Daviddeousa
asked on
Allow pop and smtp traffic through cisco 1700
I have a Cisco 1700 router which has the K9 security patch running on it ... I have a mail server running on the inside which at the moment is set to collect mail from the ISP's catch all folder for the domain. What I want to do is to configure the router to allow the pop and smtp traffic through the firewall for the internal IP address of the mail server. The mail server has a static NAt setup for its IP. I can not run a DMZ as the router is a 1701 which has set WIC for ISDN and DSL ... the ISDN is set as a backup to the DSL. below is the basic config of the router:
version 12.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname XXXXXXXX
!
security authentication failure rate 3 log
security passwords min-length 6
logging queue-limit 100
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$6lU0$4hMYCP7qkZtXXEOn1q Dti.
!
username xxxxxxxxx privilege 15 password 7 121D561111040254242E
username xxxxxxxxx privilege 2 secret 5 $1$mmBz$F8q7RtY474UQtcT/1I /.N/
username xxxxxxxxx privilege 2 secret 5 $1$Ls8t$4PrAOP894wyEornCM3 veT0
username xxxxxxxxx privilege 2 secret 5 $1$7Fpz$gqHGdzyK4hS7vaUmPn SN60
username xxxxxxxxx privilege 2 secret 5 $1$RQPH$FihXg.2DP3v5Y94GHR T6u1
username xxxxxxxxx privilege 2 secret 5 $1$9tC7$HfoIHK74BXSpEoJRBD o.Y0
username xxxxxxxxx privilege 2 secret 5 $1$S3cx$BTcFtVWhC0YT62VXCA wY7/
username xxxxxxxxx privilege 2 secret 5 $1$cKWx$cWe4iIgwH3haA.2pCm Ivw0
username xxxxxxxxx privilege 2 secret 5 $1$LYu0$HmYuOQI7txDiMdf4QV wl//
username xxxxxxxxx privilege 2 secret 5 $1$zm7Q$j7nZCcHtvOwN.jhMs9 rZh.
username xxxxxxxxx privilege 15 secret 5 $1$NZ4M$Qpd0nD11M4ftpBqy3I ws0/
clock timezone London 0
clock summer-time London date Mar 30 2003 1:00 Oct 26 2003 2:00
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
aaa session-id common
ip subnet-zero
no ip source-route
!
!
ip domain name xxxxxxxxx.co.uk
ip name-server 195.200.0.78
ip name-server 195.200.0.71
ip name-server 192.200.0.76
!
!
no ip bootp server
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 smtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip inspect name DEFAULT100 icmp
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 3
encr 3des
group 2
crypto isakmp nat keepalive 20
!
crypto isakmp client configuration group cbcvpnuser
key 0 xxxxxxxxx
dns 192.168.2.2 195.200.0.76
wins 192.168.2.2
pool SDM_POOL_1
acl 104
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
set transform-set ESP-3DES-SHA
reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
!
interface Loopback0
ip address 1.1.1.1 255.255.255.0
!
interface Null0
no ip unreachables
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
no ip redirects
no ip unreachables
no ip proxy-arp
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface BRI0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
shutdown
no cdp enable
!
interface FastEthernet0
description $FW_INSIDE$$ETH-LAN$xxxxxx xxx LAN
ip address 192.168.2.1 255.255.255.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip route-cache flow
ip policy route-map OUT
speed auto
no cdp enable
!
interface Dialer1
description $FW_OUTSIDE$CBC ADSL Dialer
ip address xxxxxxxxx 255.255.255.224
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect DEFAULT100 out
encapsulation ppp
ip route-cache flow
dialer pool 1
ppp authentication chap callin
ppp chap hostname xxxxxxxxx
ppp chap password 7 045F0E000C2E41
crypto map SDM_CMAP_1
!
ip local pool SDM_POOL_1 192.168.3.200 192.168.3.210
ip nat pool DCHP_pool xxxxxxxxx xxxxxxxxx netmask 255.255.255.224
ip nat inside source route-map SDM_RMAP_1 pool DCHP_pool overload
ip nat inside source static 192.168.2.2 xxxxxxxxx
ip nat inside source static 192.168.2.130 xxxxxxxxx.130 THIS IS THE MAIL SERVER'S NATTED IP
ip nat inside source static 192.168.2.140 xxxxxxxxx.140
ip nat inside source static 192.168.2.141 xxxxxxxxx.141
ip nat inside source static 192.168.2.142 xxxxxxxxx.142
ip nat inside source static 192.168.2.143 xxxxxxxxx.143
ip nat inside source static 192.168.2.144 xxxxxxxxx.144
ip nat inside source static 192.168.2.145 xxxxxxxxx.145
ip nat inside source static 192.168.2.146 xxxxxxxxx.146
ip nat inside source static 192.168.2.147 xxxxxxxxx.147
ip nat inside source static 192.168.2.148 xxxxxxxxx.148
ip nat inside source static 192.168.2.149 xxxxxxxxx.149
ip nat inside source static 192.168.2.132 xxxxxxxxx.132
ip nat inside source static 192.168.2.136 xxxxxxxxx.136
ip nat inside source static 192.168.2.133 xxxxxxxxx.133
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
!
