[CLUE-Tech] Feeble Mind

David Anselmi anselmi at americanisp.net
Sat Oct 19 21:14:54 MDT 2002


Keith Hellman wrote:
[...]
> - P can telnet into a yahoo.com mail server - no problemo
> - P tries a telnet session to A with 'telnet A pop3' or 'telnet A smtp'
>   and NEVER connects (this is the PROBLEM).
> - W can do both telnet tests - no problemo
> - If W assumes P's IP, W can do both telnet tests - no problemo
> - Both P and W produce the same nmap results against A:  that being that
>   pop3 and smtp are open.

When you say yahoo mail server I assume you're telnetting to port 110 or 25.

nmap -sT is a TCP connect scan, which should be the same as what telnet 
does.  So if nmap says the port is open then telnet A pop3 should 
connect and say +OK.  That it doesn't is puzzling.

Can you get any kind of traffic dump off the firewall appliance? 
Rejected packets would be good, or something like tcpdump, especially if 
it shows the WAN interface.  See what the differences are for the two 
machines.  If you can't see the traffic on the firewall, tcpdump from a 
machine on the hub P and W use would be good.  Probably it would show P 
sending and nothing coming back.

You can look at the outbound packets from P and W (when they are using 
P's IP address) and see what is different.  Don't filter out anything on 
that hub--you may see P sending but replies going to W (if the router's 
ARP cache is hosed, for example).

Can you look at the NAT tables on the firewall?  If it just does NAT and 
not PAT (substitutes source IP but not source port) then you may have 
problems with multiple machines going to the same server.  Does the 
firewall know which connection is which (from P->A and W->A)?  That 
seems more likely than a firewall on A's end.

Is A at your DSL ISP?  With my DSL, Qwest routes my traffic over their 
ATM network to my ISP, so at the IP level we look like we're on a 
point-to-point link.  In that case there shouldn't be any firewalling between 
you and A that would matter.

I'd be interested to hear the resolution, and to look at packet dumps if 
you want.

Dave
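
The NAT-versus-PAT point in the message above, as an added example that is not part of the original post: a toy translation table showing what happens when W and P both open a connection to A's pop3 port from the same local source port. The addresses, ports and the `Translator` class are constructed for illustration, and treating a collision as a refused connection is a modelling assumption about the firewall.

```python
# Added illustration, not from the original thread. All addresses and ports
# are constructed; P, W and A are the hosts named in the message.
from dataclasses import dataclass, field

PUBLIC_IP = "203.0.113.10"   # constructed WAN address of the firewall
A = "198.51.100.25"          # constructed address for mail server A


@dataclass
class Translator:
    rewrite_ports: bool      # False = NAT only (IP rewritten), True = PAT
    next_port: int = 40000   # first public port PAT hands out
    # (public ip, public port, remote ip, remote port) -> inside (ip, port)
    reverse: dict = field(default_factory=dict)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate an outgoing connection. Returns the public source
        port, or None when the reply path would be ambiguous."""
        if self.rewrite_ports:
            pub_port = self.next_port
            self.next_port += 1
        else:
            pub_port = src_port          # NAT only: source port is kept
        key = (PUBLIC_IP, pub_port, dst_ip, dst_port)
        owner = self.reverse.get(key)
        if owner is not None and owner != (src_ip, src_port):
            # Two inside hosts now look identical to A. Modelled as a
            # refusal here (assumption about how the device reacts).
            return None
        self.reverse[key] = (src_ip, src_port)
        return pub_port

    def inbound(self, src_ip, src_port, dst_port):
        """Map a reply from the server back to the inside host, if any."""
        return self.reverse.get((PUBLIC_IP, dst_port, src_ip, src_port))


def demo(rewrite_ports):
    fw = Translator(rewrite_ports=rewrite_ports)
    # W connects first, then P; both happen to use local port 1025.
    w = fw.outbound("192.168.1.20", 1025, A, 110)
    p = fw.outbound("192.168.1.30", 1025, A, 110)
    return w, p, fw


if __name__ == "__main__":
    for mode in (False, True):
        w, p, fw = demo(mode)
        print("PAT" if mode else "NAT only", "W ->", w, "P ->", p)
```

A dump of the firewall's real translation table, compared against the source ports seen in tcpdump on the inside hub, would show whether this is what happens to P.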



