telnet issue - pulling my hair out

[ashleypoxon]

Hi guys,

I'm pulling my hair out over this at the minute;

I work on a domain which has their exchange hosted externally, which I dont see as a major problem, although I prefer it to be hosted externally. But I am having problems with telnet on a certain windows server 2008 box. I cannot telnet externally to any resources. I can telnet to resources internally. When I try to telnet to port 110 or 25 on the hosted exchange box, it says connection failed. If I try from another Windows Server 2008 box, it works.If I telnet internally from the troublesome box, to a virtual SMTP server, that works. It just appears to be external that is the problem.

There is no firewall on this server as it is disabled. The only difference is that this is an application server, running IIS.

Any ideas greatly appreciated.

 

[Davetoo]

Can you telnet from any system to the outside world? Check the hardware firewall protecting your network from the Internet to see if it's blocking telnet.



I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.

There are no more PDC's! There are DC's with FSMO roles!

 

[ashleypoxon]

Thanks for the reply.

Yes from any other box in the domain I can telnet to outside resources, it's just this box that is not allowing telnet externally for some reason.

 

[itsp1965]

Are you at least able to ping hosts on the internet from this server? If so, are you sure you don't have the host based firewall enabled?

 

[ashleypoxon]

OK, so I have just discovered, thanks to the idea above, that I cannot ping anything externally from this box BUT I can browse the internet from it. I can ping externally from other boxes in this domain.

 

[ashleypoxon]

I have just rebuilt the IP and rebooting to see if that resolves it.

 

[iolair]

Check in the interface settings, firewall, that you have ICMP settings selected. They're off by default.

Iolair MacWalter
Network Engineer

 

[ashleypoxon]

IOloair, I will check that in a minute. do you mean the firewall on the domain? The local software firewall on Win2008 is turned off on this box. I've not changed any ICMP settings on any of the other 2008 boxes and they work OK.

I changed the IP address, just to make sure it was nothing on the firewall that was restricting the static IP address, and still same problem.

 

[Davetoo]

Do a tracert, see where it dies.

I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.

There are no more PDC's! There are DC's with FSMO roles!

 

[ashleypoxon]

it dies straight away, doesnt even complete the first hop. sorry forgot to post that up.

 

[iolair]

Okay, are you IPv4? If so, try to ping the loopback, 127.0.0.1 - if that works, then the stack is working. Then try to ping the interface with it's own assigned address, for example, if you're 120.12.45.23, ping that. You've probably all ready done that. One other thought - can you turn off the IIS service and try it then? If it works, then I'd say IIS is doing something to stop the telnet. But, at this point, I'd probably be pulling my hair out, too.

Iolair MacWalter
Network Engineer

 

[ashleypoxon]

Thanks for the reply. I've already stopped the IIS service and still made no difference, can ping loopback and also it's own address. I can actually ping anything in it's domain, it's just externally.

where next?

 

[iolair]

Can you telnet on the regular telnet port, port 23 to the outside? I'm thinking that davetoo has the right idea, it sounds like maybe an access list problem on the router/firewall that lets machines out to the external stuff. Why only this server, I don't know. Since you can see everything on the inside, but not outside, the firewall could have one little line that blows it out. Does the server have a static IP or does it get it DHCP?

Iolair MacWalter
Network Engineer

 

[Davetoo]

The basics...post the ipconfig/all from the problem server.

I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.

There are no more PDC's! There are DC's with FSMO roles!

 

[ashleypoxon]

Thanks for the help guys. I got a colleague to check over my work and there was an old firewall rule blocking this. it was from when the IP address had been used for another server. Weird that even when I change the servers IP address to another, it had still not worked.

Thanks again for helping though

 

[Davetoo]

Glad it's working...but that was the first thing we asked you to check. ;-)

I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.

There are no more PDC's! There are DC's with FSMO roles!

 

[kmcferrin]

Some firewall rules work based on IP addresses. Other rules may filter traffic based on zones or interfaces. If your situation is the latter then I could see that being why.

________________________________________
CompTIA A+, Network+, Server+, Security+
MCTS:Windows 7
MCTS:Hyper-V
MCTS:System Center Virtual Machine Manager
MCTS:Windows Server 2008 R2, Server Virtualization
MCSE:Security 2003
MCITP:Enterprise Administrator

 

[iolair]

Glad you got it fixed. One thing I've noticed with my Cisco PIX is that it can take some time to "unlearn" an address and "relearn" a new one. Don't know why, but sometimes, I have to reboot a PIX to make a change. It's probably me. Again, glad you got it worked, it's no fun when that happens.

Iolair MacWalter
Network Engineer

 

[ashleypoxon]

cheers. and thanks for all the help