jagdhillon asked:

Cisco Router & PIX 515 allow Email through firewall to Exchange server

I need some help configuring the router/PIX to allow email to be forwarded on to our local Exchange server.

What needs to be configured on the router and firewall to allow the company's email from the external MX record 195.x.x.139 to get to the local Exchange server 10.248.8.1?

Current router config:
interface FastEthernet0
 description connected to EthernetLAN
 ip address 195.x.x.137 255.255.255.x
 ip access-group 115 in
 ip nat inside
 speed auto
!
interface Serial0
 ip address 194.170.x.x 255.255.255.x
 ip access-group 115 in
 ip nat outside
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0
no ip http server
!
access-list 115 deny   udp any any eq tftp
access-list 115 deny   tcp any any eq 135
access-list 115 deny   udp any any eq 135
access-list 115 deny   udp any any eq netbios-ns
access-list 115 deny   udp any any eq netbios-dgm
access-list 115 deny   udp any any eq netbios-ss
access-list 115 deny   tcp any any eq 139
access-list 115 deny   tcp any any eq 445
access-list 115 deny   tcp any any eq 593
access-list 115 deny   tcp any any eq 4444
access-list 115 permit ip any any
dialer-list 1 protocol ip permit

Current PIX Firewall:

interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
access-list aclin permit icmp any any
access-list aclin permit icmp host 195.x.x.139 any
access-list aclin permit tcp host 195.x.x.139 eq smtp any
access-list aclin permit tcp host 195.x.x.139 eq www any
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 195.x.x.138 255.255.255.x
ip address inside 10.248.200.3 255.255.0.0
ip address intf2 127.0.0.1 255.255.255.255
arp timeout 14400
global (outside) 1 195.x.x.140
nat (inside) 0 access-list 110
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group aclin in interface outside
route outside 0.0.0.0 0.0.0.0 195.x.x.137 1
route inside 10.235.0.0 255.255.0.0 10.248.200.2 1
route inside 10.237.0.0 255.255.0.0 10.248.200.2 1
route inside 10.240.0.0 255.255.0.0 10.248.200.4 1
route inside 10.242.0.0 255.255.0.0 10.248.200.5 1
route inside 10.243.0.0 255.255.0.0 10.248.200.4 1
route inside 10.244.0.0 255.255.0.0 10.248.200.4 1
route inside 10.245.0.0 255.255.0.0 10.248.200.4 1
route inside 10.246.0.0 255.255.0.0 10.248.200.5 1
route inside 10.247.0.0 255.255.0.0 10.248.200.8 1
route inside 10.255.0.0 255.255.0.0 10.248.200.2 1
route inside 192.168.9.0 255.255.255.0 10.248.200.2 1
route inside 192.168.11.0 255.255.255.0 10.248.200.2 1
naveedb:

You can add a static NAT translation on the PIX to point to the internal mail server. If it does not work, then where is the MX located with respect to the ROUTER and PIX? Is it a DMZ that you are trying to have? What is the default gateway on your external MX? Can you paste complete configurations of the router and PIX?
If your router isn't blocking any inbound TCP connections to the 195.x.x.139 address, without seeing the rest of your PIX or router configs, here's what you'll want to do on the PIX:

no fixup protocol smtp 25  <- important for an Exchange server
clear xlate
static (inside,outside) 195.x.x.139 10.248.8.1
no access-list aclin permit tcp host 195.x.x.139 eq smtp any  <- line is "backwards"
no access-list aclin permit tcp host 195.x.x.139 eq www any  <- line is "backwards"
access-list aclin permit tcp any host 195.x.x.139 eq smtp
access-list aclin permit tcp any host 195.x.x.139 eq www
access-group aclin in interface outside

If you are still having problems, please post your entire "sanitized" configs for both router & PIX (passwords removed, public IPs masked as you've done above).

cheers
Note: the above assumes you're not NAT'ing 195.x.x.139 to a different IP to the outside on your router.

cheers
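The two lines the answer above calls "backwards" fail for a precise reason: in PIX access-list syntax an `eq PORT` that follows the source address restricts the source port, so `permit tcp host 195.x.x.139 eq smtp any` only matches packets leaving the mail server from port 25, never an inbound connection to it. The following evaluator, added here as an example and not code from the thread or from Cisco, parses the subset of PIX 6.x access-list syntax used in the thread and evaluates a constructed inbound SMTP packet against the original and the corrected `aclin` lines. The public address 195.0.0.139 is a stand-in for the masked 195.x.x.139, and the remote MTA address 203.0.113.10 is constructed for the test.

```python
"""Evaluate PIX 6.x-style access-list entries with first-match semantics.

Added example, not from the original thread. Supports the syntax seen in
the thread: 'any', 'host A.B.C.D', 'A.B.C.D MASK', and an optional
'eq PORT' after either address. 195.0.0.139 stands in for the masked
195.x.x.139 public address of the mail server (assumption).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Subset of the service names the PIX accepts in place of port numbers.
PORT_NAMES = {"smtp": 25, "www": 80, "http": 80, "telnet": 23}


@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    sport: Optional[int]         # None means any source port
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # None means any destination port


def _port(tok: str) -> int:
    return PORT_NAMES.get(tok) or int(tok)


def parse_ace(line: str) -> Ace:
    """Parse 'access-list NAME permit|deny PROTO SRC [eq P] DST [eq P]'.

    An 'eq PORT' directly after the source address binds to the SOURCE
    port; only an 'eq PORT' after the destination address binds to the
    destination port. That is the whole difference between the two
    "backwards" lines and their corrected form.
    """
    toks = line.split()
    if toks[0] != "access-list":
        raise ValueError("not an access-list line: %r" % line)
    action, proto = toks[2], toks[3]
    i = 4

    def take_addr() -> ipaddress.IPv4Network:
        nonlocal i
        if toks[i] == "any":
            i += 1
            return ipaddress.ip_network("0.0.0.0/0")
        if toks[i] == "host":
            net = ipaddress.ip_network(toks[i + 1] + "/32")
            i += 2
            return net
        net = ipaddress.ip_network(f"{toks[i]}/{toks[i + 1]}", strict=False)
        i += 2
        return net

    def take_port() -> Optional[int]:
        nonlocal i
        if i < len(toks) and toks[i] == "eq":
            port = _port(toks[i + 1])
            i += 2
            return port
        return None

    src = take_addr()
    sport = take_port()
    dst = take_addr()
    dport = take_port()
    return Ace(action, proto, src, sport, dst, dport)


def permits(acl: List[Ace], proto: str, src_ip: str, dst_ip: str,
            sport: int, dport: int) -> bool:
    """First matching entry decides; no match means the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in acl:
        if ace.proto not in ("ip", proto):
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.sport is not None and ace.sport != sport:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action == "permit"
    return False


PUBLIC_MX = "195.0.0.139"   # stand-in for the masked 195.x.x.139

# The outside ACL as originally posted: port operator on the source side.
BEFORE = [parse_ace(l) for l in [
    "access-list aclin permit icmp any any",
    f"access-list aclin permit tcp host {PUBLIC_MX} eq smtp any",
    f"access-list aclin permit tcp host {PUBLIC_MX} eq www any",
]]

# The corrected lines from the answer: port operator on the destination side.
AFTER = [parse_ace(l) for l in [
    "access-list aclin permit icmp any any",
    f"access-list aclin permit tcp any host {PUBLIC_MX} eq smtp",
    f"access-list aclin permit tcp any host {PUBLIC_MX} eq www",
]]


def inbound_allowed(acl: List[Ace], dport: int) -> bool:
    """A constructed remote MTA (203.0.113.10, ephemeral port 40000) connecting
    to the mail server's public address on the given destination port."""
    return permits(acl, "tcp", "203.0.113.10", PUBLIC_MX, 40000, dport)


if __name__ == "__main__":
    for name, acl in (("before", BEFORE), ("after", AFTER)):
        print(name, "smtp:", inbound_allowed(acl, 25),
              "www:", inbound_allowed(acl, 80), "telnet:", inbound_allowed(acl, 23))
```

The entries are written against the public address rather than 10.248.8.1 because on PIX 6.x the access-list applied to the outside interface is matched before the static translation is applied, so the ACE must name the address the outside world sees. The evaluator also shows that the corrected list still denies everything other than TCP/25 and TCP/80 to that host, which is the exposure a mail relay should have.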
jagdhillon (asker):

router config:

************************************************
interface FastEthernet0
 description connected to EthernetLAN
 ip address 195.xxx.xxx.137 255.255.255.248
 ip access-group 115 in
 ip nat inside
 speed auto
!
interface Serial0
 ip address 194.xxx.xxx.238 255.255.255.252
 ip access-group 115 in
 ip nat outside
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0
no ip http server
!
access-list 115 deny   udp any any eq tftp
access-list 115 deny   tcp any any eq 135
access-list 115 deny   udp any any eq 135
access-list 115 deny   udp any any eq netbios-ns
access-list 115 deny   udp any any eq netbios-dgm
access-list 115 deny   udp any any eq netbios-ss
access-list 115 deny   tcp any any eq 139
access-list 115 deny   tcp any any eq 445
access-list 115 deny   tcp any any eq 593
access-list 115 deny   tcp any any eq 4444
access-list 115 permit ip any any
dialer-list 1 protocol ip permit
*************************************************

Pix Config:

interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
hostname firewall
domain-name xxx
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 110 permit ip 192.168.2.0 255.255.255.0 192.168.7.0 255.255.255.0
access-list 110 permit ip 192.168.2.0 255.255.255.0 1.0.0.0 255.0.0.0
access-list 110 permit ip 192.168.2.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list 110 permit ip 192.168.2.0 255.255.255.0 192.168.15.0 255.255.255.0
access-list 110 permit ip 192.168.2.0 255.255.255.0 192.168.12.0 255.255.252.0
access-list 110 permit ip 10.248.0.0 255.255.0.0 192.168.7.0 255.255.255.0
access-list 110 permit ip 10.248.0.0 255.255.0.0 192.168.12.0 255.255.252.0
access-list 110 permit ip 10.248.0.0 255.255.0.0 1.0.0.0 255.0.0.0
access-list 110 permit ip 10.248.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list 110 permit ip 10.248.0.0 255.255.0.0 10.249.0.0 255.255.0.0
access-list 110 permit ip 10.244.0.0 255.255.0.0 1.0.0.0 255.0.0.0
access-list 110 permit ip 10.244.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list 110 permit ip 10.245.0.0 255.255.0.0 1.0.0.0 255.0.0.0
access-list 110 permit ip 10.245.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list 110 permit ip 10.240.0.0 255.255.0.0 1.0.0.0 255.0.0.0
access-list 110 permit ip 10.240.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list 110 permit ip 10.243.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list 110 permit ip 10.243.0.0 255.255.0.0 1.0.0.0 255.0.0.0
access-list 110 permit ip 10.242.0.0 255.255.0.0 1.0.0.0 255.0.0.0
access-list 110 permit ip 10.255.0.0 255.255.0.0 1.0.0.0 255.0.0.0
access-list 110 permit ip 10.242.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list 110 permit ip 192.168.11.0 255.255.255.0 1.0.0.0 255.0.0.0
access-list 110 permit ip 192.168.11.0 255.250.255.0 10.0.0.0 255.0.0.0
access-list 110 permit ip 10.255.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list 110 permit ip 10.240.0.0 255.255.0.0 192.168.0.0 255.255.255.0
access-list 110 permit ip 10.237.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list 110 permit ip 10.237.0.0 255.255.0.0 1.0.0.0 255.0.0.0
access-list 110 permit ip 10.248.0.0 255.255.0.0 10.238.0.0 255.255.0.0
access-list 110 permit ip 10.248.0.0 255.255.0.0 10.230.0.0 255.255.0.0
access-list 110 permit ip 10.248.0.0 255.255.0.0 10.236.0.0 255.255.0.0
access-list 110 permit ip 10.235.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list 110 permit ip 10.235.0.0 255.255.0.0 1.0.0.0 255.0.0.0
access-list 110 permit ip 10.248.0.0 255.255.0.0 10.233.0.0 255.255.0.0
access-list 110 permit ip 10.246.0.0 255.255.0.0 1.0.0.0 255.0.0.0
access-list 110 permit ip 10.246.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list 110 permit ip 10.248.0.0 255.255.0.0 10.247.0.0 255.255.0.0
access-list 110 permit ip 10.247.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list 130 permit ip 192.168.2.0 255.255.255.0 192.168.7.0 255.255.255.0
access-list 130 permit ip 10.248.0.0 255.255.0.0 192.168.7.0 255.255.255.0
access-list 130 permit ip 10.248.0.0 255.255.0.0 10.238.0.0 255.255.0.0
access-list 120 permit ip 192.168.2.0 255.255.255.0 1.0.0.0 255.0.0.0
access-list 120 permit ip 192.168.2.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list 120 permit ip 192.168.2.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list 120 permit ip 192.168.2.0 255.255.255.0 192.168.15.0 255.255.255.0
access-list 120 permit ip 192.168.2.0 255.255.255.0 192.168.12.0 255.255.252.0
access-list 140 permit ip 192.168.2.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list 140 permit ip 192.168.2.0 255.255.255.0 1.0.0.0 255.0.0.0
access-list 140 permit ip 10.248.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list 140 permit ip 10.248.0.0 255.255.0.0 1.0.0.0 255.0.0.0
access-list 140 permit ip 10.244.0.0 255.255.0.0 1.0.0.0 255.0.0.0
access-list 140 permit ip 10.244.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list 140 permit ip 10.245.0.0 255.255.0.0 1.0.0.0 255.0.0.0
access-list 140 permit ip 10.245.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list 140 permit ip 10.246.0.0 255.255.0.0 1.0.0.0 255.0.0.0
access-list 140 permit ip 10.246.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list 140 permit ip 10.240.0.0 255.255.0.0 1.0.0.0 255.0.0.0
access-list 140 permit ip 10.240.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list 140 permit ip 10.243.0.0 255.255.0.0 1.0.0.0 255.0.0.0
access-list 140 permit ip 10.255.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list 140 permit ip 10.242.0.0 255.255.0.0 1.0.0.0 255.0.0.0
access-list 140 permit ip 10.255.0.0 255.255.0.0 1.0.0.0 255.0.0.0
access-list 140 permit ip 10.242.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list 140 permit ip 192.168.11.0 255.255.255.2 1.0.0.0 255.0.0.0
access-list 140 permit ip 192.168.11.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list 140 permit ip 10.237.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list 140 permit ip 10.237.0.0 255.255.0.0 1.0.0.0 255.0.0.0
access-list 140 permit ip 10.243.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list 140 permit ip 10.235.0.0 255.255.0.0 1.0.0.0 255.0.0.0
access-list 140 permit ip 10.235.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list 140 permit ip 10.247.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list 150 permit ip 192.168.2.0 255.255.255.0 192.168.12.0 255.255.252.0
access-list 150 permit ip 192.168.2.0 255.255.255.0 192.168.15.0 255.255.255.0
access-list 150 permit ip 10.248.0.0 255.255.0.0 192.168.12.0 255.255.252.0
access-list 160 permit ip 10.248.0.0 255.255.0.0 10.249.0.0 255.255.0.0
access-list 160 permit ip 10.248.0.0 255.255.0.0 10.236.0.0 255.255.0.0
access-list 180 permit ip 10.240.0.0 255.255.0.0 192.168.0.0 255.255.255.0
access-list 180 permit udp 10.240.0.0 255.255.0.0 192.168.0.0 255.255.255.0 eq isakmp
access-list 180 permit udp 10.240.0.0 255.255.0.0 192.168.0.0 255.255.255.0
access-list 180 permit udp 10.244.0.0 255.255.0.0 192.168.0.0 255.255.255.0
access-list 180 permit ip 10.244.0.0 255.255.0.0 192.168.0.0 255.255.255.0
access-list 190 permit ip 10.248.0.0 255.255.0.0 10.230.0.0 255.255.0.0
pager lines 24
logging on
logging timestamp
logging trap debugging
logging history debugging
logging facility 21
logging host inside 10.248.92.75
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 195.xxx.xxx.138 255.255.255.248
ip address inside 10.248.200.3 255.255.0.0
ip address intf2 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
arp timeout 14400
global (outside) 1 195.xxx.xxx.140
nat (inside) 0 access-list 110
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 195.xxx.xxx.137 1
route inside 10.235.0.0 255.255.0.0 10.248.200.2 1
route inside 10.237.0.0 255.255.0.0 10.248.200.2 1
route inside 10.240.0.0 255.255.0.0 10.248.200.4 1
route inside 10.242.0.0 255.255.0.0 10.248.200.5 1
route inside 10.243.0.0 255.255.0.0 10.248.200.4 1
route inside 10.244.0.0 255.255.0.0 10.248.200.4 1
route inside 10.245.0.0 255.255.0.0 10.248.200.4 1
route inside 10.246.0.0 255.255.0.0 10.248.200.5 1
route inside 10.247.0.0 255.255.0.0 10.248.200.8 1
route inside 10.255.0.0 255.255.0.0 10.248.200.2 1
route inside 192.168.9.0 255.255.255.0 10.248.200.2 1
route inside 192.168.11.0 255.255.255.0 10.248.200.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.248.92.75 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
ASKER CERTIFIED SOLUTION
calvinetter