  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1268
  • Last Modified:

How do I open up my Cisco router/firewall to allow IMAP access to Exchange 2003 for Google Apps migration?

I'm in a small office with an Exchange server (Windows Small Business Server).  We want to transition to using Google Apps for email and want to migrate existing mail to Google.  It seems like the best way to do that is IMAP Migration.  http://www.google.com/support/a/bin/answer.py?hl=en&answer=57920

We have never used IMAP on the Exchange server.  I think I have IMAP enabled correctly in Exchange, but can't figure out how to punch a hole in the firewall.

We have a Cisco 2821 router with IOS 12.4 and SDM 2.3.4.  Can anyone help?
Asked by: somacomm
1 Solution
 
ccomley commented:
IMAP uses TCP port 143, so you need

- a nat mapping connecting the Exchange Server to a public IP address, if it isn't already
- a firewall rule permitting Port 143 TCP inward access from anywhere.

 
Faruk Onder Yerli commented:
Could you please send your entire 2821 configuration? We may be able to help you quickly.
 
somacomm (Author) commented:
Here's the configuration (result of hitting "View Running Config" button on the SDM Home screen)

Building configuration...
 
Current configuration : 13857 bytes
!
! Last configuration change at 18:42:09 UTC Wed Apr 22 2009 by justin
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname SOMA-6TH-AVE-RTR
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
enable secret 5 $1$NSXT$dKPQemTYKIXidY4UhwQBz1
!
aaa new-model
!
!
aaa group server radius central3
 server 192.168.10.200 auth-port 1812 acct-port 1813
!
aaa authentication login default local
aaa authentication login userauthen group central3 local
aaa authorization exec default local if-authenticated 
aaa authorization network groupauthor local 
!
aaa session-id common
!
!
ip cef
ip dhcp excluded-address 192.168.10.150 192.168.10.254
!
!
ip domain name somacomm.us
ip name-server 192.168.10.200
ip inspect name SDM-LOW smtp
ip inspect name SDM-LOW imap
ip inspect name SDM-LOW imaps
ip inspect name SDM-LOW imap3
ip inspect name SDM-LOW pop3
ip inspect name SDM-LOW pop3s
ip inspect name SDM-LOW https
ip inspect name SDM-LOW http
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip ips sdf location flash://128MB.sdf autosave
ip ips notify SDEE
!
!
voice-card 0
 no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username josfergu privilege 15 password 7 03275A063400321C1D594A
username justin privilege 15 password 7 044F020B1A364D5E
!
!
ip ftp source-interface GigabitEthernet0/1.20
ip ftp username anonymous
ip ftp password 7 1303181D2B0A0B256527273E
!
policy-map PUBLIC-IN
 class class-default
   police cir 256000 pir 384000
     conform-action transmit 
     exceed-action drop 
!
! 
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group somavpn
 key s0m@vpn
 dns 192.168.10.200
 domain somacomm.us
 pool vpn-pool
 acl 103
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac 
!
crypto dynamic-map dynmap 10
 set transform-set myset 
 reverse-route
!
!
crypto map somamap client authentication list userauthen
crypto map somamap isakmp authorization list groupauthor
crypto map somamap client configuration address respond
crypto map somamap 10 ipsec-isakmp dynamic dynmap 
!
!
!
!
interface GigabitEthernet0/0
 description $ETH-WAN$$FW_OUTSIDE$
 ip address 64.122.203.157 255.255.255.0
 ip access-group 109 in
 ip verify unicast reverse-path
 ip nat outside
 ip inspect SDM_LOW out
 ip virtual-reassembly
 duplex full
 speed 100
 crypto map somamap
!
interface GigabitEthernet0/1
 no ip address
 duplex full
 speed 100
!
interface GigabitEthernet0/1.10
 description $FW_INSIDE$
 encapsulation dot1Q 10
 ip address 192.168.10.254 255.255.255.0
 ip access-group 107 in
 ip nat inside
 ip virtual-reassembly
!
interface GigabitEthernet0/1.20
 description $ETH-LAN$$FW_INSIDE$
 encapsulation dot1Q 20
 ip address 192.168.20.254 255.255.255.0
 ip access-group 108 in
 ip helper-address 192.168.10.200
 no ip redirects
 no ip unreachables
 ip nat inside
 ip virtual-reassembly
 service-policy input PUBLIC-IN
!
interface Serial0/0/0
 no ip address
 shutdown
 no fair-queue
!
ip local pool vpn-pool 192.168.11.1 192.168.11.254
ip route 0.0.0.0 0.0.0.0 64.122.203.1
!
!
ip http server
ip http authentication local
no ip http secure-server
ip nat inside source static tcp 192.168.10.200 25 interface GigabitEthernet0/0 25
ip nat inside source route-map SDM_RMAP_2 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 192.168.10.200 443 interface GigabitEthernet0/0 443
ip nat inside source static tcp 192.168.10.200 110 interface GigabitEthernet0/0 110
!
ip access-list extended INET-->IN
 permit tcp any host 64.122.203.157 eq 22
 permit esp any host 64.122.203.157
 permit udp any host 64.122.203.157 eq isakmp
 permit icmp any any echo-reply
 permit udp host 204.130.255.3 eq domain any
 permit udp host 64.122.32.71 eq domain any
 permit udp host 192.43.244.18 eq ntp any eq ntp
 permit udp host 131.107.1.10 eq ntp any eq ntp
 deny   ip any any log
ip access-list extended sdm_gigabitethernet0/1.20_in
 remark SDM_ACL Category=1
 remark Auto generated by SDM for NTP (123) 192.43.244.18
 permit udp host 192.43.244.18 eq ntp host 192.168.20.254 eq ntp
 remark Auto generated by SDM for NTP (123) 131.107.1.10
 permit udp host 131.107.1.10 eq ntp host 192.168.20.254 eq ntp
 deny   ip any 192.168.10.0 0.0.0.255
 deny   ip any 192.168.11.0 0.0.0.255
 permit ip any any
!
ip radius source-interface GigabitEthernet0/1.10 
access-list 10 permit 192.168.10.0 0.0.0.255
access-list 20 remark SDM_ACL Category=16
access-list 20 permit 192.168.20.0 0.0.0.255
access-list 20 permit 192.168.10.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 permit udp host 192.168.10.200 eq 1812 any
access-list 100 permit udp host 192.168.10.200 eq 1813 any
access-list 100 permit udp host 192.168.10.200 eq 1812 host 192.168.10.254
access-list 100 permit udp host 192.168.10.200 eq 1813 host 192.168.10.254
access-list 100 remark Auto generated by SDM for NTP (123) 192.43.244.18
access-list 100 permit udp host 192.43.244.18 eq ntp host 192.168.10.254 eq ntp
access-list 100 remark Auto generated by SDM for NTP (123) 131.107.1.10
access-list 100 permit udp host 131.107.1.10 eq ntp host 192.168.10.254 eq ntp
access-list 100 deny   ip 64.122.203.0 0.0.0.255 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark SDM_ACL Category=16
access-list 101 permit ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 101 permit ip 192.168.20.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 permit ip 192.168.11.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 102 permit ip 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 102 permit tcp any host 64.122.203.157 eq pop3
access-list 102 permit tcp any host 64.122.203.157 eq 443
access-list 102 permit tcp any host 64.122.203.157 eq smtp
access-list 102 permit tcp any host 64.122.203.157 eq 22
access-list 102 permit udp host 64.122.32.71 eq domain host 64.122.203.157
access-list 102 permit udp host 204.130.255.3 eq domain host 64.122.203.157
access-list 102 remark Auto generated by SDM for NTP (123) 192.43.244.18
access-list 102 permit udp host 192.43.244.18 eq ntp host 64.122.203.157 eq ntp
access-list 102 remark Auto generated by SDM for NTP (123) 131.107.1.10
access-list 102 permit udp host 131.107.1.10 eq ntp host 64.122.203.157 eq ntp
access-list 102 permit ahp any host 64.122.203.157
access-list 102 permit esp any host 64.122.203.157
access-list 102 permit udp any host 64.122.203.157 eq isakmp
access-list 102 permit udp any host 64.122.203.157 eq non500-isakmp
access-list 102 permit icmp any host 64.122.203.157 echo-reply
access-list 102 permit icmp any host 64.122.203.157 time-exceeded
access-list 102 permit icmp any host 64.122.203.157 unreachable
access-list 102 permit ip 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255 log
access-list 102 deny   ip 10.0.0.0 0.255.255.255 any
access-list 102 deny   ip 172.16.0.0 0.15.255.255 any
access-list 102 deny   ip 192.168.0.0 0.0.255.255 any
access-list 102 deny   ip 127.0.0.0 0.255.255.255 any
access-list 102 deny   ip host 255.255.255.255 any
access-list 102 deny   ip host 0.0.0.0 any
access-list 102 deny   ip any any log
access-list 103 remark SDM_ACL Category=4
access-list 103 permit ip 192.168.10.0 0.0.0.255 any
access-list 103 permit ip 192.168.20.0 0.0.0.255 any
access-list 104 remark SDM_ACL Category=2
access-list 104 deny   ip any 192.168.11.0 0.0.0.255
access-list 104 deny   ip 192.168.20.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 104 deny   ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 104 permit ip 192.168.10.0 0.0.0.255 any
access-list 104 permit ip 192.168.20.0 0.0.0.255 any
access-list 105 remark auto generated by SDM firewall configuration
access-list 105 remark SDM_ACL Category=1
access-list 105 deny   ip host 255.255.255.255 any
access-list 105 deny   ip 127.0.0.0 0.255.255.255 any
access-list 105 permit ip any any
access-list 106 remark auto generated by SDM firewall configuration
access-list 106 remark SDM_ACL Category=1
access-list 106 permit ip 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 106 permit tcp any host 64.122.203.157 eq smtp
access-list 106 permit tcp any host 64.122.203.157 eq 443
access-list 106 permit tcp any host 64.122.203.157 eq pop3
access-list 106 permit udp any eq domain host 64.122.203.157
access-list 106 permit tcp any eq www host 64.122.203.157
access-list 106 remark Auto generated by SDM for NTP (123) 192.43.244.18
access-list 106 permit udp host 192.43.244.18 eq ntp host 64.122.203.157 eq ntp
access-list 106 remark Auto generated by SDM for NTP (123) 131.107.1.10
access-list 106 permit udp host 131.107.1.10 eq ntp host 64.122.203.157 eq ntp
access-list 106 permit ahp any host 64.122.203.157
access-list 106 permit esp any host 64.122.203.157
access-list 106 permit udp any host 64.122.203.157 eq isakmp
access-list 106 permit udp any host 64.122.203.157 eq non500-isakmp
access-list 106 deny   ip 192.168.10.0 0.0.0.255 any
access-list 106 permit icmp any host 64.122.203.157 echo-reply
access-list 106 permit icmp any host 64.122.203.157 time-exceeded
access-list 106 permit icmp any host 64.122.203.157 unreachable
access-list 106 deny   ip 10.0.0.0 0.255.255.255 any
access-list 106 deny   ip 172.16.0.0 0.15.255.255 any
access-list 106 deny   ip 192.168.0.0 0.0.255.255 any
access-list 106 deny   ip 127.0.0.0 0.255.255.255 any
access-list 106 deny   ip host 255.255.255.255 any
access-list 106 deny   ip host 0.0.0.0 any
access-list 106 deny   ip any any log
access-list 107 remark auto generated by SDM firewall configuration
access-list 107 remark SDM_ACL Category=1
access-list 107 deny   ip 64.122.203.0 0.0.0.255 any
access-list 107 deny   ip 192.168.20.0 0.0.0.255 any
access-list 107 deny   ip host 255.255.255.255 any
access-list 107 deny   ip 127.0.0.0 0.255.255.255 any
access-list 107 permit ip any any
access-list 108 remark auto generated by SDM firewall configuration
access-list 108 remark SDM_ACL Category=1
access-list 108 remark Auto generated by SDM for NTP (123) 192.43.244.18
access-list 108 permit udp host 192.43.244.18 eq ntp host 192.168.20.254 eq ntp
access-list 108 remark Auto generated by SDM for NTP (123) 131.107.1.10
access-list 108 permit udp host 131.107.1.10 eq ntp host 192.168.20.254 eq ntp
access-list 108 deny   ip 64.122.203.0 0.0.0.255 any
access-list 108 deny   ip 192.168.10.0 0.0.0.255 any
access-list 108 deny   ip host 255.255.255.255 any
access-list 108 deny   ip 127.0.0.0 0.255.255.255 any
access-list 108 permit ip any any
access-list 109 remark auto generated by SDM firewall configuration
access-list 109 remark SDM_ACL Category=1
access-list 109 permit ip 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 109 permit ip 192.168.11.0 0.0.0.255 any
access-list 109 permit ip 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255 log
access-list 109 permit tcp any host 64.122.203.157 eq smtp
access-list 109 permit tcp any host 64.122.203.157 eq 443
access-list 109 permit tcp any host 64.122.203.157 eq pop3
access-list 109 remark Auto generated by SDM for NTP (123) 192.43.244.18
access-list 109 permit udp host 192.43.244.18 eq ntp host 64.122.203.157 eq ntp
access-list 109 remark Auto generated by SDM for NTP (123) 131.107.1.10
access-list 109 permit udp host 131.107.1.10 eq ntp host 64.122.203.157 eq ntp
access-list 109 permit ahp any host 64.122.203.157
access-list 109 permit esp any host 64.122.203.157
access-list 109 permit udp any host 64.122.203.157 eq isakmp
access-list 109 permit udp any host 64.122.203.157 eq non500-isakmp
access-list 109 permit ip 192.168.11.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 109 deny   ip 192.168.10.0 0.0.0.255 any
access-list 109 deny   ip 192.168.20.0 0.0.0.255 any
access-list 109 permit udp any eq bootps any eq bootps
access-list 109 permit icmp any host 64.122.203.157 echo-reply
access-list 109 permit icmp any host 64.122.203.157 time-exceeded
access-list 109 permit icmp any host 64.122.203.157 unreachable
access-list 109 deny   ip 10.0.0.0 0.255.255.255 any
access-list 109 deny   ip 172.16.0.0 0.15.255.255 any
access-list 109 deny   ip 192.168.0.0 0.0.255.255 any
access-list 109 deny   ip 127.0.0.0 0.255.255.255 any
access-list 109 deny   ip host 255.255.255.255 any
access-list 109 deny   ip host 0.0.0.0 any
access-list 109 deny   ip any any log
access-list 199 remark SDM_ACL Category=16
access-list 199 permit ip any any
access-list 199 permit icmp any any
snmp-server community get#somanet RO 10
snmp-server location Soma 6th Ave Comm Closet
snmp-server contact Joshua Ferguson (425) 894-9012
!
route-map SDM_RMAP_2 permit 1
 match ip address 104
!
!
!
radius-server host 192.168.10.200 auth-port 1812 acct-port 1813 key 7 06155F2C4D5C081D041411
radius-server key 7 06155F2C4D5C081D041411
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 password 7 061207705F400C0D414307
 transport input ssh
!
scheduler allocate 20000 1000
ntp clock-period 17180460
ntp master 7
ntp server 192.43.244.18 source GigabitEthernet0/0
ntp server 131.107.1.10 source GigabitEthernet0/0 prefer
!
end

somacomm (Author) commented:
FYI: IMAP Migration according to Google requires:

Open firewall for access to IMAP server - Google will not be able to access your IMAP server in order to 'pull' messages if your organization's firewall blocks access to the IMAP server port. Please open access to the following IPs:

    64.233.160.0/19
    66.102.0.0/20
    66.249.80.0/20
    72.14.192.0/18
    74.125.0.0/16
    209.85.128.0/17
    216.239.32.0/19

http://google.com/support/a/bin/answer.py?answer=135949
 
somacomm (Author) commented:
ccomley wrote:
IMAP uses TCP port 143, so you need
- a nat mapping connecting the Exchange Server to a public IP address, if it isn't already
- a firewall rule permitting Port 143 TCP inward access from anywhere.

Thanks.  Can you show me how to set up the NAT mapping and the firewall rule?
 
Faruk Onder Yerli commented:
Please copy and paste this into your router in config mode. After that, Google can start to access your mail server.
interface GigabitEthernet0/0
 no ip access-group 109 in
exit
!
! Rebuild ACL 109: the inbound ACL is unapplied on Gi0/0 while it is rewritten
no access-list 109
access-list 109 remark auto generated by SDM firewall configuration
access-list 109 remark SDM_ACL Category=1
access-list 109 permit ip 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 109 permit ip 192.168.11.0 0.0.0.255 any
access-list 109 permit ip 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255 log
access-list 109 permit tcp any host 64.122.203.157 eq smtp
access-list 109 permit tcp any host 64.122.203.157 eq 443
access-list 109 permit tcp any host 64.122.203.157 eq pop3
!
! Added lines: TCP/143 permitted only from the Google source ranges
access-list 109 remark **************** Google IMAP4 access ******************
access-list 109 permit tcp 64.233.160.0 0.0.31.255 host 64.122.203.157 eq 143
access-list 109 permit tcp 66.102.0.0   0.0.15.255 host 64.122.203.157 eq 143
access-list 109 permit tcp 66.249.80.0  0.0.15.255 host 64.122.203.157 eq 143
access-list 109 permit tcp 72.14.192.0  0.0.63.255 host 64.122.203.157 eq 143
access-list 109 permit tcp 74.125.0.0   0.0.255.255 host 64.122.203.157 eq 143
access-list 109 permit tcp 209.85.128.0 0.0.127.255 host 64.122.203.157 eq 143
access-list 109 permit tcp 216.239.32.0 0.0.31.255 host 64.122.203.157 eq 143
access-list 109 remark *******************************************************
!
access-list 109 remark Auto generated by SDM for NTP (123) 192.43.244.18
access-list 109 permit udp host 192.43.244.18 eq ntp host 64.122.203.157 eq ntp
access-list 109 remark Auto generated by SDM for NTP (123) 131.107.1.10
access-list 109 permit udp host 131.107.1.10 eq ntp host 64.122.203.157 eq ntp
access-list 109 permit ahp any host 64.122.203.157
access-list 109 permit esp any host 64.122.203.157
access-list 109 permit udp any host 64.122.203.157 eq isakmp
access-list 109 permit udp any host 64.122.203.157 eq non500-isakmp
access-list 109 permit ip 192.168.11.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 109 deny   ip 192.168.10.0 0.0.0.255 any
access-list 109 deny   ip 192.168.20.0 0.0.0.255 any
access-list 109 permit udp any eq bootps any eq bootps
access-list 109 permit icmp any host 64.122.203.157 echo-reply
access-list 109 permit icmp any host 64.122.203.157 time-exceeded
access-list 109 permit icmp any host 64.122.203.157 unreachable
access-list 109 deny   ip 10.0.0.0 0.255.255.255 any
access-list 109 deny   ip 172.16.0.0 0.15.255.255 any
access-list 109 deny   ip 192.168.0.0 0.0.255.255 any
access-list 109 deny   ip 127.0.0.0 0.255.255.255 any
access-list 109 deny   ip host 255.255.255.255 any
access-list 109 deny   ip host 0.0.0.0 any
access-list 109 deny   ip any any log
access-list 199 remark SDM_ACL Category=16
access-list 199 permit ip any any
access-list 199 permit icmp any any
!
! Added line: static NAT so TCP/143 on the outside address reaches the Exchange server
ip nat inside source static tcp 192.168.10.200 143 interface GigabitEthernet0/0 143
!
! Re-apply the rebuilt ACL inbound on the WAN interface
interface GigabitEthernet0/0
 ip access-group 109 in
exit

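
The accepted answer above converts the Google CIDR blocks quoted earlier in the thread into IOS wildcard masks by hand and inserts them ahead of the closing deny in ACL 109. The following is an added example, not code from either post: it generates those permit lines from the CIDR list, and runs a small first-match evaluator (extended numbered ACL lines only, "eq" port qualifiers only) over the rebuilt ACL so the ordering can be checked offline before anything is pasted into the router. The public address 64.122.203.157 is taken from the posted config; the port-name table is an assumed mapping covering only the keywords that appear in that config.

```python
"""Added example for this thread (not code from the original posts).

Builds the IOS ACL lines that limit inbound IMAP (TCP/143) to the Google
source ranges quoted above, then evaluates the finished ACL first-match,
the way IOS does, so the ordering can be checked before it goes on the router.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Ranges exactly as quoted from Google's IMAP-migration help page in the thread.
GOOGLE_IMAP_SOURCES = [
    "64.233.160.0/19", "66.102.0.0/20", "66.249.80.0/20", "72.14.192.0/18",
    "74.125.0.0/16", "209.85.128.0/17", "216.239.32.0/19",
]

# Assumed mapping for the port keywords IOS prints in the posted config.
PORT_NAMES: Dict[str, int] = {
    "smtp": 25, "domain": 53, "www": 80, "pop3": 110, "ntp": 123,
    "imap": 143, "isakmp": 500, "imaps": 993,
}

AddrSpec = Tuple[ipaddress.IPv4Address, int]   # (base address, wildcard bits)


def cidr_to_wildcard(cidr: str) -> Tuple[str, str]:
    """64.233.160.0/19 -> ('64.233.160.0', '0.0.31.255'); the wildcard is the inverted netmask."""
    net = ipaddress.ip_network(cidr, strict=True)   # strict: reject host bits set in the prefix
    return str(net.network_address), str(net.hostmask)


def google_imap_acl(public_ip: str, acl: str = "109", port: int = 143) -> List[str]:
    """One permit per Google range; 'permit tcp any ... eq 143' is deliberately not emitted."""
    lines = [f"access-list {acl} remark Google IMAP4 access"]
    for cidr in GOOGLE_IMAP_SOURCES:
        net, wc = cidr_to_wildcard(cidr)
        lines.append(f"access-list {acl} permit tcp {net} {wc} host {public_ip} eq {port}")
    return lines


def demo_acl(public_ip: str) -> List[str]:
    """The rebuilt inbound ACL, reduced to the lines relevant to the mail ports."""
    return [
        f"access-list 109 permit tcp any host {public_ip} eq smtp",
        f"access-list 109 permit tcp any host {public_ip} eq 443",
        f"access-list 109 permit tcp any host {public_ip} eq pop3",
        *google_imap_acl(public_ip),
        "access-list 109 deny ip any any log",
    ]


def _addr(t: List[str], i: int) -> Tuple[AddrSpec, int]:
    """Parse 'any' | 'host A' | 'A WILDCARD' at t[i]; return the spec and the next index."""
    if t[i] == "any":
        return (ipaddress.IPv4Address("0.0.0.0"), 0xFFFFFFFF), i + 1
    if t[i] == "host":
        return (ipaddress.IPv4Address(t[i + 1]), 0), i + 2
    return (ipaddress.IPv4Address(t[i]), int(ipaddress.IPv4Address(t[i + 1]))), i + 2


def _port(t: List[str], i: int) -> Tuple[Optional[int], int]:
    """Optional 'eq PORT' qualifier after an address spec (no range/gt/lt support)."""
    if i < len(t) and t[i] == "eq":
        p = t[i + 1]
        return (PORT_NAMES[p] if p in PORT_NAMES else int(p)), i + 2
    return None, i


def _matches(spec: AddrSpec, ip: ipaddress.IPv4Address) -> bool:
    """Wildcard-mask match: bits set to 1 in the wildcard are don't-care."""
    base, wc = spec
    return (int(base) | wc) == (int(ip) | wc)


def evaluate(acl: List[str], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> Tuple[str, str]:
    """First matching entry wins; traffic matching nothing hits the implicit deny."""
    src_ip, dst_ip = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for line in acl:
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[2] == "remark":
            continue
        action, rproto = t[2], t[3]
        s, i = _addr(t, 4)
        _, i = _port(t, i)          # source-port qualifier: parsed but not evaluated here
        d, i = _addr(t, i)
        rport, i = _port(t, i)      # trailing tokens such as 'log' are ignored
        if rproto not in ("ip", proto):
            continue
        if not (_matches(s, src_ip) and _matches(d, dst_ip)):
            continue
        if rport is not None and rport != dport:
            continue
        return action, line
    return "deny", "implicit deny ip any any"


if __name__ == "__main__":
    acl = demo_acl("64.122.203.157")
    print("\n".join(google_imap_acl("64.122.203.157")))
    for src, port in [("74.125.10.20", 143), ("203.0.113.5", 143), ("74.125.10.20", 993)]:
        print(src, port, *evaluate(acl, "tcp", src, "64.122.203.157", port))
```

The evaluator only proves the ACL side of the change: a packet the ACL permits still needs the `ip nat inside source static tcp 192.168.10.200 143 interface GigabitEthernet0/0 143` entry from the answer to reach the Exchange server, and the existing `ip inspect SDM_LOW out` policy on Gi0/0 already lists imap, so return traffic is handled by CBAC. A source outside the listed Google ranges (203.0.113.5 in the example) falls through to the closing `deny ip any any log`, which is the difference between this ACL and the "from anywhere" rule suggested earlier in the thread.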
 
somacomm (Author) commented:
Thanks for the work you've done here.  I've got to admit I'm a little wary of just pasting in a stranger's code (even from an expert).  Can you explain how I could make these changes via the SDM Wizard? That way it would validate the commands in the process.  I'd feel much more confident about doing it that way.
 
Faruk Onder Yerli commented:
I never use SDM. For this reason I can't explain it. But my changes are safe. I even considered that if you are a remote admin, the system will not stop while you modify it. We just put in one more NAT entry and some lines in ACL 109. I marked in the ACL which code I added.