Re: SMTP and tcp ports

---

• From: News Reader <user@xxxxxxxxxxx>
• Date: Wed, 30 Apr 2008 12:30:35 -0400

---

Bob Simon wrote:

I have an access list applied inbound on the outside interface of a
2600 connected to the edge router. I found that I needed smtp ACEs
for both the source port and for the destination port to our exchange
server.
50 permit tcp any eq smtp host 192.168.0.20 (99012 matches)
60 permit tcp any host 192.168.0.20 eq smtp log (880 matches)

Why is this? I thought inbound traffic to the server would be on
random destination ports allocated by PAT on the edge router; no?

You have static NAT setup for the SMTP server don't you?

e.g.: ip nat inside source static tcp 192.168.0.20 25 interface <external-interface> 25

That port is being committed for that purpose.

Any inbound connection setup would be directed at port 25.

Outbound SMTP connections from your server to an Internet-residing server would be from source port 25 with returning traffic coming to destination port 25.


With regard to random PAT ports, consider the following:

An internal client initiates a connection with source port 1200 to a server on the web. The packet is forwarded by the NAT router with source port 1200.

A second client initiates a connection with source port 1200 (coincidence) to any resource on the web. The NAT router will forward the packet with a "random unused source port" NOT involved in a pre-existing translation.

A random port is used when the desired source port is already being translated.

The random source ports (destination ports on the return path) aid PAT in associating returning packets with the correct internal host.

Best Regards,
News Reader
.

---

• Follow-Ups:
  • Re: SMTP and tcp ports
    • From: Bob Simon

• References:
  • SMTP and tcp ports
    • From: Bob Simon

• Prev by Date: Re: Policy Based Routing on Cisco L3 Switch 3550 with IOS 12.1(22)
• Next by Date: Re: A QoS dscp question
• Previous by thread: Re: SMTP and tcp ports
• Next by thread: Re: SMTP and tcp ports
• Index(es):
  • Date
  • Thread

---

Relevant Pages Re: FTP server ... With the original ftpd, here is what i get by analysing: ... Source port: 1025 Destination port: 65000 ... Connection not closed abruptly ... (microsoft.public.windowsce.embedded) Re: FTP server ... With the original ftpd, here is what i get by analysing: ... Source port: 1025 Destination port: 65000 ... Connection not closed abruptly ... (microsoft.public.windowsce.embedded) Re: FTP server ... With the original ftpd, here is what i get by analysing: ... Source port: 1025 Destination port: 65000 ... Connection not closed abruptly ... (microsoft.public.windowsce.embedded) Re: SMTP and tcp ports ... This ACE would not match clients (source port>1023). ... This ACE currently matches clients (destination port 25). ... A Cisco switch initiates an NTP connection to an NTP server on the router: ... (comp.dcom.sys.cisco) Re: L2TP VPN Connection Question ... The following is the output of portqry: ... Cannot use source port 500, this port is already in use ... > My question here concerns setting up the VPN connection through XP. ... (microsoft.public.windowsxp.network_web)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(12)