pop3 receiving

pop3 receiving - 17.Apr.2006 5:45:32 PM   
plna

 

Posts: 28
Joined: 12.Mar.2006
Status: offline
Why can't my w/s running the FWC receive pop3 traffic?
Post #: 1
RE: pop3 receiving - 17.Apr.2006 5:50:34 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi plna,

What have you already done to make that happen?
What email client are you using? If it is Outlook, please check out http://www.isaserver.org/articles/2004olpop3smtp.html.

HTH,
Stefaan

(in reply to plna)
Post #: 2
RE: pop3 receiving - 17.Apr.2006 5:57:18 PM   
plna

 

Posts: 28
Joined: 12.Mar.2006
Status: offline
I have printed out that article and followed it line for line through ISA server. I have still not been able to receive pop3 to my Outlook client. I am also receiving e-mail from an imap source to my Outlook client and that works fine.

(in reply to spouseele)
Post #: 3
RE: pop3 receiving - 17.Apr.2006 6:02:37 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi plna,

OK, so what is the ISA logging telling you *exactly* for those POP3 connections?

HTH,
Stefaan

(in reply to plna)
Post #: 4
RE: pop3 receiving - 17.Apr.2006 6:13:04 PM   
plna

 

Posts: 28
Joined: 12.Mar.2006
Status: offline
This is what I see in the log file when the client is active.
ASPEN 2006-04-17 15:58:11 TCP 172.16.208.107:2618 69.66.0.140:110 172.16.208.107 Internal External Denied 0xc0040017 - POP3 0 0 0 0 - - - - 0 0
ASPEN 2006-04-17 15:58:11 TCP 172.16.208.107:2618 69.66.0.140:110 172.16.208.107 Internal External Denied 0xc0040017 - POP3 0 0 0 0 - - - - 0 0

(in reply to spouseele)
Post #: 5
RE: pop3 receiving - 17.Apr.2006 11:21:19 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi plna,

the log excerpt is hard to read without the column headings. Please, export the relevant log entries and the column headings should be there too.

Also, try the following command on an internal client: 'telnet 69.66.0.140 110' (without quotes). You should get the answer '+OK Hello there.'. When you then write 'QUIT' the connection should be terminated. Please, post the log excerpt of this test too with the column headers included.

HTH,
Stefaan

(in reply to plna)
Post #: 6
RE: pop3 receiving - 18.Apr.2006 3:50:32 PM   
plna

 

Posts: 28
Joined: 12.Mar.2006
Status: offline
I am looking at the log from Notepad. Not sure how to extract the info yet; I will work on it.
Copy and paste into Excel and it should line up.


Original Client IP Client Agent Authenticated Client Service Server Name Referring Server Destination Host Name Transport MIME Type Object Source Source Proxy Destination Proxy Bidirectional Client Host Name Filter Information Network Interface Raw IP Header Raw Payload Source Port Processing Time Bytes Sent Bytes Received Result Code HTTP Status Code Cache Information Error Information Log Record Type Log Time Destination IP Destination Port Protocol Action Rule Client IP Client Username Source Network Destination Network HTTP Method URL
172.16.208.107 OUTLOOK.EXE:3:5.1   ASPEN -  TCP -      -    2001 16 0 0 0x0   0x0 0x0 Firewall 4/18/2006 12:33:29 PM 69.66.0.140 110 POP3 Initiated Connection Allow Outbound 172.16.208.107 iru6670 (?) Internal External - -
172.16.208.107    ASPEN -  TCP -      -    2000 0 0 0 0x0   0x0 0x0 Firewall 4/18/2006 12:33:31 PM 172.16.192.123 1745 Unidentified IP Traffic Initiated Connection  172.16.208.107  Internal Local Host - -
172.16.208.107    ASPEN -  TCP -      -    2001 0 0 0 0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED  0x0 0x0 Firewall 4/18/2006 12:33:31 PM 69.66.0.140 110 POP3 Denied Connection  172.16.208.107  Internal External - -
172.16.208.107    ASPEN -  TCP -      -    2001 0 0 0 0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED  0x0 0x0 Firewall 4/18/2006 12:33:34 PM 69.66.0.140 110 POP3 Denied Connection  172.16.208.107  Internal External - -
172.16.208.107    ASPEN -  TCP -      -    2001 0 0 0 0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED  0x0 0x0 Firewall 4/18/2006 12:33:34 PM 69.66.0.140 110 POP3 Denied Connection  172.16.208.107  Internal External - -
172.16.208.107    ASPEN -  TCP -      -    2001 0 0 0 0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED  0x0 0x0 Firewall 4/18/2006 12:33:40 PM 69.66.0.140 110 POP3 Denied Connection  172.16.208.107  Internal External - -
172.16.208.107    ASPEN -  TCP -      -    2001 0 0 0 0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED  0x0 0x0 Firewall 4/18/2006 12:33:40 PM 69.66.0.140 110 POP3 Denied Connection  172.16.208.107  Internal External - -
172.16.208.107    ASPEN -  TCP -      -    2002 0 0 0 0x0   0x0 0x0 Firewall 4/18/2006 12:33:46 PM 172.16.192.123 8080 Unidentified IP Traffic Initiated Connection  172.16.208.107  Internal Local Host - -
0.0.0.0 Mozilla/4.01 [en] (Win95; I) No Proxy ASPEN  shttp.msg.yahoo.com TCP  Internet - -  -  - - - 0 219 490 410  200  0x40000004 0x600 Web Proxy Filter 4/18/2006 12:33:46 PM 216.155.194.191 80 http Allowed Connection Allow Outbound 172.16.208.107 anonymous Internal External POST http://shttp.msg.yahoo.com/notify/
172.16.208.107    ASPEN -  TCP -      -    2002 2000 734 698 0x80074e20   0x0 0x0 Firewall 4/18/2006 12:33:48 PM 172.16.192.123 8080 Unidentified IP Traffic Closed Connection  172.16.208.107  Internal Local Host - -
172.16.208.107    ASPEN -  TCP -      -    1969 0 0 0 0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED  0x0 0x0 Firewall 4/18/2006 12:34:28 PM 172.16.192.123 8080 Unidentified IP Traffic Denied Connection  172.16.208.107  Internal Local Host - -
172.16.208.107 OUTLOOK.EXE:3:5.1   ASPEN -  TCP -      -    2001 69969 144 0 0x80074e20   0x0 0x0 Firewall 4/18/2006 12:34:39 PM 69.66.0.140 110 POP3 Closed Connection Allow Outbound 172.16.208.107 iru6670 (?) Internal External - -
172.16.208.107    ASPEN -  TCP -      -    2006 0 0 0 0x0   0x0 0x0 Firewall 4/18/2006 12:34:39 PM 69.66.0.140 110 POP3 Initiated Connection Allow Outbound 172.16.208.107  Internal External - -
172.16.208.107 telnet.exe:3:5.1   ASPEN -  TCP -      -    2009 0 0 0 0x0   0x0 0x0 Firewall 4/18/2006 12:35:05 PM 69.66.0.140 110 POP3 Initiated Connection Allow Outbound 172.16.208.107 iru6670 (?) Internal External - -
172.16.208.107    ASPEN -  TCP -      -    2010 0 0 0 0x0   0x0 0x0 Firewall 4/18/2006 12:35:06 PM 172.16.192.123 1745 Unidentified IP Traffic Initiated Connection  172.16.208.107  Internal Local Host - -
172.16.208.107    ASPEN -  TCP -      -    2009 0 0 0 0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED  0x0 0x0 Firewall 4/18/2006 12:35:06 PM 69.66.0.140 110 POP3 Denied Connection  172.16.208.107  Internal External - -
172.16.208.107    ASPEN -  TCP -      -    2009 0 0 0 0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED  0x0 0x0 Firewall 4/18/2006 12:35:10 PM 69.66.0.140 110 POP3 Denied Connection  172.16.208.107  Internal External - -
172.16.208.107    ASPEN -  TCP -      -    2009 0 0 0 0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED  0x0 0x0 Firewall 4/18/2006 12:35:10 PM 69.66.0.140 110 POP3 Denied Connection  172.16.208.107  Internal External - -
172.16.208.107    ASPEN -  TCP -      -    2009 0 0 0 0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED  0x0 0x0 Firewall 4/18/2006 12:35:16 PM 69.66.0.140 110 POP3 Denied Connection  172.16.208.107  Internal External - -
172.16.208.107    ASPEN -  TCP -      -    2009 0 0 0 0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED  0x0 0x0 Firewall 4/18/2006 12:35:16 PM 69.66.0.140 110 POP3 Denied Connection  172.16.208.107  Internal External - -
172.16.208.107    ASPEN -  TCP -      -    2010 22000 886 690 0x80074e21   0x0 0x0 Firewall 4/18/2006 12:35:28 PM 172.16.192.123 1745 Unidentified IP Traffic Closed Connection  172.16.208.107  Internal Local Host - -

< Message edited by plna -- 18.Apr.2006 7:37:26 PM >

(in reply to spouseele)
Post #: 7
RE: pop3 receiving - 18.Apr.2006 9:28:10 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi plna,

it sounds like the firewall policy allows the POP3 connection request but for some reason the ISA server isn't happy with the received response (0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED). The quickest way to find the real cause is to take a netmon trace at the ISA external interface.

HTH,
Stefaan

(in reply to plna)
Post #: 8
RE: pop3 receiving - 18.Apr.2006 9:31:59 PM   
plna

 

Posts: 28
Joined: 12.Mar.2006
Status: offline
OK, I will try to figure that one out.

This is what I captured:


107 4.287447 LOCAL 3COMBR3CCA8B TCP Control Bits: ....S., len:    0, seq:3110870188-3110870189, ack:         0, win:65535, src: 2814  dst:  110 iru6670b 69.66.0.140 IP
FRAME: Base frame properties
   FRAME: Time of capture = 4/18/2006 2:55:47 PM
   FRAME: Time delta from previous physical frame: 46875 microseconds
   FRAME: Frame number: 107
   FRAME: Total frame length: 62 bytes
   FRAME: Capture frame length: 62 bytes
   FRAME: Frame data: Number of data bytes remaining = 62 (0x003E)
ETHERNET:  EType = Internet IP (IPv4)
   ETHERNET: Destination address = 0800023CCA8B
       ETHERNET: 0....... = Individual address
       ETHERNET: .0...... = Universally administered address
   ETHERNET: Source address = 00306E1187B8
       ETHERNET: .0...... = Universally administered address
   ETHERNET: Ethernet Type : 0x0800 (Internet IP (IPv4))
IP: Protocol = TCP - Transmission Control; Packet ID = 49427; Total IP Length = 48; Options = No Options
   IP: Version = IPv4; Header Length = 20
       IP: 0100.... = IP Version 4
       IP: ....0101 = Header Length 20
   IP: Type of Service = Normal Service
       IP: 000..... = Precedence - Routine
       IP: ...0.... = Normal Delay
       IP: ....0... = Normal Throughput
       IP: .....0.. = Normal Reliability
       IP: ......0. = Normal Monetary Cost
   IP: Total Length = 48 (0x30)
   IP: Identification = 49427 (0xC113)
   IP: Fragmentation Summary = 16384 (0x4000)
       IP: .1.............. = Cannot fragment datagram
       IP: ..0............. = Last fragment in datagram
       IP: ...0000000000000 = Fragment Offset 0 (0x0000)
   IP: Time to Live = 127 (0x7F)
   IP: Protocol = TCP - Transmission Control
   IP: Checksum = 30826 (0x786A)
   IP: Source Address = 172.16.208.107
   IP: Destination Address = 69.66.0.140
TCP: Control Bits: ....S., len:    0, seq:3110870188-3110870189, ack:         0, win:65535, src: 2814  dst:  110
   TCP: Source Port = 0x0AFE
   TCP: Destination Port = Post Office Protocol - Version 3
   TCP: Sequence Number = 3110870188 (0xB96C1CAC)
   TCP: Acknowledgement Number = 0 (0x0)
   TCP: Data Offset = 28 bytes
       TCP: 0111.... = Data Offset (28 bytes)
       TCP: ....0000 = Reserved bits
   TCP: Flags = 0x02 : ....S.
       TCP: ..0..... = No urgent data
       TCP: ...0.... = Acknowledgement field not significant
       TCP: ....0... = No Push function
       TCP: .....0.. = No Reset
       TCP: ......1. = Synchronize sequence numbers
       TCP: .......0 = Not the end of the data
   TCP: Window = 65535 (0xFFFF)
   TCP: Checksum = 0xDF50
   TCP: Urgent Pointer = 0 (0x0)
   TCP: Options
       TCP: Maximum Segment Size Option
           TCP: Option Type = Maximum Segment Size
           TCP: Option Length = 4 (0x4)
           TCP: Maximum Segment Size = 1460 (0x5B4)
       TCP: Option Nop = 1 (0x1)
       TCP: Option Nop = 1 (0x1)
       TCP: SACK Permitted Option
           TCP: Option Type = Sack Permitted
           TCP: Option Length = 2 (0x2)
00000:  08 00 02 3C CA 8B 00 30 6E 11 87 B8 08 00 45 00   ...<‹.0n.‡..E.
00010:  00 30 C1 13 40 00 7F 06 78 6A AC 10 D0 6B 45 42   .0.@..xj.kEB
00020:  00 8C 0A FE 00 6E B9 6C 1C AC 00 00 00 00 70 02   .Œ..nl.....p.
00030:  FF FF DF 50 00 00 02 04 05 B4 01 01 04 02         P......... 

126 6.131197 LOCAL 3COMBR3CCA8B TCP Control Bits: ....S., len:    0, seq:3310213350-3310213351, ack:         0, win:65535, src: 2816  dst:  110 iru6670b 69.66.0.140 IP
FRAME: Base frame properties
   FRAME: Time of capture = 4/18/2006 2:55:49 PM
   FRAME: Time delta from previous physical frame: 46875 microseconds
   FRAME: Frame number: 126
   FRAME: Total frame length: 62 bytes
   FRAME: Capture frame length: 62 bytes
   FRAME: Frame data: Number of data bytes remaining = 62 (0x003E)
ETHERNET:  EType = Internet IP (IPv4)
   ETHERNET: Destination address = 0800023CCA8B
       ETHERNET: 0....... = Individual address
       ETHERNET: .0...... = Universally administered address
   ETHERNET: Source address = 00306E1187B8
       ETHERNET: .0...... = Universally administered address
   ETHERNET: Ethernet Type : 0x0800 (Internet IP (IPv4))
IP: Protocol = TCP - Transmission Control; Packet ID = 49453; Total IP Length = 48; Options = No Options
   IP: Version = IPv4; Header Length = 20
       IP: 0100.... = IP Version 4
       IP: ....0101 = Header Length 20
   IP: Type of Service = Normal Service
       IP: 000..... = Precedence - Routine
       IP: ...0.... = Normal Delay
       IP: ....0... = Normal Throughput
       IP: .....0.. = Normal Reliability
       IP: ......0. = Normal Monetary Cost
   IP: Total Length = 48 (0x30)
   IP: Identification = 49453 (0xC12D)
   IP: Fragmentation Summary = 16384 (0x4000)
       IP: .1.............. = Cannot fragment datagram
       IP: ..0............. = Last fragment in datagram
       IP: ...0000000000000 = Fragment Offset 0 (0x0000)
   IP: Time to Live = 127 (0x7F)
   IP: Protocol = TCP - Transmission Control
   IP: Checksum = 30800 (0x7850)
   IP: Source Address = 172.16.208.107
   IP: Destination Address = 69.66.0.140
TCP: Control Bits: ....S., len:    0, seq:3310213350-3310213351, ack:         0, win:65535, src: 2816  dst:  110
   TCP: Source Port = 0x0B00
   TCP: Destination Port = Post Office Protocol - Version 3
   TCP: Sequence Number = 3310213350 (0xC54DD8E6)
   TCP: Acknowledgement Number = 0 (0x0)
   TCP: Data Offset = 28 bytes
       TCP: 0111.... = Data Offset (28 bytes)
       TCP: ....0000 = Reserved bits
   TCP: Flags = 0x02 : ....S.
       TCP: ..0..... = No urgent data
       TCP: ...0.... = Acknowledgement field not significant
       TCP: ....0... = No Push function
       TCP: .....0.. = No Reset
       TCP: ......1. = Synchronize sequence numbers
       TCP: .......0 = Not the end of the data
   TCP: Window = 65535 (0xFFFF)
   TCP: Checksum = 0x1733
   TCP: Urgent Pointer = 0 (0x0)
   TCP: Options
       TCP: Maximum Segment Size Option
           TCP: Option Type = Maximum Segment Size
           TCP: Option Length = 4 (0x4)
           TCP: Maximum Segment Size = 1460 (0x5B4)
       TCP: Option Nop = 1 (0x1)
       TCP: Option Nop = 1 (0x1)
       TCP: SACK Permitted Option
           TCP: Option Type = Sack Permitted
           TCP: Option Length = 2 (0x2)
00000:  08 00 02 3C CA 8B 00 30 6E 11 87 B8 08 00 45 00   ...<‹.0n.‡..E.
00010:  00 30 C1 2D 40 00 7F 06 78 50 AC 10 D0 6B 45 42   .0-@..xP.kEB
00020:  00 8C 0B 00 00 6E C5 4D D8 E6 00 00 00 00 70 02   .Œ...nM....p.
00030:  FF FF 17 33 00 00 02 04 05 B4 01 01 04 02         .3......... 

146 7.256197 LOCAL 3COMBR3CCA8B TCP Control Bits: ....S., len:    0, seq:3110870188-3110870189, ack:         0, win:65535, src: 2814  dst:  110 iru6670b 69.66.0.140 IP
FRAME: Base frame properties
   FRAME: Time of capture = 4/18/2006 2:55:50 PM
   FRAME: Time delta from previous physical frame: 0 microseconds
   FRAME: Frame number: 146
   FRAME: Total frame length: 62 bytes
   FRAME: Capture frame length: 62 bytes
   FRAME: Frame data: Number of data bytes remaining = 62 (0x003E)
ETHERNET:  EType = Internet IP (IPv4)
   ETHERNET: Destination address = 0800023CCA8B
       ETHERNET: 0....... = Individual address
       ETHERNET: .0...... = Universally administered address
   ETHERNET: Source address = 00306E1187B8
       ETHERNET: .0...... = Universally administered address
   ETHERNET: Ethernet Type : 0x0800 (Internet IP (IPv4))
IP: Protocol = TCP - Transmission Control; Packet ID = 49471; Total IP Length = 48; Options = No Options
   IP: Version = IPv4; Header Length = 20
       IP: 0100.... = IP Version 4
       IP: ....0101 = Header Length 20
   IP: Type of Service = Normal Service
       IP: 000..... = Precedence - Routine
       IP: ...0.... = Normal Delay
       IP: ....0... = Normal Throughput
       IP: .....0.. = Normal Reliability
       IP: ......0. = Normal Monetary Cost
   IP: Total Length = 48 (0x30)
   IP: Identification = 49471 (0xC13F)
   IP: Fragmentation Summary = 16384 (0x4000)
       IP: .1.............. = Cannot fragment datagram
       IP: ..0............. = Last fragment in datagram
       IP: ...0000000000000 = Fragment Offset 0 (0x0000)
   IP: Time to Live = 127 (0x7F)
   IP: Protocol = TCP - Transmission Control
   IP: Checksum = 30782 (0x783E)
   IP: Source Address = 172.16.208.107
   IP: Destination Address = 69.66.0.140
TCP: Control Bits: ....S., len:    0, seq:3110870188-3110870189, ack:         0, win:65535, src: 2814  dst:  110
   TCP: Source Port = 0x0AFE
   TCP: Destination Port = Post Office Protocol - Version 3
   TCP: Sequence Number = 3110870188 (0xB96C1CAC)
   TCP: Acknowledgement Number = 0 (0x0)
   TCP: Data Offset = 28 bytes
       TCP: 0111.... = Data Offset (28 bytes)
       TCP: ....0000 = Reserved bits
   TCP: Flags = 0x02 : ....S.
       TCP: ..0..... = No urgent data
       TCP: ...0.... = Acknowledgement field not significant
       TCP: ....0... = No Push function
       TCP: .....0.. = No Reset
       TCP: ......1. = Synchronize sequence numbers
       TCP: .......0 = Not the end of the data
   TCP: Window = 65535 (0xFFFF)
   TCP: Checksum = 0xDF50
   TCP: Urgent Pointer = 0 (0x0)
   TCP: Options
       TCP: Maximum Segment Size Option
           TCP: Option Type = Maximum Segment Size
           TCP: Option Length = 4 (0x4)
           TCP: Maximum Segment Size = 1460 (0x5B4)
       TCP: Option Nop = 1 (0x1)
       TCP: Option Nop = 1 (0x1)
       TCP: SACK Permitted Option
           TCP: Option Type = Sack Permitted
           TCP: Option Length = 2 (0x2)
00000:  08 00 02 3C CA 8B 00 30 6E 11 87 B8 08 00 45 00   ...<‹.0n.‡..E.
00010:  00 30 C1 3F 40 00 7F 06 78 3E AC 10 D0 6B 45 42   .0?@..x>.kEB
00020:  00 8C 0A FE 00 6E B9 6C 1C AC 00 00 00 00 70 02   .Œ..nl.....p.
00030:  FF FF DF 50 00 00 02 04 05 B4 01 01 04 02         P......... 


358 9.068697 LOCAL 3COMBR3CCA8B TCP Control Bits: ....S., len:    0, seq:3310213350-3310213351, ack:         0, win:65535, src: 2816  dst:  110 iru6670b 69.66.0.140 IP
FRAME: Base frame properties
   FRAME: Time of capture = 4/18/2006 2:55:51 PM
   FRAME: Time delta from previous physical frame: 0 microseconds
   FRAME: Frame number: 358
   FRAME: Total frame length: 62 bytes
   FRAME: Capture frame length: 62 bytes
   FRAME: Frame data: Number of data bytes remaining = 62 (0x003E)
ETHERNET:  EType = Internet IP (IPv4)
   ETHERNET: Destination address = 0800023CCA8B
       ETHERNET: 0....... = Individual address
       ETHERNET: .0...... = Universally administered address
   ETHERNET: Source address = 00306E1187B8
       ETHERNET: .0...... = Universally administered address
   ETHERNET: Ethernet Type : 0x0800 (Internet IP (IPv4))
IP: Protocol = TCP - Transmission Control; Packet ID = 49495; Total IP Length = 48; Options = No Options
   IP: Version = IPv4; Header Length = 20
       IP: 0100.... = IP Version 4
       IP: ....0101 = Header Length 20
   IP: Type of Service = Normal Service
       IP: 000..... = Precedence - Routine
       IP: ...0.... = Normal Delay
       IP: ....0... = Normal Throughput
       IP: .....0.. = Normal Reliability
       IP: ......0. = Normal Monetary Cost
   IP: Total Length = 48 (0x30)
   IP: Identification = 49495 (0xC157)
   IP: Fragmentation Summary = 16384 (0x4000)
       IP: .1.............. = Cannot fragment datagram
       IP: ..0............. = Last fragment in datagram
       IP: ...0000000000000 = Fragment Offset 0 (0x0000)
   IP: Time to Live = 127 (0x7F)
   IP: Protocol = TCP - Transmission Control
   IP: Checksum = 30758 (0x7826)
   IP: Source Address = 172.16.208.107
   IP: Destination Address = 69.66.0.140
TCP: Control Bits: ....S., len:    0, seq:3310213350-3310213351, ack:         0, win:65535, src: 2816  dst:  110
   TCP: Source Port = 0x0B00
   TCP: Destination Port = Post Office Protocol - Version 3
   TCP: Sequence Number = 3310213350 (0xC54DD8E6)
   TCP: Acknowledgement Number = 0 (0x0)
   TCP: Data Offset = 28 bytes
       TCP: 0111.... = Data Offset (28 bytes)
       TCP: ....0000 = Reserved bits
   TCP: Flags = 0x02 : ....S.
       TCP: ..0..... = No urgent data
       TCP: ...0.... = Acknowledgement field not significant
       TCP: ....0... = No Push function
       TCP: .....0.. = No Reset
       TCP: ......1. = Synchronize sequence numbers
       TCP: .......0 = Not the end of the data
   TCP: Window = 65535 (0xFFFF)
   TCP: Checksum = 0x1733
   TCP: Urgent Pointer = 0 (0x0)
   TCP: Options
       TCP: Maximum Segment Size Option
           TCP: Option Type = Maximum Segment Size
           TCP: Option Length = 4 (0x4)
           TCP: Maximum Segment Size = 1460 (0x5B4)
       TCP: Option Nop = 1 (0x1)
       TCP: Option Nop = 1 (0x1)
       TCP: SACK Permitted Option
           TCP: Option Type = Sack Permitted
           TCP: Option Length = 2 (0x2)
00000:  08 00 02 3C CA 8B 00 30 6E 11 87 B8 08 00 45 00   ...<‹.0n.‡..E.
00010:  00 30 C1 57 40 00 7F 06 78 26 AC 10 D0 6B 45 42   .0W@..x&.kEB
00020:  00 8C 0B 00 00 6E C5 4D D8 E6 00 00 00 00 70 02   .Œ...nM....p.
00030:  FF FF 17 33 00 00 02 04 05 B4 01 01 04 02         .3......... 



< Message edited by plna -- 18.Apr.2006 10:26:09 PM >

(in reply to spouseele)
Post #: 9
RE: pop3 receiving - 19.Apr.2006 8:59:07 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi plna,

can you post the result of the command 'ipconfig /all' on the ISA server?
Also, what relationship is defined between the internal and external network?
Where did you take the netmon trace? At the ISA external interface?

HTH,
Stefaan




(in reply to plna)
Post #: 10
RE: pop3 receiving - 26.Apr.2006 11:11:11 PM   
plna

 

Posts: 28
Joined: 12.Mar.2006
Status: offline
Here is the ipconfig /all
I did the monitoring on the external nic.

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
D:\Documents and Settings\administrator.IFBF>ipconfig /all
Windows IP Configuration
  Host Name . . . . . . . . . . . . : ASPEN
  Primary Dns Suffix  . . . . . . . : ifbf.org
  Node Type . . . . . . . . . . . . : Unknown
  IP Routing Enabled. . . . . . . . : Yes
  WINS Proxy Enabled. . . . . . . . : Yes
  DNS Suffix Search List. . . . . . : ifbf.org
                                      ifbf.net
                                      fbfs.com
Ethernet adapter Public 63.224.176.123:
  Connection-specific DNS Suffix  . :
  Description . . . . . . . . . . . : HP NetServer 10/100TX PCI LAN Adapter
  Physical Address. . . . . . . . . : 00-30-6E-11-87-B8
  DHCP Enabled. . . . . . . . . . . : No
  IP Address. . . . . . . . . . . . : 63.224.176.123
  Subnet Mask . . . . . . . . . . . : 255.255.255.224
  Default Gateway . . . . . . . . . : 63.224.176.97
  DNS Servers . . . . . . . . . . . : 205.171.3.65
                                      205.171.2.65
Ethernet adapter Local 172.16.192.123:
  Connection-specific DNS Suffix  . :
  Description . . . . . . . . . . . : HP NetServer 10/100TX PCI LAN Adapter #2
  Physical Address. . . . . . . . . : 00-30-6E-11-87-B7
  DHCP Enabled. . . . . . . . . . . : No
  IP Address. . . . . . . . . . . . : 172.16.192.123
  Subnet Mask . . . . . . . . . . . : 255.255.192.0
  Default Gateway . . . . . . . . . :
  DNS Servers . . . . . . . . . . . : 172.16.208.100
                                      172.16.208.7
D:\Documents and Settings\administrator.IFBF>

(in reply to spouseele)
Post #: 11
RE: pop3 receiving - 30.Apr.2006 5:18:10 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi plna,

according to the posted info, it sounds like there is a route relationship defined between the internal and the external network. Shouldn't this be a NAT relationship instead?

If you look at the frames captured, you will see that the source mac = 00-30-6E-11-87-B8 (this is the ISA external interface according to the ipconfig) but the source IP = 172.16.192.123 (internal DNS server). Of course, because the source IP is a private IP, no one on the Internet will respond to those requests.

HTH,
Stefaan

(in reply to plna)
Post #: 12
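
The check this thread arrives at, as an added example that is not part of the original posts: it decodes frames 107 and 146 from the netmon trace in post 9 (bytes copied from the hex dumps) and reports any RFC 1918 source address leaving through the ISA external adapter, plus SYNs that were retransmitted unanswered. The function names and the `EXTERNAL_MAC` and `RFC1918` constants are assumptions of this sketch; the MAC value is the "Public" adapter from the ipconfig output in post 11.

```python
import ipaddress
import struct

# Frames 107 and 146 from the netmon trace in post 9 (copied from the hex dumps).
FRAME_107 = bytes.fromhex(
    "08 00 02 3C CA 8B 00 30 6E 11 87 B8 08 00 45 00 "
    "00 30 C1 13 40 00 7F 06 78 6A AC 10 D0 6B 45 42 "
    "00 8C 0A FE 00 6E B9 6C 1C AC 00 00 00 00 70 02 "
    "FF FF DF 50 00 00 02 04 05 B4 01 01 04 02"
)
FRAME_146 = bytes.fromhex(
    "08 00 02 3C CA 8B 00 30 6E 11 87 B8 08 00 45 00 "
    "00 30 C1 3F 40 00 7F 06 78 3E AC 10 D0 6B 45 42 "
    "00 8C 0A FE 00 6E B9 6C 1C AC 00 00 00 00 70 02 "
    "FF FF DF 50 00 00 02 04 05 B4 01 01 04 02"
)

# Assumed names for this sketch; the MAC is the "Public" adapter in post 11.
EXTERNAL_MAC = "00-30-6E-11-87-B8"
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def ip_checksum_ok(header):
    """One's-complement sum over the IPv4 header must fold to 0xFFFF."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def decode_frame(frame):
    """Decode the Ethernet II / IPv4 / TCP fields needed for the check."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00":
        raise ValueError("not an Ethernet II / IPv4 frame")
    ihl = (frame[14] & 0x0F) * 4
    ip, tcp = frame[14:14 + ihl], frame[14 + ihl:]
    if ip[9] != 6 or len(tcp) < 14:
        raise ValueError("not a TCP segment")
    sport, dport, seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    return {
        "src_mac": "-".join("%02X" % b for b in frame[6:12]),
        "src_ip": str(ipaddress.ip_address(ip[12:16])),
        "dst_ip": str(ipaddress.ip_address(ip[16:20])),
        "sport": sport, "dport": dport, "seq": seq,
        "syn": bool(off_flags & 0x02), "ack": bool(off_flags & 0x10),
        "ip_checksum_ok": ip_checksum_ok(ip),
    }


def egress_report(frames, external_mac=EXTERNAL_MAC):
    """Summarise frames captured on the external adapter."""
    private_sources, syn_seen, retransmits = set(), set(), 0
    for raw in frames:
        f = decode_frame(raw)
        src = ipaddress.ip_address(f["src_ip"])
        # Sent by the firewall's own external NIC but still carrying a
        # private source address: the packet was routed, not NATed.
        if f["src_mac"] == external_mac and any(src in n for n in RFC1918):
            private_sources.add(f["src_ip"])
        # Same 4-tuple and sequence number seen again: an unanswered SYN.
        if f["syn"] and not f["ack"]:
            key = (f["src_ip"], f["sport"], f["dst_ip"], f["dport"], f["seq"])
            retransmits += key in syn_seen
            syn_seen.add(key)
    return {"private_sources_on_external": sorted(private_sources),
            "retransmitted_syns": retransmits}


if __name__ == "__main__":
    print(decode_frame(FRAME_107))
    print(egress_report([FRAME_107, FRAME_146]))
```

A valid IP header checksum on both frames confirms the bytes were transcribed intact, so the decoded addresses are what actually left the adapter.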
