.198.1.102:8098 ---               ---
tcp 24.214.175.252:8099 192.198.1.102:8099 ---               ---
tcp 24.214.175.252:21  192.168.1.102:21   ---                ---
tcp 24.214.175.252:22  192.168.1.28:22    ---                ---
tcp 24.214.175.252:23  192.168.1.1:23     ---                ---
tcp 24.214.175.252:25  192.168.1.102:25   ---                ---
tcp 24.214.175.252:496 24.214.175.252:80  4.79.142.206:60204 4.79.142.206:60204
tcp 24.214.175.252:477 24.214.175.252:80  65.214.44.129:43034 65.214.44.129:4304
tcp 24.214.175.252:110 192.168.1.102:110  ---                ---
tcp 24.214.175.252:485 24.214.175.252:80  63.123.238.8:55623 63.123.238.8:55623
tcp 24.214.175.252:489 24.214.175.252:80  65.214.44.129:34965 65.214.44.129:3495
tcp 24.214.175.252:443 192.168.1.102:443  ---                ---
tcp 24.214.175.252:515 192.168.1.10:515   ---                ---
tcp 24.214.175.252:6   24.214.175.252:80  63.123.238.8:11486 63.123.238.8:11486
tcp 24.214.175.252:475 24.214.175.252:80  65.214.44.129:60050 65.214.44.129:6000
tcp 24.214.175.252:4413 192.168.1.37:4413 199.106.209.226:80 199.106.209.226:80
tcp 24.214.175.252:491 24.214.175.252:80  65.214.44.129:43690 65.214.44.129:4360
Pro Inside global      Inside local       Outside local      Outside global
tcp 24.214.175.252:1695 192.168.1.102:1695 72.5.124.55:80    72.5.124.55:80
tcp 24.214.175.252:23  192.168.1.1:23     69.18.92.132:49761 69.18.92.132:49761
tcp 24.214.175.252:2   24.214.175.252:80  63.123.238.8:1702  63.123.238.8:1702
tcp 24.214.175.252:504 24.214.175.252:80  65.214.44.129:40095 65.214.44.129:4005
tcp 24.214.175.252:3389 192.168.1.102:3389 ---               ---
tcp 24.214.175.252:493 24.214.175.252:80  65.214.44.129:58727 65.214.44.129:5877
tcp 24.214.175.252:481 24.214.175.252:80  63.123.238.8:40814 63.123.238.8:40814

Answer : Problem: unable to configure external client to receive POP mail

The second problem is indeed a NAT issue. On IOS, I do not believe there is a mechanism to hairpin NAT like the PIX/ASA platform will now do. This is due to the fact that the packet has to traverse the IOS from an outside NAT interface to an inside NAT interface (or vice versa) in order to be NATted.

The first problem is a problem with your Outlook client configuration.  When I try to POP into your address 24.214.175.252, I get the following:

+OK <[email protected]aebaugh.com>, POP3 server ready.

This means your router is NATting properly and is allowing access.  Nothing you change on the router will therefore fix your authentication problem.

Furthermore, you should not use the same ACL for your NAT list and your filter list.

Delete all of the deny entries, as well as the permit any from access-list 1 and put them in access-list 2.  Then apply access-group 2 to the interface.

HTH

kr
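The ACL advice above can be checked mechanically. The following is an added example, not part of the original answer: a small Python audit that flags any ACL used both as a NAT source list and as an interface `access-group`. It goes one step beyond the answer by also listing static NAT inside-local addresses that are not on any `ip nat inside` subnet. The function name `audit_nat_config` and the trimmed sample config are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed excerpt of the configuration posted in the question (trimmed).
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface FastEthernet1/0
 ip address 24.214.175.252 255.255.255.0
 ip access-group 1 in
 ip nat outside
!
ip nat inside source list 1 interface FastEthernet1/0 overload
ip nat inside source static tcp 192.168.1.102 110 24.214.175.252 110 extendable
ip nat inside source static tcp 192.198.1.102 8099 24.214.175.252 8099 extendable
access-list 1 deny   63.245.209.31
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit any
"""


def audit_nat_config(config):
    """Hypothetical helper: report ACLs used for both NAT and filtering, and
    static NAT inside-local addresses that sit on no 'ip nat inside' subnet."""
    filter_acls, nat_acls, static_locals, ifaces = set(), set(), [], []
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            ifaces.append({"net": None, "inside": False})
        elif (m := re.match(r"ip address (\S+) (\S+)$", line)) and ifaces:
            ifaces[-1]["net"] = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
        elif line == "ip nat inside" and ifaces:
            ifaces[-1]["inside"] = True
        elif m := re.match(r"ip access-group (\S+) (?:in|out)$", line):
            filter_acls.add(m[1])          # ACL applied as a packet filter
        elif m := re.match(r"ip nat inside source list (\S+) ", line):
            nat_acls.add(m[1])             # ACL selecting traffic to translate
        elif m := re.match(r"ip nat inside source static (?:tcp|udp) (\S+) ", line):
            static_locals.append(ipaddress.ip_address(m[1]))
    inside_nets = [i["net"] for i in ifaces if i["inside"] and i["net"]]
    stray = sorted({str(a) for a in static_locals
                    if not any(a in net for net in inside_nets)})
    return {"shared_acls": sorted(filter_acls & nat_acls), "stray_static_locals": stray}


if __name__ == "__main__":
    print(audit_nat_config(SAMPLE_CONFIG))
```

Once the deny entries and the `permit any` are moved to access-list 2 and the interface uses `ip access-group 2 in`, the shared-ACL list comes back empty.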