!
!
ip access-list extended NATOUT
permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
ip access-list extended nat
deny ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
deny ip 192.168.2.0 0.0.0.255 host 192.168.2.209
deny ip 192.168.2.0 0.0.0.255 host 192.168.2.210
permit ip 192.168.2.0 0.0.0.255 any
logging trap debugging
logging xxxxxxxxx
access-list 1 remark HTTP Access-class list
access-list 1 remark SDM_ACL Category=1
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 1 deny any
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 permit ip any any
access-list 100 deny ip xxxxxxxxx 0.0.0.31 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit udp any host xxxxxxxxx eq non500-isakmp
access-list 101 permit udp any host xxxxxxxxx eq isakmp
access-list 101 permit esp any host xxxxxxxxx
access-list 101 permit ahp any host xxxxxxxxx
access-list 101 permit ip 192.168.2.0 0.0.0.255 any log
access-list 101 permit tcp any eq ftp any eq ftp
access-list 101 permit icmp any host xxxxxxxxx echo-reply
access-list 101 permit icmp any host xxxxxxxxx time-exceeded
access-list 101 permit icmp any host xxxxxxxxx unreachable
access-list 101 permit ip host 192.168.1.20 any
access-list 101 permit ip host 69.3.40.74 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any log
access-list 101 deny ip 172.16.0.0 0.15.255.255 any log
access-list 101 deny ip 192.168.0.0 0.0.255.255 any log
access-list 101 deny ip 127.0.0.0 0.255.255.255 any log
access-list 101 deny ip host 255.255.255.255 any log
access-list 101 deny ip host 0.0.0.0 any log
access-list 101 deny ip any any log
access-list 102 remark VTY Access-class list
access-list 102 remark SDM_ACL Category=1
access-list 102 permit ip 192.168.2.0 0.0.0.255 any
access-list 102 deny ip any any
access-list 103 remark SDM_ACL Category=4
access-list 103 permit ip 192.168.2.0 0.0.0.255 any
access-list 104 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 150 permit ip 192.168.3.0 0.0.0.255 any
access-list 150 permit ip any 192.168.3.0 0.0.0.255
access-list 160 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
no cdp run
!
route-map OUT permit 10
match ip address 160
set ip next-hop 1.1.1.2
!
route-map SDM_RMAP_1 permit 1
match ip address nat
!
radius-server authorization permit missing Service-Type
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
transport output telnet
line aux 0
transport output telnet
line vty 0 4
transport input telnet ssh
line vty 5 15
transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
!
end
I would appreciate some help. Thanks.
version 12.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname XXXXXXXX
!
security authentication failure rate 3 log
security passwords min-length 6
logging queue-limit 100
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$6lU0$4hMYCP7qkZtXXEOn1q
!
username xxxxxxxxx privilege 15 password 7 121D561111040254242E
username xxxxxxxxx privilege 2 secret 5 $1$mmBz$F8q7RtY474UQtcT/1I
username xxxxxxxxx privilege 2 secret 5 $1$Ls8t$4PrAOP894wyEornCM3
username xxxxxxxxx privilege 2 secret 5 $1$7Fpz$gqHGdzyK4hS7vaUmPn
username xxxxxxxxx privilege 2 secret 5 $1$RQPH$FihXg.2DP3v5Y94GHR
username xxxxxxxxx privilege 2 secret 5 $1$9tC7$HfoIHK74BXSpEoJRBD
username xxxxxxxxx privilege 2 secret 5 $1$S3cx$BTcFtVWhC0YT62VXCA
username xxxxxxxxx privilege 2 secret 5 $1$cKWx$cWe4iIgwH3haA.2pCm
username xxxxxxxxx privilege 2 secret 5 $1$LYu0$HmYuOQI7txDiMdf4QV
username xxxxxxxxx privilege 2 secret 5 $1$zm7Q$j7nZCcHtvOwN.jhMs9
username xxxxxxxxx privilege 15 secret 5 $1$NZ4M$Qpd0nD11M4ftpBqy3I
clock timezone London 0
clock summer-time London date Mar 30 2003 1:00 Oct 26 2003 2:00
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
aaa session-id common
ip subnet-zero
no ip source-route
!
!
ip domain name xxxxxxxxx.co.uk
ip name-server 195.200.0.78
ip name-server 195.200.0.71
ip name-server 192.200.0.76
!
