
Unable to establish NNTP connection to outside NNTP server, help?!


Nimroduk (Programmer), Aug 10, 2006
Another day and another problem!
This one has me truly stumped and I don't know where (or how) to start...

I have a machine on a static IP address (192.168.1.1) that can access HTTP, MSN and ping/telnet to the NNTP server, but the news reader application cannot establish a connection!

I have stuck debugging on and also made a temporary ACL entry that allows all IP traffic from the NNTP server w/ log, but I only receive (and permit) ICMP packets. I don't get any messages for tcp/udp traffic received (or dropped).

I've dumped out the NAT translations and IP Inspect sessions listed for the PC on the static IP (for the NNTP service). There are NAT entries but no IP Inspect sessions!?

Here is my running config:
Code:
!
version 12.2
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname 7Six2600
!
no logging buffered
no logging console
enable secret 5 <cut>
enable password <cut>
!
clock timezone GMT 0
ip subnet-zero
no ip source-route
ip cef
!
!
ip tcp mss 1460
ip name-server 4.2.2.1
ip name-server 4.2.2.2
no ip dhcp conflict logging
ip dhcp excluded-address 192.168.1.1 192.168.1.10
ip dhcp excluded-address 192.168.1.239 192.168.1.244
!
ip dhcp pool 7sixLAN
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.3 
   domain-name 7six
   dns-server 4.2.2.1 4.2.2.2 
   netbios-node-type h-node
   lease 5
!
ip inspect max-incomplete high 1100
ip inspect max-incomplete low 900
ip inspect one-minute high 1100
ip inspect one-minute low 900
ip inspect udp idle-time 600
ip inspect dns-timeout 30
ip inspect tcp finwait-time 300
ip inspect tcp synwait-time 300
ip inspect name Ethernet0_0 realaudio
ip inspect name Ethernet0_0 sqlnet
ip inspect name Ethernet0_0 ftp
ip inspect name Ethernet0_0 fragment maximum 256 timeout 1
ip inspect name Ethernet0_0 tcp
ip inspect name Ethernet0_0 udp
ip audit notify log
ip audit po max-events 100
!
!
!
interface Ethernet0/0
 description WAN Connection (NTL)
 mac-address 0004.e22a.99f9
 bandwidth 10240
 ip address dhcp
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect Ethernet0_0 out
 half-duplex
 no cdp enable
 hold-queue 16 in
 hold-queue 4 out
!
interface Ethernet0/1
 description LAN Connection
 bandwidth 10240
 ip address 192.168.1.3 255.255.255.0
 ip access-group 102 out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 full-duplex
 no cdp enable
 hold-queue 0 in
!
ip nat translation timeout 3600
ip nat translation tcp-timeout 3600
ip nat translation udp-timeout 600
ip nat translation finrst-timeout 300
ip nat translation syn-timeout 300
ip nat translation dns-timeout 30
ip nat translation icmp-timeout 30
ip nat inside source list 1 interface Ethernet0/0 overload
ip nat inside source static udp 192.168.1.10 3074 interface Ethernet0/0 3074
ip nat inside source static tcp 192.168.1.10 3074 interface Ethernet0/0 3074
ip nat inside source static tcp 192.168.1.10 88 interface Ethernet0/0 88
ip classless
no ip http server
!
logging trap debugging
logging source-interface Ethernet0/0
logging 92.168.1.11
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 101 remark permit anything from NNTP server and display it
access-list 101 permit ip 216.196.109.144 0.0.0.0 any log
access-list 101 permit udp 10.0.0.0 0.255.255.255 eq bootps any eq bootpc log
access-list 101 permit icmp 10.0.0.0 0.255.255.255 any log
access-list 101 permit udp host 62.253.96.20 eq bootps any eq bootpc log
access-list 101 permit icmp host 62.253.96.20 any log
access-list 101 permit tcp any any established
access-list 101 permit udp any eq domain any gt 1023
access-list 101 permit tcp any any eq 88
access-list 101 permit tcp any any eq 3074
access-list 101 permit udp any any eq 3074
access-list 101 permit tcp any eq 88 any
access-list 101 permit tcp any eq 3074 any
access-list 101 permit udp any eq 3074 any
access-list 101 permit ip any 192.168.1.0 0.0.0.255
access-list 101 permit gre any any
access-list 101 deny   icmp any any echo
access-list 101 deny   icmp any any information-request log
access-list 101 permit icmp any any
access-list 101 deny   ip any 0.0.0.0 0.255.255.255 log
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any log
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any log
access-list 101 deny   ip 169.0.0.0 0.255.255.255 any log
access-list 101 deny   ip 192.0.2.0 0.0.0.255 any log
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any log
access-list 101 deny   ip 224.0.0.0 31.255.255.255 any log
access-list 101 deny   ip any any log
access-list 102 permit tcp any any established
access-list 102 permit ip any 192.168.1.0 0.0.0.255
access-list 102 permit icmp any 192.168.1.0 0.0.0.255
access-list 102 permit gre any 192.168.1.0 0.0.0.255
access-list 102 deny   ip any any log
no cdp run
!
line con 0
line aux 0
line vty 0 4
 session-timeout 15 
 access-class 1 in
 password <cut>
 login
!
ntp server 207.46.232.189
end

Here is the NAT dump
Code:
7Six2600#show ip nat trans | inc 119
tcp 82.19.70.78:2321   192.168.1.1:2321   216.196.109.144:119 216.196.109.144:119
tcp 82.19.70.78:2322   192.168.1.1:2322   216.196.109.144:119 216.196.109.144:119
tcp 82.19.70.78:2324   192.168.1.1:2324   216.196.109.144:119 216.196.109.144:119
tcp 82.19.70.78:2329   192.168.1.1:2329   216.196.109.144:119 216.196.109.144:119
tcp 82.19.70.78:2330   192.168.1.1:2330   216.196.109.144:119 216.196.109.144:119
tcp 82.19.70.78:2331   192.168.1.1:2331   216.196.109.144:119 216.196.109.144:119
tcp 82.19.70.78:2333   192.168.1.1:2333   216.196.109.144:119 216.196.109.144:119
tcp 82.19.70.78:2334   192.168.1.1:2334   216.196.109.144:119 216.196.109.144:119
tcp 82.19.70.78:2336   192.168.1.1:2336   216.196.109.144:119 216.196.109.144:119
tcp 82.19.70.78:2337   192.168.1.1:2337   216.196.109.144:119 216.196.109.144:119
tcp 82.19.70.78:2341   192.168.1.1:2341   216.196.109.144:119 216.196.109.144:119
tcp 82.19.70.78:2342   192.168.1.1:2342   216.196.109.144:119 216.196.109.144:119
tcp 82.19.70.78:2344   192.168.1.1:2344   216.196.109.144:119 216.196.109.144:119
tcp 82.19.70.78:2347   192.168.1.1:2347   216.196.109.144:119 216.196.109.144:119

Here is a dump of the active CBAC rules for the machine with the static IP. There is nothing for port 119 (nntp)?
Code:
7Six2600#show ip inspect sess | inc 192.168.1.1:
 Session 8135B0D8 (192.168.1.1:1964)=>(207.46.110.44:1863) tcp SIS_OPEN
 Session 81246140 (192.168.1.1:2201)=>(66.225.235.36:80) tcp SIS_OPEN
 Session 81302228 (192.168.1.1:2320)=>(66.225.235.36:80) tcp SIS_OPEN
 Session 812334E4 (192.168.1.1:2254)=>(216.196.100.135:80) tcp SIS_OPEN
 Session 81090FF4 (192.168.1.1:2240)=>(216.196.100.135:80) tcp SIS_OPEN
 Session 81291F28 (192.168.1.1:2217)=>(213.220.100.1:80) tcp SIS_CLOSING
 Session 810964BC (192.168.1.1:2218)=>(213.220.100.1:80) tcp SIS_CLOSING


Finally, here are the stats from Eth0/0 (the WAN connection):
Code:
7Six2600#show int eth0/0
Ethernet0/0 is up, line protocol is up 
  Hardware is AmdP2, address is 0004.e22a.99f9 (bia 0002.b912.fb20)
  Description: WAN Connection (NTL)
  Internet address is 82.19.70.78/22
  MTU 1500 bytes, BW 10240 Kbit, DLY 1000 usec, 
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:08, output 00:00:01, output hang never
  Last clearing of "show interface" counters 00:10:40
  Input queue: 0/16/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/4 (size/max)
  5 minute input rate 12000 bits/sec, 8 packets/sec
  5 minute output rate 2000 bits/sec, 14 packets/sec
     11526 packets input, 2463125 bytes, 0 no buffer
     Received 13 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 input packets with dribble condition detected
     13237 packets output, 1099205 bytes, 0 underruns
     0 output errors, 8 collisions, 0 interface resets
     0 babbles, 0 late collision, 138 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out
7Six2600#

Any ideas?
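As an added diagnostic (not code from the original post) for the observation above that the NAT table holds port-119 translations while "show ip inspect sessions" shows none for them: the Python below parses both tables and lists the NAT flows CBAC is not tracking, grouped by destination port. The sample lines are copied from the dumps in the post, except the NAT header line and the port-80 NAT entry, which are constructed so that one flow does match an inspect session.

```python
"""Cross-check 'show ip nat translations' against 'show ip inspect sessions'
and list NAT flows for which CBAC has no session. Added diagnostic, not code
from the original post. Sample output is copied from the thread except the
header line and the port-80 NAT entry, which are constructed."""
import re
from collections import namedtuple

# One flow as the LAN host sees it: inside-local -> outside-global.
Flow = namedtuple("Flow", "proto inside_ip inside_port outside_ip outside_port")

NAT_RE = re.compile(
    r"^(?P<proto>tcp|udp|icmp)\s+"
    r"(?P<ig>[\d.]+):(?P<igp>\d+)\s+"   # inside global (post-NAT address)
    r"(?P<il>[\d.]+):(?P<ilp>\d+)\s+"   # inside local (LAN host)
    r"(?P<ol>[\d.]+):(?P<olp>\d+)\s+"   # outside local
    r"(?P<og>[\d.]+):(?P<ogp>\d+)\s*$"  # outside global (real peer)
)
INSPECT_RE = re.compile(
    r"Session\s+[0-9A-Fa-f]+\s+\((?P<src>[\d.]+):(?P<sport>\d+)\)"
    r"=>\((?P<dst>[\d.]+):(?P<dport>\d+)\)\s+(?P<proto>\w+)\s+(?P<state>\S+)"
)

NAT_SAMPLE = """\
Pro Inside global      Inside local       Outside local        Outside global
tcp 82.19.70.78:2321   192.168.1.1:2321   216.196.109.144:119  216.196.109.144:119
tcp 82.19.70.78:2322   192.168.1.1:2322   216.196.109.144:119  216.196.109.144:119
tcp 82.19.70.78:2324   192.168.1.1:2324   216.196.109.144:119  216.196.109.144:119
tcp 82.19.70.78:2201   192.168.1.1:2201   66.225.235.36:80     66.225.235.36:80
"""

INSPECT_SAMPLE = """\
 Session 8135B0D8 (192.168.1.1:1964)=>(207.46.110.44:1863) tcp SIS_OPEN
 Session 81246140 (192.168.1.1:2201)=>(66.225.235.36:80) tcp SIS_OPEN
 Session 81302228 (192.168.1.1:2320)=>(66.225.235.36:80) tcp SIS_OPEN
"""

def parse_nat(text):
    """NAT table -> set of Flow keyed on inside-local and outside-global."""
    flows = set()
    for line in text.splitlines():
        m = NAT_RE.match(line.strip())
        if m:
            flows.add(Flow(m["proto"], m["il"], int(m["ilp"]),
                           m["og"], int(m["ogp"])))
    return flows

def parse_inspect(text):
    """CBAC session table -> {Flow: state}."""
    sessions = {}
    for line in text.splitlines():
        m = INSPECT_RE.search(line)
        if m:
            f = Flow(m["proto"], m["src"], int(m["sport"]),
                     m["dst"], int(m["dport"]))
            sessions[f] = m["state"]
    return sessions

def nat_without_inspect(nat_text, inspect_text):
    """NAT flows with no CBAC session, grouped by (proto, destination port).

    A NAT entry shows the outbound packet went through the NAT path; with no
    inspect session, CBAC is not tracking the connection and nothing will
    open the inbound ACL dynamically for its return traffic."""
    sessions = parse_inspect(inspect_text)
    grouped = {}
    for f in sorted(parse_nat(nat_text)):
        if f not in sessions:
            grouped.setdefault((f.proto, f.outside_port), []).append(f)
    return grouped

if __name__ == "__main__":
    for (proto, port), flows in nat_without_inspect(NAT_SAMPLE, INSPECT_SAMPLE).items():
        print(f"{proto}/{port}: {len(flows)} NAT entries without an inspect session")
        for f in flows:
            print(f"  {f.inside_ip}:{f.inside_port} -> {f.outside_ip}:{f.outside_port}")
```

Paste the full, unfiltered output of both commands in place of the samples; filtering the NAT dump with "| inc 119" (as in the post) is fine for the NAT side, but the inspect side must be complete or every flow will look untracked.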
 
I've reloaded the router and I am now seeing CBAC sessions being created for the outgoing connections (state SIS_OPEN) but I am still not seeing any incoming (permitted or denied) traffic.

Is there a debug / show info command that can show the packet exchange for a particular host / port combo ? I am not sure how else to sniff the conversation going on between the modem and the router interface.
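One way to work out offline what the inbound ACL on Ethernet0/0 would do with the packets the post above is waiting for: the following Python evaluates packets against access-list 101 with IOS first-match semantics (wildcard masks, host/any, eq/gt/lt, the established keyword and ICMP type keywords). It is an added example, not code from the original post; the ACL text is copied from the running config in the thread, while the sample packets and the small port-name table are this example's own. Evaluating the SYN/ACK the NNTP server should send back to the translated port shows it is matched by the first entry, the temporary "permit ip ... log" line, so a permitted-and-logged message should have appeared for it. No message at all therefore points either at the packet never reaching the interface or at the log going somewhere that is not being watched: the config above has "no logging buffered", "no logging console" and a syslog host of 92.168.1.11.

```python
"""Evaluate inbound packets against access-list 101 with Cisco first-match
semantics (wildcard masks, host/any, eq/gt/lt, 'established', ICMP types).
Added example, not code from the original post: the ACL text is copied from
the running config in the thread; PORT_NAMES and the packets are constructed."""
import ipaddress
from collections import namedtuple

ACL_101 = """\
access-list 101 remark permit anything from NNTP server and display it
access-list 101 permit ip 216.196.109.144 0.0.0.0 any log
access-list 101 permit udp 10.0.0.0 0.255.255.255 eq bootps any eq bootpc log
access-list 101 permit icmp 10.0.0.0 0.255.255.255 any log
access-list 101 permit udp host 62.253.96.20 eq bootps any eq bootpc log
access-list 101 permit icmp host 62.253.96.20 any log
access-list 101 permit tcp any any established
access-list 101 permit udp any eq domain any gt 1023
access-list 101 permit tcp any any eq 88
access-list 101 permit tcp any any eq 3074
access-list 101 permit udp any any eq 3074
access-list 101 permit tcp any eq 88 any
access-list 101 permit tcp any eq 3074 any
access-list 101 permit udp any eq 3074 any
access-list 101 permit ip any 192.168.1.0 0.0.0.255
access-list 101 permit gre any any
access-list 101 deny   icmp any any echo
access-list 101 deny   icmp any any information-request log
access-list 101 permit icmp any any
access-list 101 deny   ip any 0.0.0.0 0.255.255.255 log
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any log
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any log
access-list 101 deny   ip 169.0.0.0 0.255.255.255 any log
access-list 101 deny   ip 192.0.2.0 0.0.0.255 any log
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any log
access-list 101 deny   ip 224.0.0.0 31.255.255.255 any log
access-list 101 deny   ip any any log
"""

PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53, "nntp": 119}  # IOS subset

# ack = TCP ACK or RST bit set (what 'established' tests); icmp_type = IOS keyword.
Packet = namedtuple("Packet", "proto src dst sport dport ack icmp_type",
                    defaults=(0, 0, False, ""))
# src/dst are (address, wildcard) ints; a 1 bit in the wildcard means don't care.
Ace = namedtuple("Ace", "seq action proto src sport dst dport established log icmp_type text")

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _addr(tok):
    if tok[0] == "any":
        return (0, 0xFFFFFFFF), tok[1:]
    if tok[0] == "host":
        return (_ip(tok[1]), 0), tok[2:]
    return (_ip(tok[0]), _ip(tok[1])), tok[2:]

def _ports(tok):
    if tok and tok[0] in ("eq", "gt", "lt"):
        return (tok[0], PORT_NAMES.get(tok[1]) or int(tok[1])), tok[2:]
    return None, tok

def parse_acl(text, number="101"):
    """Numbered extended ACL text -> list of Ace in configured order."""
    aces = []
    for line in text.splitlines():
        tok = line.split()
        if tok[:2] != ["access-list", number] or tok[2] == "remark":
            continue
        src, rest = _addr(tok[4:])
        sport, rest = _ports(rest)
        dst, rest = _addr(rest)
        dport, rest = _ports(rest)
        icmp = next((t for t in rest if t not in ("established", "log")), "")
        aces.append(Ace(len(aces) + 1, tok[2], tok[3], src, sport, dst, dport,
                        "established" in rest, "log" in rest, icmp, line.strip()))
    return aces

def _in(addr, spec):
    mask = ~spec[1] & 0xFFFFFFFF
    return (addr & mask) == (spec[0] & mask)

def _port_ok(port, spec):
    if spec is None:
        return True
    op, v = spec
    return {"eq": port == v, "gt": port > v, "lt": port < v}[op]

def matches(ace, p):
    if ace.proto not in ("ip", p.proto):
        return False
    if not (_in(_ip(p.src), ace.src) and _in(_ip(p.dst), ace.dst)):
        return False
    if ace.proto in ("tcp", "udp") and not (_port_ok(p.sport, ace.sport)
            and _port_ok(p.dport, ace.dport) and (p.ack or not ace.established)):
        return False
    return not (ace.proto == "icmp" and ace.icmp_type and ace.icmp_type != p.icmp_type)

def evaluate(aces, p):
    """First matching entry wins; None stands for the implicit deny at the end."""
    return next((a for a in aces if matches(a, p)), None)
```

Call evaluate(parse_acl(ACL_101), Packet("tcp", "216.196.109.144", "82.19.70.78", 119, 2321, ack=True)) for the server's SYN/ACK and inspect the returned entry's seq, action and log fields. Two caveats when reading real logs against this: IOS rate-limits ACL log messages (the first matching packet is logged, later ones are summarised), and "established" only checks the ACK/RST bits, which is why the stateful CBAC sessions in the previous post matter for the return path.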
 
Please close...

I cannot believe this, but it was the NNTP client application that was causing the problem, even though it *worked* with my previous router! It appears that the 2611 was blocking the conversation as the application was generating malformed / wrongly ordered TCP packets!

I've changed client and it's working fine!

Sometimes debugging networking issues is a bit like shooting in the dark ;)
 