G+_Eddie Foy Posted February 12, 2015
Strange Cisco router (2851) issue: I run an email server at home (on a Synology NAS). If I log on my neighbor's Wifi, I can reach both incoming and SMTP, no prob (so A and MX records seem correct at my registrar). But if I'm on my internal LAN, no go unless I change the mail addresses to the internal IPs (even using the external/WAN IP instead of the domain name doesn't work). I can ping the domain name and the WAN IP (from the internal LAN). nmap from my cloud VPS shows the correct open ports. But it seems the router is blocking the mail connections from going out and in. Is this a NAT issue? I can get to my cloud based email via clients (Apple Mail, not web mail) and the server does receive outside mail. Router config line for most holes poked through the router/NAT is (adjust for ports/services):

ip nat inside source static tcp 192.168.1.149 25 interface Gi0/0 25
G+_Eddie Foy (author) Posted February 12, 2015
If I use a VPN (ProXPN) I can connect. Odd.
G+_Travis Hershberger Posted February 12, 2015
Sounds like a DNS issue to me. I so wish DNS would just work, but it never seems to. Is the mail server showing the correct name and IP in the ARP table wherever your DNS server is?
G+_Eddie Foy (author) Posted February 12, 2015
Oooh, hang on. Gonna flush the ARP. Nope, ARP flush didn't do it. Not running a DNS server actively, just using the ubiquitous 208.67.222.220, 208.67.220.222, 8.8.8.8 and 8.8.4.4. I thought it might be a DNS issue, but traceroute works, and it still fails with IPs.
G+_Jeff Brand Posted February 12, 2015
The key (as you've demonstrated) is that it fails when you try to use your external IP to visit your local network. Looks like you've got a case of NAT Loopback: http://en.wikipedia.org/wiki/Network_address_translation#NAT_loopback

I've had this work on some routers and not on others. I haven't found a specific fix but it's a common issue and I think your hardware will let you fix it with the right configuration. This page may help guide you in the right direction: http://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/13772-12.html

I have a feeling Fr. Robert Ballecer, SJ knows how to fix this off of the top of his head.
G+_Jeff Brand Posted February 12, 2015
One quick follow-up: I read a passing mention that the proper fix isn't supported by Cisco IOS. If your internal clients (laptop) use the router's DNS then you can set up a workaround which may be good enough for you. Here's an excerpt from https://supportforums.cisco.com/discussion/11734176/nat-loopback

-------
ip host www.example.net 10.10.10.10 ! FQDN and real IP of your server
ip name-server 8.8.8.8 ! IP of your ISP-DNS
ip dns server
-------

Now point the DNS of your internal clients to the router and each time they try to resolve www.example.net they get 10.10.10.10 instead of the real public IP.
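The symptom in the first post (ping to the WAN IP works, SMTP to it fails from the LAN, works from outside or over VPN) and the `ip host` workaround quoted above, modelled as an added example that is not code from the thread or from Cisco. It also models hairpin NAT, which the thread only names. The public address, the LAN client address and the hostname are constructed placeholders; only the server's LAN address and port come from the posted static NAT line, and "the router consumes the packet" is a simplified model of the non-hairpinning case.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed addressing. Only the server's LAN address and port come from the
# thread's static NAT line; the public address is a documentation placeholder.
WAN_IP = "203.0.113.10"
SERVER_LAN = "192.168.1.149"
PUBLIC_DNS = {"mail.example.net": WAN_IP}        # what 8.8.8.8 would answer
ROUTER_HOSTS = {"mail.example.net": SERVER_LAN}  # the 'ip host' override
STATIC_NAT = {(WAN_IP, 25): (SERVER_LAN, 25)}    # ip nat inside source static tcp ...

@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    dport: int

def inside(ip: str) -> bool:
    return ip.startswith("192.168.1.")

def forward(p: Pkt, hairpin: bool) -> tuple[str, str | None]:
    """Return (host that receives the SYN, source address the client sees on the
    SYN/ACK). If that source differs from p.dst the client's TCP stack discards
    the reply, so the connection fails."""
    rule = STATIC_NAT.get((p.dst, p.dport))
    if rule is None:                       # ordinary routing, no translation
        return p.dst, p.dst
    real_ip, _ = rule
    if not inside(p.src):                  # SYN arrives on the outside interface
        return real_ip, p.dst              # reply is un-NATed back to WAN_IP
    if not hairpin:                        # inside -> router's own WAN address
        return "router", None              # router answers ping, but runs no SMTP
    # Hairpin NAT: translate dst *and* src so the reply passes back through the
    # router and is rewritten to WAN_IP before reaching the client.
    return real_ip, p.dst

def resolve(name: str, client: str, split_dns: bool) -> str:
    """Router as resolver: internal clients get the 'ip host' answer."""
    if split_dns and inside(client) and name in ROUTER_HOSTS:
        return ROUTER_HOSTS[name]
    return PUBLIC_DNS[name]

def smtp_reachable(client: str, hairpin: bool = False, split_dns: bool = False) -> bool:
    target = resolve("mail.example.net", client, split_dns)
    receiver, reply_src = forward(Pkt(client, target, 25), hairpin)
    return receiver == SERVER_LAN and reply_src == target
```

`smtp_reachable("192.168.1.50")` is the thread's failure; the same call with `split_dns=True` succeeds because the client never sends to the WAN address at all.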
G+_Eddie Foy (author) Posted February 12, 2015
Thanks Jeff Brand. Reading the forum posts, I think setting up and learning DNS is in order and probably the better solution. It's been on my list for a while. The natural NAT hairpinning/loopback blocking actually makes sense. (I noticed later pretty much everything was blocked via this, not just the mail server.)