!
no ip bootp server
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 smtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip inspect name DEFAULT100 icmp
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 3
encr 3des
group 2
crypto isakmp nat keepalive 20
!
crypto isakmp client configuration group cbcvpnuser
key 0 xxxxxxxxx
dns 192.168.2.2 195.200.0.76
wins 192.168.2.2
pool SDM_POOL_1
acl 104
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
set transform-set ESP-3DES-SHA
reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
!
interface Loopback0
ip address 1.1.1.1 255.255.255.0
!
interface Null0
no ip unreachables
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
no ip redirects
no ip unreachables
no ip proxy-arp
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface BRI0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
shutdown
no cdp enable
!
interface FastEthernet0
description $FW_INSIDE$$ETH-LAN$xxxxxx
ip address 192.168.2.1 255.255.255.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip route-cache flow
ip policy route-map OUT
speed auto
no cdp enable
!
interface Dialer1
description $FW_OUTSIDE$CBC ADSL Dialer
ip address xxxxxxxxx 255.255.255.224
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect DEFAULT100 out
encapsulation ppp
ip route-cache flow
dialer pool 1
ppp authentication chap callin
ppp chap hostname xxxxxxxxx
ppp chap password 7 045F0E000C2E41
crypto map SDM_CMAP_1
!
ip local pool SDM_POOL_1 192.168.3.200 192.168.3.210
ip nat pool DCHP_pool xxxxxxxxx xxxxxxxxx netmask 255.255.255.224
ip nat inside source route-map SDM_RMAP_1 pool DCHP_pool overload
ip nat inside source static 192.168.2.2 xxxxxxxxx
ip nat inside source static 192.168.2.130 xxxxxxxxx.130 THIS IS THE MAIL SERVER'S NATTED IP
ip nat inside source static 192.168.2.140 xxxxxxxxx.140
ip nat inside source static 192.168.2.141 xxxxxxxxx.141
ip nat inside source static 192.168.2.142 xxxxxxxxx.142
ip nat inside source static 192.168.2.143 xxxxxxxxx.143
ip nat inside source static 192.168.2.144 xxxxxxxxx.144
ip nat inside source static 192.168.2.145 xxxxxxxxx.145
ip nat inside source static 192.168.2.146 xxxxxxxxx.146
ip nat inside source static 192.168.2.147 xxxxxxxxx.147
ip nat inside source static 192.168.2.148 xxxxxxxxx.148
ip nat inside source static 192.168.2.149 xxxxxxxxx.149
ip nat inside source static 192.168.2.132 xxxxxxxxx.132
ip nat inside source static 192.168.2.136 xxxxxxxxx.136
ip nat inside source static 192.168.2.133 xxxxxxxxx.133
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
!
!
!
ip access-list extended NATOUT
permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
ip access-list extended nat
deny ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
deny ip 192.168.2.0 0.0.0.255 host 192.168.2.209
deny ip 192.168.2.0 0.0.0.255 host 192.168.2.210
permit ip 192.168.2.0 0.0.0.255 any
logging trap debugging
logging xxxxxxxxx
access-list 1 remark HTTP Access-class list
access-list 1 remark SDM_ACL Category=1
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 1 deny any
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 permit ip any any
access-list 100 deny ip xxxxxxxxx 0.0.0.31 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit udp any host xxxxxxxxx eq non500-isakmp
access-list 101 permit udp any host xxxxxxxxx eq isakmp
access-list 101 permit esp any host xxxxxxxxx
access-list 101 permit ahp any host xxxxxxxxx
access-list 101 permit ip 192.168.2.0 0.0.0.255 any log
access-list 101 permit tcp any eq ftp any eq ftp
access-list 101 permit icmp any host xxxxxxxxx echo-reply
access-list 101 permit icmp any host xxxxxxxxx time-exceeded
access-list 101 permit icmp any host xxxxxxxxx unreachable
access-list 101 permit ip host 192.168.1.20 any
access-list 101 permit ip host 69.3.40.74 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any log
access-list 101 deny ip 172.16.0.0 0.15.255.255 any log
access-list 101 deny ip 192.168.0.0 0.0.255.255 any log
access-list 101 deny ip 127.0.0.0 0.255.255.255 any log
access-list 101 deny ip host 255.255.255.255 any log
access-list 101 deny ip host 0.0.0.0 any log
access-list 101 deny ip any any log
access-list 102 remark VTY Access-class list
access-list 102 remark SDM_ACL Category=1
access-list 102 permit ip 192.168.2.0 0.0.0.255 any
access-list 102 deny ip any any
access-list 103 remark SDM_ACL Category=4
access-list 103 permit ip 192.168.2.0 0.0.0.255 any
access-list 104 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 150 permit ip 192.168.3.0 0.0.0.255 any
access-list 150 permit ip any 192.168.3.0 0.0.0.255
access-list 160 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
no cdp run
!
route-map OUT permit 10
match ip address 160
set ip next-hop 1.1.1.2
!
route-map SDM_RMAP_1 permit 1
match ip address nat
!
radius-server authorization permit missing Service-Type
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
transport output telnet
line aux 0
transport output telnet
line vty 0 4
transport input telnet ssh
line vty 5 15
transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
!
end
I would appreciate some help. Thanks.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Have you found a solution?
Do you need more information?
This question will be classified as abandoned soon if we don't get some feedback from you.
Can you close out this question? See here for details:
https://www.experts-exchange.com/help.jsp#hs5
Thanks for your attention!