Re: SMTP and tcp ports



On Wed, 30 Apr 2008 12:30:35 -0400, News Reader <user@xxxxxxxxxxx>
wrote:

> Bob Simon wrote:
>> I have an access list applied inbound on the outside interface of a
>> 2600 connected to the edge router. I found that I needed smtp ACEs
>> for both the source port and for the destination port to our exchange
>> server.
>> 50 permit tcp any eq smtp host 192.168.0.20 (99012 matches)
>> 60 permit tcp any host 192.168.0.20 eq smtp log (880 matches)
>>
>> Why is this? I thought inbound traffic to the server would be on
>> random destination ports allocated by PAT on the edge router; no?
>
> You have static NAT set up for the SMTP server, don't you?
>
> e.g.: ip nat inside source static tcp 192.168.0.20 25 interface
> <external-interface> 25

Yes, but NAT is handled by the edge router, which is managed by the
ISP, so I can't see exactly what is going on in that box.

> That port is being committed for that purpose.
>
> Any inbound connection setup would be directed at port 25.
>
> Outbound SMTP connections from your server to an Internet-residing
> server would be from source port 25 with returning traffic coming to
> destination port 25.
>
>
> With regard to random PAT ports, consider the following:
>
> An internal client initiates a connection with source port 1200 to a
> server on the web. The packet is forwarded by the NAT router with source
> port 1200.
>
> A second client initiates a connection with source port 1200
> (coincidence) to any resource on the web. The NAT router will forward
> the packet with a "random unused source port" NOT involved in a
> pre-existing translation.
>
> A random port is used when the desired source port is already being
> translated.
>
> The random source ports (destination ports on the return path) aid PAT
> in associating returning packets with the correct internal host.

Thank you. This was helpful, but I still have a bit of confusion
about source and destination well-known ports that I mentioned in the
previous reply. Can you help me clear this up?
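The two ACEs quoted in the thread and the PAT collision rule, modelled in Python as an added example that is not part of the original posts. It shows which ACE each traffic direction hits, why ACE 50 (permitting on source port alone) also admits any packet that merely claims source port 25 and how the IOS `established` keyword narrows it, and when PAT keeps versus reassigns a source port; the remote addresses, ephemeral ports and the `Pkt`/`pat_translate` names are my constructions, and only 192.168.0.20 comes from the post.

```python
from dataclasses import dataclass

SMTP, SERVER = 25, "192.168.0.20"          # the Exchange host from the post

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = True   # False only for a connection-opening SYN

def ace_50(p: Pkt) -> bool:
    """50 permit tcp any eq smtp host 192.168.0.20  -> tests the SOURCE port."""
    return p.sport == SMTP and p.dst == SERVER

def ace_60(p: Pkt) -> bool:
    """60 permit tcp any host 192.168.0.20 eq smtp  -> tests the DESTINATION port."""
    return p.dst == SERVER and p.dport == SMTP

def ace_50_established(p: Pkt) -> bool:
    """ACE 50 with the IOS 'established' keyword: only ACK/RST packets (replies to
    sessions the server opened) pass; a SYN that merely claims source port 25 is denied."""
    return ace_50(p) and p.ack

def first_match(p: Pkt) -> str:
    """Sequence number of the first ACE that permits p, evaluated in IOS order."""
    for seq, ace in (("50", ace_50), ("60", ace_60)):
        if ace(p):
            return seq
    return "implicit deny"

def pat_translate(table: dict, inside_ip: str, sport: int) -> int:
    """Port-preserving PAT: keep the inside source port unless another inside host
    already holds it, else take an unused high port (lowest free one here, for
    determinism; a real router draws from a pool).  table: (ip, sport) -> outside port."""
    key = (inside_ip, sport)
    if key not in table:
        used = set(table.values())
        table[key] = sport if sport not in used else next(p for p in range(1024, 65536) if p not in used)
    return table[key]

if __name__ == "__main__":
    inbound = Pkt("203.0.113.7", 51000, SERVER, SMTP)            # remote MTA delivering to us
    reply   = Pkt("203.0.113.7", SMTP, SERVER, 51000)            # reply to mail our server sent
    spoofed = Pkt("203.0.113.7", SMTP, SERVER, 1234, ack=False)  # fresh SYN claiming source port 25
    print(first_match(inbound), first_match(reply), first_match(spoofed))  # 60 50 50
    print(ace_50_established(spoofed))                                      # False
    nat = {}
    print(pat_translate(nat, "192.168.0.31", 1200), pat_translate(nat, "192.168.0.32", 1200))  # 1200 1024
```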